Am I missing something?

It would seem to me that knowing the Spectre secret key and the "login id" then exposes the password, which then is "fixed" and cannot be changed without breaking other aspects.

In a world where we're moving to passkeys and hardware-based authentication, why is this even a thing? It just seems a huge step backwards.
Deterministic password managers have their caveats:

https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers
How is this not "use the same password on every site" but with extra steps?

Seems like the "Spectre secret" is a massive risk, given that compromising it once without detection would compromise EVERY PASSWORD THAT USER USES, even ones that didn't exist when the secret was stolen.

Follow-up question: how does Spectre plan to prevent malicious SEO-squatting like we already see in the cryptocurrency space? If this was used widely, I'd assume that the search results for "compute Spectre password" would be 100% stuffed with sites that capture the secret...
If you are the owner of the site, may I make a single recommendation: in the domain field, set the casing to all lowercase. Depending on the device, fields like that want to start with a capital letter, thus changing the output password.
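To make the casing problem from the comment above concrete, here is an added example (not Spectre's own algorithm, and not code from anyone in this thread) of a simplified deterministic scheme: a slow KDF over the secret and login id gives a master key, an HMAC over the site name selects the per-site password, and a normalisation step lowercases the domain before hashing. The secret, login id and site names are constructed sample values.

```python
import hashlib
import hmac

# Hypothetical, simplified deterministic derivation for illustration only.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def master_key(secret: str, login_id: str) -> bytes:
    # Salt with the login id so two users sharing a secret get different keys;
    # scrypt makes brute-forcing a leaked site password back to the secret slow.
    return hashlib.scrypt(secret.encode(), salt=login_id.encode(),
                          n=2**14, r=8, p=1, dklen=32)


def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    # Same key + same site string + same counter always gives the same password,
    # which is exactly why any change to the site string silently changes it.
    seed = hmac.new(key, f"{site}\x00{counter}".encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in seed[:length])


def normalize_site(site: str) -> str:
    # The fix suggested in the thread: lowercase (and trim) the domain field so an
    # auto-capitalised "Example.com" from a phone keyboard matches "example.com".
    return site.strip().lower()


def demo() -> tuple[bool, bool]:
    # Constructed sample credentials.
    key = master_key("correct horse battery staple", "alice@example.org")
    raw_a = site_password(key, "example.com")
    raw_b = site_password(key, "Example.com")   # one capital letter, different password
    norm_a = site_password(key, normalize_site("example.com"))
    norm_b = site_password(key, normalize_site("Example.com"))
    return raw_a != raw_b, norm_a == norm_b


if __name__ == "__main__":
    print(demo())  # (True, True): raw inputs diverge, normalised inputs agree
```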