ctSESAM-python-memorizing
weakness in generate()
There is a weakness in generate() due to the fact that the domain, user and password strings are simply concatenated.
Example: user 'john' using master password '123' will generate exactly the same passwords as user 'john1' using master password '23', because 'john' + '123' == 'john1' + '23'.
Suggestion: include a separation character in the string-to-be-hashed, preferably a character that is not a valid UTF-8 element and cannot be produced by encode().
Therefore, I propose to replace hash_string = domain + username + master_password by hash_bytes = domain.encode('utf-8') + b'\xff' + username.encode('utf-8') + b'\xff' + master_password.encode('utf-8')
hashed_bytes = pbkdf2_hmac('sha512', hash_bytes ...
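Added illustration (not code from the ctSESAM project): the plain-concatenation derivation beside the separator-based one proposed above, checked on the john/john1 pair from the issue and on a domain/username boundary shift as well. The salt and iteration count are constructed assumptions, since the issue does not show them.

```python
import hashlib

# Constructed parameters for this illustration; the project's real salt and
# iteration count are not shown in the issue.
SALT = b"ctsesam-example-salt"
ITERATIONS = 4096

# 0xFF is never emitted by str.encode('utf-8'), so it cannot occur inside a field.
SEP = b"\xff"


def derive_weak(domain: str, username: str, master_password: str) -> bytes:
    """Derivation as described in the issue: field boundaries are lost."""
    hash_string = domain + username + master_password
    return hashlib.pbkdf2_hmac("sha512", hash_string.encode("utf-8"), SALT, ITERATIONS)


def derive_separated(domain: str, username: str, master_password: str) -> bytes:
    """Proposed fix: an out-of-alphabet separator makes the encoding unambiguous."""
    fields = [f.encode("utf-8") for f in (domain, username, master_password)]
    for f in fields:
        # Holds for any UTF-8 output; guards the invariant the separator relies on.
        assert SEP not in f
    hash_bytes = SEP.join(fields)
    return hashlib.pbkdf2_hmac("sha512", hash_bytes, SALT, ITERATIONS)


def collides(derive, a, b) -> bool:
    """True when two distinct (domain, user, password) triples yield the same key."""
    return a != b and derive(*a) == derive(*b)


# Constructed inputs: the pair from the issue, plus a shift across the
# domain/username boundary, which the concatenation bug also confuses.
ISSUE_PAIR = (("example.com", "john", "123"), ("example.com", "john1", "23"))
DOMAIN_PAIR = (("example.com", "john", "123"), ("example.co", "mjohn", "123"))

if __name__ == "__main__":
    for name, (a, b) in (("issue pair", ISSUE_PAIR), ("domain pair", DOMAIN_PAIR)):
        print(name, "weak collides:", collides(derive_weak, a, b),
              "separated collides:", collides(derive_separated, a, b))
```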