It's a common opinion, especially from amateur security enthusiasts.
I'm planning on writing a blog post to detail the security specifics of the Spectre algorithm in particular, and the concerns that it aims to address. I can update you once it's live.
In the general sense, it is a valid criticism. This is why it is important to develop the actual algorithm thoughtfully. For instance, my naive initial solution back in 2010 was to use a seeded SHA256 hash of the domain name as the password. Such an approach would definitely be vulnerable to this issue. Most "similar" solutions such as SuperGenPass and even LessPass are particularly vulnerable to determined attempts at reversing the algorithm; so it is important to be wary of this.
As for Spectre, I've designed the algorithm deliberately to maximally protect against this using a multi-layered approach. The key relevant components are the choice of HMAC and Scrypt functions. The way the algorithm protects against reversal is to make it slow enough that it takes too long to be realistic. Whenever you hear somebody say "brute-force", your immediate next question should be, "how quickly?", since speed is the only way in which a brute-force attack can ever be successful.
We want to know how long it would take for a hash breaking machine to find your personal secret. This will depend on:
- The number of guesses it can make per second.
- The entropy of your chosen personal secret.
From some calculations (I'll go into detail in the blog post), a top-of-the-line commercially available hashing GPU nowadays (the Nvidia GTX 1080 Ti) might net us ~168 Spectre guesses per second. This is an extrapolation of my own tests on a GTX 1060.
Now we need to know the entropy of your personal secret. You can use a 4-digit PIN as your personal secret and reversal should be pretty easy, but what did you expect? We recommend using a short nonsense sentence. Let's assume you put some random words together, like "wild berry yelling fire", "freshly exasperated kitten dance". The average 8-year-old knows about 10,000 words (crazy!). The average adult knows about 20,000 words.
A 3-word personal secret space based on an 8-year-old's vocabulary would take about 193 years of constant hashing to search. An adult's vocabulary, 1550 years. Make it four words, 30 million years.
FYI, a rough estimate of that adult's personal secret against LessPass' algorithm might drop your 1550 years down to 4 months. SuperGenPass, about half an hour. I'm not going to dive into the many specifics there.
- The KDF function is very important. Spectre uses scrypt, which is very slow, even on expensive GPUs, and is difficult to scale up because it's costly in all of GPU, CPU and RAM.
- The entropy of your personal secret is very important too. This is where you can control your own security.
Use a high entropy personal secret and you have nothing to worry about.
You can link this post to users who are concerned; I'm open to any questions.
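To put numbers on the "how quickly?" question from the post, the following added example (not part of the original post and not Spectre's own code) measures guesses per second for a single fast hash versus an scrypt-plus-HMAC derivation on the local CPU, then converts a guess rate into years needed to search a word-based secret space. The function names, the salt, the sample inputs and the scrypt cost values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def naive_password(secret: bytes, domain: bytes) -> bytes:
    # Assumed shape of the "seeded SHA256 of the domain name" idea: one fast hash.
    return hashlib.sha256(secret + domain).digest()


def stretched_password(secret: bytes, user: bytes, domain: bytes,
                       n: int = 2**15, r: int = 8, p: int = 2) -> bytes:
    # scrypt makes every guess at the secret cost CPU time and ~32 MiB of RAM;
    # HMAC then binds the stretched key to one site. Cost values are assumed.
    key = hashlib.scrypt(secret, salt=user, n=n, r=r, p=p,
                         maxmem=2**26, dklen=64)
    return hmac.new(key, domain, hashlib.sha256).digest()


def guesses_per_second(derive, rounds: int) -> float:
    # Time `rounds` candidate secrets through `derive` on this machine.
    start = time.perf_counter()
    for i in range(rounds):
        derive(b"candidate secret %d" % i)
    return rounds / (time.perf_counter() - start)


def years_to_search(vocabulary: int, words: int, rate: float) -> float:
    # Time to try every `words`-word secret drawn from `vocabulary` words.
    return vocabulary ** words / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample inputs; example.com and "Example User" are placeholders.
    fast = guesses_per_second(lambda s: naive_password(s, b"example.com"), 200_000)
    slow = guesses_per_second(
        lambda s: stretched_password(s, b"Example User", b"example.com"), 5)
    for label, rate in (("single SHA-256", fast), ("scrypt + HMAC", slow),
                        ("post's GPU figure", 168.0)):
        print(f"{label:18s} {rate:12.1f} guesses/s  "
              f"3 adult words: {years_to_search(20_000, 3, rate):12.4f} years")
```

Running it prints the measured rate for each construction next to the time needed to exhaust a 3-word secret from a 20,000-word vocabulary, which makes the gap between a fast hash and a memory-hard KDF visible on your own hardware.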