First of all, this looks like an awesome and very well-thought-out implementation, and I'm sure it'll work well for some people!<p>That said, I actually made something very similar to this a while back. Now I use pass instead: <a href="http://www.passwordstore.org/" rel="nofollow">http://www.passwordstore.org/</a><p>The downsides I didn't think about, or didn't think would be as annoying as they were, until I started running into them in actual use:<p>- The big one: change your master password? You now have to change <i>all</i> of your passwords for every service you use.<p>- Weird restrictions on password length or allowed characters? Okay, the app gives you options to generate a password with the required parameters, perfect! When you actually use this you realize that that set of parameters is a state that must be stored somewhere. Possibly your brain ("okay, when I log into gmail, I select 'phrase', but logging into Bank of America I have to use 'long'... or was it 'medium'?"). This does not scale.<p>- Need to change a password for a specific service? Again--this has a "site counter", which works... except now there's more state, and you need to remember to use "2" with "gmail" and "5" with "hn" and...<p>Of course, you could (and I didn't download it to try, but it's possible the app does?) store those restrictions/site counters somewhere, but now you've lost the main benefit of doing this in the first place (stateless, nothing to sync). In the end, I decided that gpg encryption is secure enough for me.
It is important to note that there is a security flaw in this scheme that makes it strictly less secure than using a password manager with randomly generated passwords. All an adversary needs in order to generate <i>all</i> of your passwords is your master password. Let's walk through the steps of how an adversary can brute force your master password.<p>First, they will need access to a hash of <i>one</i> of the passwords you have generated. Say you use this application for every site you visit, and you have somewhere between 20-30 accounts. If only one of these companies suffers from a password leak, then the adversary will have enough information necessary to brute force your master password and generate your password for all other sites. This means that the sketchy site you created an account on to buy a phone case can result in an adversary gaining your well-protected bank password.<p>Once they have a password hash, they can brute force your master password in the regular way. All other inputs to the password generation function are easily obtainable through minimal social engineering or guessing (your name, the site name, number of re-generations). I will note here that they did use scrypt, which makes brute-forcing more difficult (but not impossible). So, if you use a weak master password, not only is your password for the vulnerable site brute-forceable, but all other sites you use in the present and the future will be compromised.<p>This scheme is not more secure than existing password management schemes (provided the password manager uses a good hashing algorithm for the master password like PBKDF2). It is strictly less secure because the security of all your passwords relies on the minimum security of all sites you use. It is also less secure because after a leak, an adversary can generate <i>future</i> passwords.<p>This tool should be used with caution and with these facts in mind.
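Added example, not code from this thread or from the Master Password project: a simplified stateless scheme in the shape the comments describe, where the master password and user name are stretched once with scrypt and the result is keyed with site and counter and rendered through a character template. The template names, salt string, scrypt parameters and example sites are assumptions for illustration; the demo shows the three properties argued over above: every site password is a pure function of the master (so one leaked site password is an offline check on master guesses, with scrypt cost the only brake), the counter is the only way to rotate a single site, and a master change rotates everything.

```python
import hashlib
import hmac

# Hypothetical, simplified stateless scheme modelled on the thread's description:
# site password = f(master password, user name, site, counter, template).
# It is NOT Master Password's published algorithm; names and constants are assumptions.
TEMPLATES = {"long": "CvcvnoCvcvCvcv", "medium": "CvcnoCvc", "pin": "nnnn"}
CLASSES = {
    "C": "BCDFGHJKLMNPQRSTVWXZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}

def master_key(master_password: str, user_name: str) -> bytes:
    """Stretch the master password once with scrypt (the only secret input).

    Every guess at the master costs one of these calls; that cost and the
    master's entropy are all that protect the other sites after one leak."""
    salt = b"example-scheme.v1\x00" + user_name.encode()
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)

def site_password(key: bytes, site: str, counter: int = 1,
                  template: str = "long") -> str:
    """Derive a site password; changing only `counter` rotates that one site."""
    seed = hmac.new(key, f"{site}\x00{counter}".encode(), hashlib.sha256).digest()
    pattern = TEMPLATES[template]
    # One seed byte per output character. Indexing by modulo is slightly
    # non-uniform for class sizes that do not divide 256; acceptable for a demo.
    return "".join(CLASSES[c][seed[i] % len(CLASSES[c])]
                   for i, c in enumerate(pattern))

def demo() -> dict:
    """Check the scheme's properties on constructed inputs (no real accounts)."""
    key = master_key("correct horse battery staple", "alice")
    bank = site_password(key, "bank.example")
    mail = site_password(key, "mail.example")
    rotated_bank = site_password(key, "bank.example", counter=2)  # rotate one site
    new_key = master_key("new master passphrase", "alice")        # change the master
    return {
        "deterministic": bank == site_password(key, "bank.example"),
        "counter_rotates_only_that_site": rotated_bank != bank
            and mail == site_password(key, "mail.example", counter=1),
        "master_change_rotates_everything":
            site_password(new_key, "bank.example") != bank
            and site_password(new_key, "mail.example") != mail,
    }
```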
This sounds like an excellent approach:<p><i>"Master Password is a stateless password generator. It doesn't store, collect or transmit any secrets. It makes them ubiquitously available, on-demand, depends on nothing but your private master password, and is fully open source."</i><p>I wonder why it hasn't received wider attention since being released a year or so ago? The only real mention I found in a cursory search (outside of app store reviews) was here:<p><a href="https://pack.resetthenet.org" rel="nofollow">https://pack.resetthenet.org</a><p><i>"Are you using the same password everywhere? If so, change it, starting with your email account. Use a tool like MasterPassword or write it down."</i>
This is incredibly similar to my side project Cassidy (except it's built on top of vault). Same idea though: master password + salt + site.<p><a href="https://cassidy.nicinabox.com" rel="nofollow">https://cassidy.nicinabox.com</a>
<a href="https://github.com/nicinabox/cassidy" rel="nofollow">https://github.com/nicinabox/cassidy</a>
Really great to see more open source solutions in this space, especially those attempting to tackle all platforms.<p>However, I can't help but feel a bit depressed by the state of even some of the most common projects, like GPG[0].<p>Another one whose simplicity and beauty I truly fell in love with -- Mitro[1] -- seems to be dying a slow death[2].<p>I know it shouldn't reflect on this project, and can only wish for its long-term success.<p>[0] <a href="https://news.ycombinator.com/item?id=9003791" rel="nofollow">https://news.ycombinator.com/item?id=9003791</a>
[1] <a href="https://www.mitro.co" rel="nofollow">https://www.mitro.co</a>
[2] <a href="https://github.com/mitro-co/mitro/issues/123" rel="nofollow">https://github.com/mitro-co/mitro/issues/123</a>
Curious as to how PasswordMaker either uses weak crypto or "suffers from critical flaws". Master Password seems to be more flexible with features like password counter and a customizable password policy (this is especially cool if it is customizable per domain). Unfortunately for me iOS-only is a deal breaker. PasswordMaker has clients that run on everything. The two I use most are the "PasswordMaker Pro" Chrome extension and the PasswordMaker X Android app.<p><a href="https://github.com/passwordmaker/chrome-passwordmaker" rel="nofollow">https://github.com/passwordmaker/chrome-passwordmaker</a><p><a href="https://github.com/eddieringle/PasswordMaker_X" rel="nofollow">https://github.com/eddieringle/PasswordMaker_X</a>
I'm using [SuperGenPass] for exactly the same thing. I forked the project on Github so I'm sure the algorithm won't be changed.<p>[SuperGenPass]: <a href="https://chriszarate.github.io/supergenpass/" rel="nofollow">https://chriszarate.github.io/supergenpass/</a>
This is a pretty neat concept. I'm not sure if this is what it's doing, but it seems like it.<p>It seems your master password is like a seed for the encryption or something, so that's why it can always be the same. If that's pretty much what it is, it's pretty smart and simple.<p>I also like the option for the account clues.
PasswordMaker <a href="http://passwordmaker.org/" rel="nofollow">http://passwordmaker.org/</a> is most similar, but this has a coherent cross-platform implementation and better templating.<p>Downsides:<p>- single point of developer failure (although open source, and specification-based)<p>- lack of browser integration
This is based on simpler tools like SuperGenPass<p><a href="https://github.com/chriszarate/supergenpass/wiki/FAQ" rel="nofollow">https://github.com/chriszarate/supergenpass/wiki/FAQ</a><p>which credits my site<p><a href="http://angel.net/~nic/passwd.current.html" rel="nofollow">http://angel.net/~nic/passwd.current.html</a><p>as "the original bookmarklet password generator". It adds some useful features, but loses the simplicity and transparency and real statelessness of a self-contained HTML/JavaScript form - and is less convenient for most uses than a bookmarklet.
Great idea, but a total geek product. In terms of actual market success, that is, getting security to average people, this is never going to work. Not only is there all kinds of language on the site that regular folk aren't interested in (text encodings, hashes, etc.), the very idea of having to remember a "password counter" is far too difficult for <i>anyone</i>. I've got hundreds of passwords (in a password app), and once even a quarter of those are incremented past 1 in the counter it's just a massive guessing game at that point.
Great idea! And kudos for releasing it as free software.<p>But I don't see how "nothing to intercept" is a security feature. That means an attacker can start brute forcing just knowing the victim's name instead of having to obtain the encrypted files first.
This is such an old idea, but brilliant for those cross-device fiddly little passwords - wish I had thought of it.<p>But, can you auto-fill / paste the password? The UX for a phone is usually painful - downloading it, so we shall see.
Cool idea! Reminds me of Passcode (<a href="https://github.com/mdznr/iOS-Passcode" rel="nofollow">https://github.com/mdznr/iOS-Passcode</a>), which follows a similar model.
Here are details of how the algorithm is implemented:<p><a href="https://ssl.masterpasswordapp.com/algorithm.html" rel="nofollow">https://ssl.masterpasswordapp.com/algorithm.html</a>
What if I need to change the password for a particular website (for example because it has been compromised and all its users were encouraged to change their password)?
One very bad "oops" I've realized I made.<p>Show HN is meant for projects one has created themselves. This is not my project and I didn't read that guideline last night when I submitted. It's an interesting project that I stumbled upon last night and started using. I thought I'd "show (it to) HN".<p>Happy for a mod to edit the title. My sincerest apologies to the author and the HN community for my haste and any misunderstanding.