jaseg closed this issue 12 years ago
Ah, thanks @jaseg.
Instead of abandoning the concept altogether, what could we do to make it more cryptographically strong?
I feel like the overall idea behind databaseless password management is still a worthwhile endeavor.
There are some existing implementations of this concept mentioned in the news.yc.com thread:
https://www.pwdhash.com/
http://passwordmaker.org/
The block alignment issue could be circumvented by doing sha(A ^ B ^ C), as suggested in the news.yc.com thread, since the result of A ^ B ^ C fits in one SHA-512 block.
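The sha(A ^ B ^ C) suggestion from the comment above, as an added example that is not code from the gist or from any participant in this thread. It assumes A, B and C are SHA-512 digests of a master password, a site name and a user name (the thread does not define them; `derive`, `xor_bytes` and `blocks_needed` are hypothetical names), and it checks two properties of the construction: the XOR result fits in one SHA-512 block, and XOR ignores input order and cancels equal inputs.

```python
import hashlib

SHA512_BLOCK = 128   # bytes consumed per SHA-512 compression call
SHA512_PAD_MIN = 17  # mandatory padding: 0x80 marker byte + 16-byte length field


def blocks_needed(msg_len: int) -> int:
    """Number of SHA-512 blocks processed for a message of msg_len bytes."""
    return (msg_len + SHA512_PAD_MIN + SHA512_BLOCK - 1) // SHA512_BLOCK


def xor_bytes(*parts: bytes) -> bytes:
    """Byte-wise XOR of equal-length byte strings."""
    if len({len(p) for p in parts}) != 1:
        raise ValueError("XOR operands must have equal length")
    out = bytearray(len(parts[0]))
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def derive(master: str, site: str, user: str) -> str:
    """sha(A ^ B ^ C), with A, B, C assumed to be SHA-512 digests of the inputs."""
    a, b, c = (hashlib.sha512(s.encode("utf-8")).digest()
               for s in (master, site, user))
    mixed = xor_bytes(a, b, c)           # 64 bytes, whatever the input lengths
    assert blocks_needed(len(mixed)) == 1
    return hashlib.sha512(mixed).hexdigest()


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    p1 = derive("correct horse", "example.org", "alice")
    p2 = derive("correct horse", "alice", "example.org")
    print("one block for 64-byte input:", blocks_needed(64) == 1)
    print("order of inputs ignored:    ", p1 == p2)
    # Two equal inputs cancel: the output depends only on the third one.
    p3 = derive("correct horse", "same", "same")
    p4 = hashlib.sha512(hashlib.sha512(b"correct horse").digest()).hexdigest()
    print("equal inputs cancel:        ", p3 == p4)
```

A message of up to 111 bytes still fits in a single SHA-512 block once padding is added; 112 bytes or more needs a second block.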
Hmm, I took a look at those implementations but I'm not a huge fan of the way they are presented and don't feel like I have a lot of clear insight on them. They don't seem very "open" either. I think this is still worth continuing to experiment with.
I think we can close this one based on your awesome pull request #2!
The algorithm as described in my gist is broken as described here: http://news.ycombinator.com/item?id=4374888