otherwise there are attacks possible with this simple schema. Check why it's a good idea to use an HMAC for serious applications instead of "secret:...mytext..." for more details (long story short, it's possible to continue the SHA1 computation resuming from where it ended and appending more text). It's really a problem in different cases, not in our case of generating passwords, but it's a good practice to use always HMAC or when it is not practical like in this case at least putting the secret before and after.