PasswordMaker.org-like option for the Password Generator

[rolltidehero]

Can we PLEASE get a PasswordMaker.org-like option for the Password Generator?

There is source code available for just about every language you can think of, so one of you geniuses may be able to implement this into our beloved KeePassXC. I'll buy you a coffee... or a blunt. I don't judge.

Here is more info on what I am referring to for those who aren't familiar with it...

PasswordMaker uses three pieces of information:

1. A "master password" -- usually that one, single password you like.
2. The URL of the website requiring a password.
3. The encryption method of your choice.

Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website.

Although one-way hash algorithms have a number of interesting characteristics, the one capitalized by PasswordMaker is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it."

In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!

This method is widely used as there are multiple versions available for just about everything:

•  Browser Extensions
  

  • Chrome \ Chromium-based browsers
  • Firefox
  • Opera
  • Bookmarklet

•  Mobile
  

  • iOS - Available Editions: 1
  • Android - Available Editions: 3
  • PHP - For use on your own web server.

•  Desktop
  

  • Windows - Available Editions: 2
  • Mac - Available Editions: 2
  • Linux/Python - Available Editions: 2

•  Other
  

  • Online - Original / Online 2 - Available Editions: 2
  • Javascript - The Javascript Edition can be used on your local drive or on your own web server.
  • PHP - The PHP Edition can be run from the command-line (php cli) or used on a webserver (php cgi).
  • Maemo - CLI and GUI versions available

•  Other Links
  

  • Screenshots of many of the different editions & extensions
  • FAQ about the method and other things
  • Wiki where I got all of this information

If someone gets my master password, can't he determine all of my generated passwords?

No. There are ten other variables he would need for each account. They are:

• URL
• character set
• which of nine hash algorithms was used
• modifier (if any)
• username (if any)
• password length
• password prefix (if any)
• password suffix (if any)
• which of nine l33t-speak levels was used
• when l33t-speak was applied (if at all)

Probably the most interesting of these is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.

So... Thoughts? Is this possible? Should I be posting this in browser extension discussions instead?
I currently use the browser extensions, but it would be so much easier if it was coded into KeePassXC instead.
Regardless, thanks to all you guys & gals for what you do!

[droidmonkey]

This is a terrible system and we won't implement it. You can't change your master password without having to change evey single derived password. If your master password is leaked then we can derive every single of your passwords.

[rolltidehero]

Not if you don't know the encryption method used. Plus, you would still have to know the username as well as the website.

[rolltidehero]

If someone gets my master password, can't he determine all of my generated passwords?

No. There are ten other variables he would need for each account. They are:

• URL
• character set
• which of nine hash algorithms was used
• modifier (if any)
• username (if any)
• password length
• password prefix (if any)
• password suffix (if any)
• which of nine l33t-speak levels was used
• when l33t-speak was applied (if at all)

Probably the most interesting of these is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.

[droidmonkey]

And where do you store those ten variables? In keepassxc? Why aren't you just using a random password and eliminate all that nonsense. It makes zero sense and it will never be in our program.

[StarBoyzz]

Hell, just the custom prefix and\or suffix option would make it nearly impossible to steal whether they have your master password or not.