
Cryptography is hard, opsec much harder. I frowned immediately when I realised that it generates deterministic passwords from seeds partially known to the attacker.

This is only slightly better than the brain wallet concept for personal key management, and back then people thought it was a good idea too. So I guess this kind of attempt will never go away.




If part of the seed has sufficient entropy, it doesn't matter if the attacker knows (or can guess) another part of the seed. Assuming the software uses a decent cryptographic hash function properly.


This is true, however I can't help but feel that the design of the system encourages users to choose a low-entropy master password and get a false sense of security seeing that a different "strong" password can be produced for every account. The fact that the master password has to be typed frequently to recover the derived passwords adds to the problem.

This is the exact same problem with brain wallets, for which people delude themselves into thinking that they have managed to conjure a secret phrase that only they will know, only to get hacked in no time because the passphrase they came up with was just bad and they could not tell.


I agree with you.


> from seeds partially known to the attacker

That’s heavily misleading, like complaining encryption is performed using a key partially known to the attacker because a nonce/IV is involved. The site name and username are there to derive different keys, not provide security.


Except in this case there is no IV or nonce involved and every key derivation is perfectly replayable.

Let's pause for a second and think about what the point of using password managers is - I take it as a means to allow each account to have a unique password, so that the leak of any one of them won't lead to more account breaches. The method being shown here does nothing in this aspect, as every password is effectively the same master password hashed with a known salt. One might argue that a costly derivation path could make brute-forcing impractical, but it doesn't help with the fact that the concept is unsound from the beginning.


A strong master password is what makes brute-forcing impractical.
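The two positions above (a replayable derivation salted with public identifiers lets one leaked site password be turned into an offline attack on the master password; a strong master password is what makes that attack impractical) can be shown concretely. The following is an added example, not code from the original thread or from any particular password manager: a minimal deterministic scheme of the kind under discussion, the attacker's recovery loop against it, and a rough work estimate. The iteration count, site names, usernames, the weak master password and the tiny wordlist are all constructed for illustration.

```python
import hashlib
import hmac
import math
import string

# Assumption: a deliberately small cost parameter so the demo runs quickly.
# Real schemes use far more PBKDF2 rounds, or scrypt/Argon2; a higher cost only
# scales the attacker's work linearly, it does not stop the replay.
ITERATIONS = 10_000
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16


def derive_site_password(master: str, site: str, username: str) -> str:
    """Deterministic per-site password: the master password is the only secret.

    Site and username act as a salt that the attacker also knows, so the
    derivation is replayable by anyone holding a candidate master password.
    """
    salt = f"{site}\x00{username}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    # Map key bytes onto the output alphabet (modulo bias is irrelevant here).
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key[:PASSWORD_LEN])


def recover_master(leaked_password: str, site: str, username: str, candidates):
    """Offline attack with one leaked derived password and the public salt.

    Returns the first candidate master password that reproduces the leak,
    or None if the wordlist does not contain it.
    """
    for guess in candidates:
        derived = derive_site_password(guess, site, username)
        if hmac.compare_digest(derived, leaked_password):
            return guess
    return None


def attacker_work_bits(candidate_space_size: int, iterations: int = ITERATIONS) -> float:
    """log2 of the PBKDF2 rounds needed to exhaust a candidate space.

    Each guess costs `iterations` rounds, so cost and entropy add in the log.
    """
    return math.log2(candidate_space_size * iterations)


if __name__ == "__main__":
    # Constructed data: a weak master password and identifiers the attacker can see.
    master = "summer2019"
    leaked = derive_site_password(master, "example.com", "alice")  # e.g. from a breach

    # Constructed wordlist; a real attacker uses dumps of hundreds of millions of entries.
    wordlist = ["password", "letmein", "summer2018", "summer2019", "hunter2"]
    found = recover_master(leaked, "example.com", "alice", wordlist)
    print("recovered master password:", found)

    # Every other account now falls, because the derivation is replayable.
    print("bank.example password:", derive_site_password(found, "bank.example", "alice"))

    # A strong master password (six words from a 7776-word Diceware list) puts the
    # attack out of reach regardless of what else the attacker knows.
    print(f"work to exhaust 6 Diceware words: 2^{attacker_work_bits(7776 ** 6):.1f} rounds")
```

Note that the attack needs only one leaked site password plus the site and username, which are exactly the values a breached site holds; the salt adds no secrecy, only separation between sites. Whether recovery succeeds is decided entirely by the size of the candidate space the master password lives in, which is the point both sides of the thread are making.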



