Hello everyone
My brain can’t handle remembering a password for each website.
I can’t use the same password for all websites / games / forums.
So my solution to that is generating a hash password using tools that already exist:
in all Linux distributions, coreutils has md5 and sha1-512 checkers.
I pipe my password into sha sum to generate a hashed password that only I am
able to make; the password is slightly changed depending on the website
on my end, and the smallest change makes the hash totally different.
That will prevent malicious logging or suspicion, but people on the internet
spread misinformation saying that hashed passwords aren’t safe.
Is that right?
Yes, using a hash function to generate passwords is not a secure practice. The main issues are:
- If an attacker figures out your method (e.g., website name + salt + hash), they can brute-force it.
- With rainbow tables and GPUs, common hash functions (like SHA-1, SHA-256, MD5) can be cracked quickly.
- If your method is compromised, all accounts are at risk.
A better approach:
- Use a password manager like Bitwarden, KeePass, etc.
- Use random, unique passwords for each site.
- Enable 2FA where possible.
Hashing is great for verifying passwords (like how websites store them), but it’s not ideal for generating them securely.
Use random, unique passwords for each site.
each website has a different hash password
using a GPU to crack an online hashed account password
is really different than local decryption
some websites I use sha256, with powerful cryptographic properties
unfortunately I never use something like 2FA, because different auth software generates different keys
like the GitHub situation: they rely on specific TOTP software
If you try to use a different one, the backend refuses your keys
- If an attacker figures out your method (e.g., website name + salt + hash), they can brute-force it.
nice, but he will never figure it out
also brute force on a remote server will be suspended as a DNS attack.
Your method ensures each site has a different password, which is good, but hashing isn’t meant for password generation. SHA-256 is great for integrity checks, but it’s predictable – if someone figures out your pattern from a few captured passwords, they can reverse engineer others.
Brute force on the server might be limited, but attackers often use credential stuffing or offline attacks where hashing alone doesn’t help. A password manager removes patterns entirely.
While 2FA can be annoying, it adds an extra layer of protection. I use YubiKey for important accounts and 3 different 2FA apps on my phone (RSA, Authy and Google Authenticator). I avoid SMS 2FA when possible and use email 2FA if it’s the only option.
Your way is unique, but randomness and 2FA are stronger.
YubiKey is an excellent piece of technology
It uses SHA-384/HMAC-SHA1 keys
But my method is the only way for me, I don’t have a YubiKey
here is how I do it
echo -n "VeryUniquePassword123456789"|sha256sum
Yes, it’s not bad. It has some security concerns, as version 4+ is no longer fully open-source. But even if YubiKey isn’t fully open-source, it’s still significantly harder to compromise than a predictable SHA-256 hashing approach.
YubiKey doesn’t just hash passwords, it also uses HMAC and cryptographic keys that never leave the physical device.
Rather than static hash responses, YubiKey also generates dynamic responses that can’t be predicted or replayed. So for me, I continue to use it.
One thing with Arch, they have a Wiki page for EVERYTHING lol
@hydn you did a great job explaining that. My mother tongue is not English but I understood everything!
Yes, the idea behind passwords is to use a long random string, more than 20-25 chars and complex, containing capital letters, lowercase, numbers, special chars, etc.
To fix this problem by myself, almost 2 years ago I developed a Java console application that requires as input a number for the password length, and its output is a very complex random password of the same length.
To store all my passwords I use a KeePassXC file which is master-password protected and located offline on my hard drive. I back up this file frequently and I also back up a copy of this file in cloud storage, but before uploading this file to the cloud I do another gpg encryption.
That’s the best way I found; for now I would say I’m safe, until quantum computers appear, I’m quite scared about them.
Sorry for my poem, but I want to share my approach to security. With 2 encryption levels like in my case, it would be safer than a single encryption phase.
About hashing, I would say it would be safer with sha256 or better sha512 encryption; I think it’s difficult for a hacker to pierce a sha512 password. Maybe the idea is putting some chars before and after that only you know about, but I think that’s pretty paranoid.
Moreover, nowadays MD5 encryption, I would say, is obsolete and very insecure. It’s very unsafe to keep your data with this old encryption model.
many websites don’t accept 64-char passwords, so I go to simpler encryption
but SHA-256 is the default which I go with first on registering
What I’m doing isn’t something ordinary, using a hash as a password, but I look at the bright side
suddenly today Fireship in his latest video got my point just at the right time
I hope that would make it more clear and transparent
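An added example in Python (not code from anyone in this thread) that reproduces the `echo -n ... | sha256sum` scheme, shows why cutting the hex digest down for sites that reject 64-char passwords caps the result at 4 bits per character, and contrasts it with a random generator of the kind the Java console app above does. `MASTER` and the site tags are constructed sample values; `derived_password_bound` takes the master secret's strength in bits as a parameter because it cannot be measured from the string alone.

```python
import hashlib
import math
import secrets
import string

# Constructed sample secret standing in for whatever is piped into sha256sum.
MASTER = "VeryUniquePassword123456789"

HEX_ALPHABET = "0123456789abcdef"
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_hash_password(master: str, site_tag: str = "", max_len: int = 64) -> str:
    """Same as `echo -n "<master><site_tag>" | sha256sum`, cut to a site's length limit.

    The result is a pure function of its inputs: whoever knows the pattern and the
    master secret (or can guess it, and SHA-256 is fast) gets every site's password.
    """
    return hashlib.sha256((master + site_tag).encode()).hexdigest()[:max_len]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of guessing work for a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def derived_password_bound(master_bits: float, max_len: int) -> float:
    """Upper bound for the hash scheme: never more than the master secret carries, and
    never more than 4 bits per hex character once the digest is truncated for a site."""
    return min(master_bits, entropy_bits(max_len, len(HEX_ALPHABET)))


def random_password(length: int) -> str:
    """Random password of the requested length with upper, lower, digit and
    punctuation all present, like the console tool described in the thread."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    if length < len(classes):
        raise ValueError("length must be at least 4 to hold every character class")
    while True:  # rejection sampling keeps the choice uniform over qualifying strings
        pw = "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


if __name__ == "__main__":
    site_limit = 16  # a site that rejects 64-character passwords
    print("derived   :", derive_hash_password(MASTER, "example.com", site_limit))
    print("hash bound:", derived_password_bound(200, site_limit), "bits")       # 64.0
    print("random    :", entropy_bits(site_limit, len(FULL_ALPHABET)), "bits")  # ~104.9
    print("generated :", random_password(site_limit))
```

The bound is the point: a truncated hex digest for a 16-character site can never exceed 64 bits, while a 16-character random password from the full printable set carries about 105, and the hash output is reproducible by anyone who learns the pattern.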
Thanks for sharing! The video shows storing pws inside a DB.