“The fact that the password is generated from data known to the attacker is not a problem in our opinion. Anyway the attacker must know which user owns which password in the first place.”