My Easy Passwords extension is quickly climbing up in popularity, right now it already ranks 9th in my list of password generators (yay!). In other words, it already has 80 users (well, that was anticlimatic). At least, looking at this list I realized that I missed one threat scenario in my security analysis of these extensions, and that I probably rated UniquePasswordBuilder too high.
The problem is that somebody could get hold of a significant number of passwords, either because they are hosting a popular service or because a popular service leaked all their passwords. Now they don’t know of course which of the passwords have been generated with a password generator. However, they don’t need to: they just take a list of most popular passwords. Then they try using each password as a master password and derive a site-specific password for the service in question. Look it up in the database, has this password been ever used? If there is a match — great, now they know who is using a password generator and what their master password is.
This approach is easiest with password generators using a weak hashing algorithm like MD5 or SHA1, lots of hashes can be calculated quickly and within a month pretty much every password will be cracked. However, even with UniquePasswordBuilder that uses a comparably strong hash this approach allows saving lots of time. The attacker doesn’t need to bruteforce each password individually, they can rather crack all of them in parallel. Somebody is bound to use a weak master password, and they don’t even need to know in advance who that is.
How does one protect himself against this attack? Easy: the generated password shouldn’t depend on master password and website only, there should also be a user-specific salt parameter. This makes sure that, even if the attacker can guess the salt, they have to re-run the calculation for each single user — simply because the same master password will result in different generated passwords for different users. Luckily, UniquePasswordBuilder is the only extension where I gave a good security rating despite missing salts. Easy Passwords and CCTOO have user-defined salts, and hash0 even generates truly random salts.