1

Given a seed string S, I want to deterministically generate a password of the form:

N characters, each chosen from a set of characters C

Unfortunately neither N nor the cardinality of C necessarily play nicely with powers of 2, and I want to avoid introducing a bias towards any particular characters in C.

Is the following a sane approach to generating these passwords with a uniform distribution, or, is there already a well known approach to doing this?

To choose the i_th character of the password, I would compute for every character c in C the value sha256(S + i + c), then choose the character c for which this has the largest hash.

e-sushi
  • 17,891
  • 12
  • 83
  • 229
noop
  • 13
  • 2

1 Answers1

0

Yes, this strategy works, in the sense that it generates each character with the appropriate distribution, and there is not trivial attack (with the caveat that the formatting used must allow to unambiguously find $S$, $i$ and $c$ from the concatenation $S\|i\|c$; formatting $i$ and $c$ as fixed-width fields will do). However

  1. We do not have a strong security argument: for this we'd need a MAC keyed by $S$, e.g. use $\operatorname{HMAC-SHA256}(S,i\|c)$; the HMAC construction turns a hash into a MAC, with a proof.
  2. There is no entropy-stretching, nor salt, as in standard password-based key derivation; thus a guess of $S$ can be checked with low odds of errors knowing a password and it's $i$; if the seed string $S$ is low-entropy (like a master password), that's a huge problem.
  3. We can obtain the appropriate distribution with far less hashes; see this.

Point 2 is by far the most worrying.

fgrieu
  • 140,762
  • 12
  • 307
  • 587