
If you use anything other than a very strong master password, this scheme leaves you unprotected. When you sign up to a site, you are effectively giving that site, and anybody intercepting that communication, SHA256(base_phrase + " - " + door_id). This enables anybody with one of the generated passwords to crack the hash and obtain the master password. This should use a very slow hash function instead.
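The difference the comment describes, as an added example that is not part of the original comment or of the scheme's own code: the quoted SHA-256 derivation beside the same inputs run through scrypt, with a measurement of what one offline guess costs under each. The hex output encoding, the scrypt parameters, the use of door_id as salt and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time


def weak_password(base_phrase: str, door_id: str) -> str:
    """The derivation quoted in the comment: a single fast SHA-256 pass.
    Hex output is an assumption; the page does not state the encoding."""
    return hashlib.sha256(f"{base_phrase} - {door_id}".encode()).hexdigest()


def slow_password(base_phrase: str, door_id: str) -> str:
    """Same inputs through scrypt, a deliberately slow, memory-hard KDF.
    n=2**14, r=8, p=1 (about 16 MiB per call) are assumed parameters."""
    key = hashlib.scrypt(base_phrase.encode(), salt=door_id.encode(),
                         n=2**14, r=8, p=1, dklen=32)
    return key.hex()


def matches(derive, candidate: str, door_id: str, site_password: str) -> bool:
    """Any holder of one site password can test a candidate master phrase
    offline: the site password acts as a verifier for the master."""
    return hmac.compare_digest(derive(candidate, door_id), site_password)


def seconds_per_guess(derive, rounds: int) -> float:
    """Average wall-clock cost of deriving one candidate."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(f"guess-{i}", "example.com")
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one guess is under the slow derivation."""
    fast = seconds_per_guess(weak_password, 20000)
    slow = seconds_per_guess(slow_password, 5)
    return slow / fast


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    site_pw = weak_password("correct horse", "example.com")
    print("guess verifiable offline:",
          matches(weak_password, "correct horse", "example.com", site_pw))
    print(f"slow KDF costs about {cost_ratio():,.0f}x more per guess")
```

A slow derivation only raises the per-guess cost by a constant factor, so the strength of the master password still matters.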

