The concern would be an attacker might be able to derive the password for other sites from one breached password.
I like the simplicity, but I think one concern is that if a site is breached, an attacker can bruteforce master pwd offline very efficiently (because they know url). Maybe use PBKDF2 or HMAC with very strong local secret to make bruteforce untenable?
This has come up before with PwdHash. I like the idea of using PBKDF2 and a salt stored on a Yubikey perhaps. http://www.flypig.co.uk/presentations/dlj-gr-passwords2016.pdf …
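The mitigation raised in the replies above, sketched as an added example (not code from the thread or from PwdHash): a per-site password derived with PBKDF2 whose salt is keyed by a local secret, plus a check showing that a leaked site password cannot be tested against master-password guesses without that secret. The function names, the iteration count, the HMAC-based salt construction and the sample values are assumptions.

```python
import base64
import hashlib
import hmac

ITERATIONS = 600_000  # assumed work factor; tune to the device


def derive_site_password(master, site, local_secret, iterations=ITERATIONS, length=20):
    """Deterministic per-site password from master password, site name and a local secret."""
    # The salt depends on the site and on a secret that never leaves the device
    # (for example one held on a hardware token), so knowing the site name alone
    # is not enough to start testing master-password guesses.
    salt = hmac.new(local_secret, site.encode(), hashlib.sha256).digest()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    return base64.urlsafe_b64encode(key).decode()[:length]


def master_is_guessable(leaked, site, candidates, assumed_secret, iterations=ITERATIONS):
    """Model the offline check: does any candidate reproduce the leaked site password?"""
    for guess in candidates:
        derived = derive_site_password(guess, site, assumed_secret, iterations)
        if hmac.compare_digest(derived, leaked):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    wordlist = ["letmein", "correct horse", "hunter2"]
    leaked = derive_site_password("correct horse", "example.com", secret, iterations=1000)
    # Only public knowledge (site name, no secret): the check finds nothing.
    print("without local secret:", master_is_guessable(leaked, "example.com", wordlist, b"", 1000))
    # With the device secret the same wordlist succeeds, so the secret is what carries the protection.
    print("with local secret:   ", master_is_guessable(leaked, "example.com", wordlist, secret, 1000))
```

The iteration count only slows each guess; it is the local secret that removes the offline check for anyone who holds just the breached site password and the URL.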