Eric,
Just the second and following need a separator. The first one may stay as it is now.
The separator is needed to identify 'abc2' without any extra data and 'abc' + '2' (the '2' appended because it is the second iteration) as different strings.
I'll try a better explanation. Consider the following scenario:
You have two users, 'user' and 'user2', for connecting to domain.com. Your master password is 'PW'. You want to generate a long key which needs 2 hashes. If you don't use a separator, in the case of the first user the hashes would apply to these strings:
'PWdomain.comuser' (for the first iteration)
'PWdomain.comuser2' (for the second iteration)
On the other hand, in the case of the second user the following strings will be hashed:
'PWdomain.comuser2'
'PWdomain.comuser22'
The first string in this case is the same as the second string used before, thus the password characters generated will be equal. However, using separators the strings hashed would be, for the first user:
'PWdomain.comuser'
'PWdomain.comuser\n2'
and for the second user:
'PWdomain.comuser2'
'PWdomain.comuser2\n2'
All strings are now different, which is safer. Actually, I would like to see separators between all the input fields in the password generation algorithm for similar reasons (simple concatenation doesn't distinguish where each field terminates and the next starts), but that would break compatibility.
Note that everywhere I write \n I mean ASCII character LF, code 10. In any case the idea is to choose a separator that can't be entered by the user.
-- Pedro Gimeno
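
The collision described in the message above, reproduced as an added example that is not part of the original message or of the project's code. The function names and the use of SHA-256 are assumptions made for illustration; the master password, domain and user names are the ones from the message.

```python
import hashlib

SEP = "\n"  # LF, code 10: the separator proposed in the message


def iteration_inputs(master, domain, user, count, sep=""):
    """Return the strings hashed for iterations 1..count.

    The first iteration is left as it is now (plain concatenation); from the
    second on, the iteration number is appended, optionally after `sep`.
    """
    for field in (master, domain, user):
        if sep and sep in field:
            # The scheme only works if the user cannot type the separator.
            raise ValueError("input field contains the separator")
    base = master + domain + user
    return [base] + [f"{base}{sep}{i}" for i in range(2, count + 1)]


def hash_blocks(master, domain, user, count, sep=""):
    """Hash each iteration string (SHA-256 is an assumption of this example)."""
    return [hashlib.sha256(s.encode("utf-8")).hexdigest()
            for s in iteration_inputs(master, domain, user, count, sep)]


def shared_blocks(user_a, user_b, sep=""):
    """Hash blocks that two accounts on the same site have in common."""
    a = hash_blocks("PW", "domain.com", user_a, 2, sep)
    b = hash_blocks("PW", "domain.com", user_b, 2, sep)
    return sorted(set(a) & set(b))


if __name__ == "__main__":
    # Without a separator one block is shared; with LF none is.
    print("no separator:", shared_blocks("user", "user2"))
    print("LF separator:", shared_blocks("user", "user2", SEP))
```
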