This appears to be using the passphrase as an hmac key directly, with the URL.hostname as the value.<p>Unless the user memorizes a proper randomly generated key, this is going to be brute-forcable based on a single website’s generated password, which would then allow all other websites to be accessed.<p>Also, if a website ever changes its domain name, you’re going to have trouble.<p>This appears to be a weekend project, and I don’t want to be overly negative, but do not use this as-is. This is more than dead-simple: this is deadly simple.