OK, let's do it together.
OK.
As for your calculation, you'd have to multiply the master password combinations and character set combinations instead of adding them, giving you a total of 93^101 = 6,55...e+198 = about 2^457 combinations (as comparison, the universe consists of about 2^250 particles).
A number with 198 digits is quite difficult to comprehend, no wonder it's giving people headaches, so I'm looking at a few common scenarios, and give some examples too, so anyone interested in this can understand it.
Let's look at your example first, and make it specific. So there's Alice and Eve, and Eve doesn't like Alice (we don't know the reason, but I suspect it has to do with Bob). Eve knows that Alice is using PasswordMaker, knows that she isn't using leet or other modifications, only a personalized character set (Alice might have mentioned that in a forum), so Eve sets up a forum on her site and gets Alice to register. Now Eve has a generated password, let's say it is "Aa1!Bb2#", so we have something to work with. She now ponders on how to get the master password, so she gets herself a super computer, and someone to write her a program so it can check a billion passwords per second with the following settings:
No leet, Hash: SHA-256, URL: eve.com, length 8, all other fields empty.
The script permutes the full 93 characters in the master password and charset fields in all lengths.
Eve is prepared to wait a long time, but after only two months (statistically) the script ends with a solution, maybe:
Character Set: zbA2Y17B#0!%a
Master Password: qwerty
(you can check this at
http://passwordmaker.org/proto/passwordmaker.html, it does generate the password Aa1!Bb2#)
Another two months later, the script puts out another solution, maybe:
Character Set: bH(XaBK&2Aqaz#!xe&iI1v8G
Master Password: 12345
or:
Character Set: xxx#xB2axAxb!1xx
Master Password: password
What happened? Which one is Alice's master password, qwerty or 12345 or 'password'? This is something called "collision" in cryptography, different input values generating the same output value. And there is no way for Eve to find out which one is the right one, without further information.
The calculation Eric made is leaving out one important variable, or rather assumes it to be pretty high while it's normally quite low: the length of the generated password. In this example it is 8.
This leaves only 93^8 (= 2^36) combinations for generated passwords, while the input is 2^457. So each generated password has 2^421 master password/charset combinations that generate it. Eve would either need a generated password of length 100 or more, or 13 different generated passwords of length 8, to narrow down the collisions to a reasonable amount, from which to choose the right one, maybe one where the charset is in sort of an order (ABCDE…). But in this case it really does take the ridiculous amount of time we calculated.
I obviously constructed these collisions, which is very easy. In the last example you can substitute every x in xxx#xB2axAxb!1xx with any other character, so that gives you a quadrillion collisions, and they all generate the password in question.
So I think we all agree that Eve needs a different approach. Let's assume Alice and Eve aren't stupid, have computer knowledge and some resources. Eve tries to send Alice a keylogger, a custom script not noticed by virus protection; if Alice installs it and doesn't have a good firewall, she's out of luck. But Alice doesn't install anything unknown.
Alice will be pretty secure as long as Eve doesn't get physical access to the machine Alice is working on. But once Eve does, maybe even by sneaking into her home, opening the PC and making a copy of the hard disc, she'll have much more to work with. And maybe Alice wouldn't even find out that she's been compromised.
Assuming the drive wasn't encrypted, Eve now has copies of about everything. She's only interested in PasswordMaker stuff, so now everything depends on how much information Alice has put into it. If Alice has stored her Master Password in the rdf file, or if she has used the same password for the remote server or stored in a field in any other account, then it's over. Eve has won, because she will try those first. So let's assume the master password is unique and never stored anywhere.
Now Eve has access to all the settings, including charset and all stored passwords. All she has to do now is a brute force attack over the master password, still assuming she has at least one generated password of at least the length of the master password.
Now it all depends on the complexity of the master password. Assuming it's not a dictionary word but doing a search over 96 characters, we'd get (at a billion passwords/sec, if it's a slower workstation, you just add a zero or two):
length: time
5: 8 seconds
6: 14 minutes
7: 21 hours
8: 84 days
9: 23 years
10: 2138 years
( time = 96^length / 1,000,000,000 )
So, to sum it up, a weak master password isn't a problem as long as settings aren't revealed. But once someone knows them PLUS a password generated by them AND has the knowledge and means to crack it, then a weak password increases your risk.
There would be an easy way to add much more security, by adding a new field "recursive encryption", a number that states how many times the generated hash (or password) is fed back into the hash algorithm to create a loop. If it's for example 1000, it would take 1000 times the amount of time to crack it, with everything else revealed. You could choose an even higher number for more security when you use a dictionary word, but it'll slow down the generation (which is desired, so the attacker will have trouble too).
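As an added illustration of the two points above (the brute-force time table and the proposed "recursive encryption" counter), here is a small Python model. It is not PasswordMaker's own code: `derive_password` is a hypothetical PasswordMaker-style derivation (SHA-256 over master password plus URL, fed back into itself `iterations` times, then mapped onto the personalized charset), and `seconds_to_crack` is the post's formula `96^length / 1,000,000,000` extended by the iteration factor.

```python
import hashlib
import math


def derive_password(master, url, charset, length, iterations=1):
    """Hypothetical PasswordMaker-like derivation (assumption, not the real
    algorithm). 'iterations' models the proposed "recursive encryption"
    field: the digest is fed back into SHA-256 that many times before it is
    mapped onto the character set."""
    if iterations < 1 or length < 1 or not charset:
        raise ValueError("need iterations >= 1, length >= 1, non-empty charset")
    digest = hashlib.sha256((master + url).encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    out = []
    while len(out) < length:
        for b in digest:
            if len(out) == length:
                break
            # Simple modulo mapping onto the charset (slightly biased for
            # charset sizes that do not divide 256; fine for this model).
            out.append(charset[b % len(charset)])
        # Digest is 32 bytes; rehash to extend for longer passwords.
        digest = hashlib.sha256(digest).digest()
    return "".join(out)


def seconds_to_crack(charset_size, length, guesses_per_sec=1e9, iterations=1):
    """Exhaustive search over all master passwords of one length, when the
    attacker already knows every setting and must run 'iterations' hashes
    per guess. This is the post's 96^length / 1e9 formula times iterations."""
    return (charset_size ** length) * iterations / guesses_per_sec


def crack_table(charset_size=96, lengths=range(5, 11), iterations=1):
    """Return {length: seconds} so the effect of key stretching is visible."""
    return {n: seconds_to_crack(charset_size, n, iterations=iterations)
            for n in lengths}


if __name__ == "__main__":
    # Constructed sample values taken from the scenario in the post.
    cs = "zbA2Y17B#0!%a"
    print("plain     :", derive_password("qwerty", "eve.com", cs, 8))
    print("1000 iter :", derive_password("qwerty", "eve.com", cs, 8, 1000))
    for n, s in crack_table().items():
        print(f"length {n:2d}: {s:14.1f} s  ({s / 86400:10.1f} days)")
    for n, s in crack_table(iterations=1000).items():
        print(f"length {n:2d} x1000 iterations: {s / 31557600:12.1f} years")
```

Running it reproduces the post's table (length 8 comes out at about 83.5 days) and shows that with 1000 iterations the same length costs about 228 years at a billion guesses per second.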