Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This scheme is hugely flawed.

If you steal a password list from a website you can identify all the passwords generated by this utility (10 characters, uniform distribution over alphanumeric characters) and then simply crack the master passwords with a brute force attack. If you have stolen multiple SuperGenPass generated passwords from the same website, you can crack them all at the same time with no additional penalty. After recovering the master password you can then log into every single online account belonging to the user.

They seem to generate the password hash with simple md5, which is about the worst possible choice they could have made. Any master password which is low entropy enough to carry around in your brain can probably be cracked in a few days at most.



Except that you don't use the full MD5 sum, so it's not a simple matter of brute-forcing it.


For the default password length of 10 characters they use ~60 bits of MD5 output. That's more than enough information to uniquely identify the master password.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: