If you steal a password list from a website you can identify all the passwords generated by this utility (10 characters, uniform distribution over alphanumeric characters) and then simply crack the master passwords with a brute force attack. If you have stolen multiple SuperGenPass generated passwords from the same website, you can crack them all at the same time with no additional penalty. After recovering the master password you can then log into every single online account belonging to the user.
They seem to generate the password hash with simple md5, which is about the worst possible choice they could have made. Any master password which is low entropy enough to carry around in your brain can probably be cracked in a few days at most.
For the default password length of 10 characters they use ~60 bits of MD5 output. That's more than enough information to uniquely identify the master password.
If you steal a password list from a website you can identify all the passwords generated by this utility (10 characters, uniform distribution over alphanumeric characters) and then simply crack the master passwords with a brute force attack. If you have stolen multiple SuperGenPass generated passwords from the same website, you can crack them all at the same time with no additional penalty. After recovering the master password you can then log into every single online account belonging to the user.
They seem to generate the password hash with simple md5, which is about the worst possible choice they could have made. Any master password which is low entropy enough to carry around in your brain can probably be cracked in a few days at most.