Security advice for USB password generator

Sam P wrote 01/25/2016 at 11:10 0 points

I have this idea for a USB password generator which doesn't store any passwords. Instead it generates them as and when you tell it to from a master password that you type into the device using buttons on it. As soon as you unplug the device all passwords are forgotten.

The area I need advice on is the password generation. My initial solution is to concatenate the master password, username, website URL, and version (to create 2nd/3rd etc. passwords for websites), then calculate a SHA-256 hash of that string. With the output data I would then choose a suitable encoding depending on the website limitations (e.g. some are alphanumeric only).

Does this sound like a safe strategy? My main concern is if someone manages to obtain multiple passwords from different websites. It may be possible to work back to the original master password. Unfortunately the maths is a bit beyond me to figure this out myself.
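
Added example, not part of the original post: a Python sketch of the derivation described above (master password, username, URL and version concatenated and hashed with SHA-256) next to a variant that length-prefixes each field and stretches the master password with PBKDF2-HMAC-SHA256, so that a person holding one generated password cannot test master-password guesses at plain SHA-256 speed. The function names, field order, base-62 encoding, 16-character length and iteration count are assumptions made for illustration.

```python
import hashlib
import string

ALNUM = string.ascii_letters + string.digits  # alphabet for alphanumeric-only sites

def encode(digest: bytes, alphabet: str = ALNUM, length: int = 16) -> str:
    """Turn digest bytes into `length` characters of `alphabet` by repeated division."""
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        chars.append(alphabet[r])
    return "".join(chars)

def derive_as_described(master: str, username: str, url: str, version: int) -> str:
    # Scheme from the post: plain concatenation, one SHA-256 pass (order assumed).
    data = f"{master}{username}{url}{version}".encode()
    return encode(hashlib.sha256(data).digest())

def _fields(*parts: str) -> bytes:
    # A 2-byte length prefix per field makes the field boundaries unambiguous.
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)

def derive_hardened(master: str, username: str, url: str, version: int,
                    iterations: int = 200_000) -> str:
    # The site-specific fields act as the salt; PBKDF2 makes every guess at the
    # master password cost `iterations` HMAC-SHA256 evaluations (count assumed).
    salt = _fields(username, url, str(version))
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    return encode(dk)

if __name__ == "__main__":
    # Constructed sample inputs: two different accounts whose fields
    # concatenate to the same string.
    a = ("correct horse", "bob", "example.com", 1)
    b = ("correct horse", "bobe", "xample.com", 1)
    print("as described:", derive_as_described(*a), derive_as_described(*b))
    print("hardened:    ", derive_hardened(*a), derive_hardened(*b))
```

SHA-256 is one-way, so generated passwords from several sites do not reveal the master password directly; what remains is offline guessing, which is why the master password's strength and the cost per guess matter.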