While I first wrote an article about the absurdities of information security [in 2011][1], this specific extension is an idea I've had since [June 2015][2] - due to the absurd nature of the idea, I wanted to launch it on April Fools' Day, but that ended up causing it to be [dismissed as a joke out of hand altogether][3], so I figured I'd wait a day before posting it to Hacker News.

While the premise of the extension sounds like a joke, it's legitimately a good idea, and [one others have had independent of this][4]. I explain some of the thoughts and motivations behind NilPass's design here: https://nilpass.com/seriously/

[1]: http://www.cracked.com/article_18962_5-things-we-all-do-that-make-hackers-lives-incredibly-easy.html
[2]: https://github.com/nilpass/nilpass-branding/commit/6090b5cc972378832799d1c2a13ee8b12db88ca7
[3]: https://www.reddit.com/r/netsec/comments/62sgrp/presenting_nilpass_the_only_password_manager/dfova33/
[4]: https://rempel.world/passwordless-method.html
I see an incredible weak point: your email account becomes your only defense, meaning the password on it must be strong and you still need to remember it. And you need 2FA.

Not that this is not the case already; email accounts are already important.
Password managers are already a barrier. The Forgotten Password flow via email is an embarrassingly shitty UX and a similarly shitty security protocol.

I wouldn't try to encourage the broken "Forgotten Password" protocol... it's usually the softest target of authentication on the web.