
Show HN: Password.ly - Per site password generator from a master password

16 points by qixxiq over 12 years ago

18 comments

tinco over 12 years ago

It is not safe to enter your master password on a random website like password.ly. The risk is simply too high that it gets hacked someday and your master password will fall.

That it is not stored in a database is only a small advantage. If whoever controls password.ly wants to have all passwords, she could do so whenever she wants, a matter of a simple extra request. It could even be hidden in the params of any link on password.ly (to prevent you from noticing the extra request).

And that reveals the second big problem with this: The master password is basically every password. If it falls in the wrong hands you are worse off than you would be if you have a small set of passwords, which isn't a highly recommended strategy in itself.

But the idea itself isn't too bad, if you would instead of using password.ly use a terminal bcrypt command to bcrypt your password+sitename it would be very decent indeed.

The only way sites like this could be safe to use is if there would be a code-signing standard for the web.

edit: This service actually sends your password to their service! At first I thought it was an innocuous enough javascript password generator, but this is so stupid it borders on malice.
shabda over 12 years ago

Since all this can be done client side, you don't really want/need to give your master password away. We built an app like this - it's a Chrome app and everything happens in your browser.

https://chrome.google.com/webstore/detail/password-generator/nnjgaeekiplalipomfgacalgehhcckbp

Source: https://github.com/agiliq/forgot-me-password

It's not as good as this as we use MD5 to hash the generated passwords - reason being this was proof of concept, and built mostly for our use. If anyone wants to add bcrypt - pull request is gladly accepted.
jgrahamc over 12 years ago

The passwords generated by this do not have enough entropy. The code that does the generation is:

    def generatePassword(password, site):
        letters = 'abcdefghijklmnopqrstuvwxyz'
        u_letters = letters.upper()
        all_letters = letters + u_letters
        numbers = '0123456789'
        symbols = '!@#$%*-?+='
        length = 10

i.e. a 10 character password is generated from an alphabet with 72 characters in it. That gives 10 * log_2 72 which is roughly 61.7 bits.

Currently you'd want to have at least 80 bits for a good password.

Of course, it's trivial for them to fix this given that they are generating the passwords: just change length to 13 or greater.
DomBlack over 12 years ago

Have a look at your competition such as: http://supergenpass.com/

Your system is creating the passwords server side and so taking the user's "master" password in. Whereas SuperGenPass is purely javascript based and runs completely in the browser; thus is safer.

Also being a bookmarklet makes it more convenient, as you can just click the button from within your browser toolbar, rather than having to go to a separate site, remember exactly what you put in the "Create password for:" input, did you put the domain with a www or without? with http:// or https:// ?
peterwwillis over 12 years ago

It appears like you're using the flawed '2a' bcrypt implementation from 2011, ex:

    <input type="hidden" name="hash" value="$2a$11$1aRIk1567CsvOEGMEKlalOteGiqsy9APgBfI/5ZtPJvQgQkvxC1.G">

Use the '$2y$' form to ensure you're using the fixed version, at least, though I recommend something more along the lines of scrypt to be more robust against attack. And do you really need to pass the value in plaintext in the returned form? Just pass the hash value of the master password and put some fake stars in the form field to reduce the possibility of an attacker gaining the plaintext version of the master password from the browser.

All of this of course ignoring the problem of just generating lists of passwords based on commonly-used master passwords and service names, but I'm sure you all realize that problem.
waitwhat over 12 years ago

If I want to change a non-master password (some random forum I use gets hacked, for example, or an admin forces a password change), how would I do that?
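An added example (my own code, not Password.ly's) that combines the points in tinco's, jgrahamc's and peterwwillis's comments and waitwhat's question: derive the per-site password locally with scrypt instead of sending the master password anywhere, use length 13 so the 72-character alphabet clears 80 bits, and carry a revision counter so a single site's password can be rotated. The `revision` parameter, the scrypt settings and the lower-casing of the site name are assumptions of mine.

```python
import hashlib
import math

# The same 72-character alphabet quoted from the Password.ly generator above.
LETTERS = 'abcdefghijklmnopqrstuvwxyz'
ALPHABET = LETTERS + LETTERS.upper() + '0123456789' + '!@#$%*-?+='


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def min_length_for(bits, alphabet_size=len(ALPHABET)):
    """Smallest password length whose entropy reaches `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def derive_password(master, site, revision=1, length=13):
    """Derive a per-site password on the client only.

    The master password never leaves the machine: scrypt(master, site|revision)
    yields key bytes that are mapped onto ALPHABET. `revision` is an assumption
    added here so one site's password can be changed without touching the rest.
    """
    # Site name is lower-cased (assumption) so "Example.com" == "example.com".
    salt = f"{site.lower()}|{revision}".encode()
    # scrypt parameters are an assumption; n=2**14, r=8, p=1 is a common
    # interactive-use setting. dklen is oversized to survive rejection sampling.
    key = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=128)
    # Rejection sampling keeps the mapping uniform: 3 * 72 = 216 <= 256, so any
    # byte >= 216 is skipped instead of wrapped (wrapping would bias low chars).
    limit = (256 // len(ALPHABET)) * len(ALPHABET)
    out = []
    for b in key:
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
        if len(out) == length:
            break
    if len(out) < length:
        raise ValueError("derived key exhausted; increase dklen")
    return ''.join(out)


if __name__ == '__main__':
    print(f"10 chars: {entropy_bits(10):.1f} bits; need {min_length_for(80)} for 80 bits")
    print(derive_password('correct horse battery staple', 'example.com'))
    print(derive_password('correct horse battery staple', 'example.com', revision=2))
```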
agersant over 12 years ago

http://keepass.info/
michaeltoth over 12 years ago

I think this is a good idea for a site, but I'd caution that it could give users a false sense of security. As the site gains popularity, the site-specific passwords are only as secure as the master password used to generate them. Therefore it is still important to choose a strong master password when using this tool.

This may be obvious to users here, but to most people the fact that the generated passwords seem random may lead to a false sense of security in this matter.
city41 over 12 years ago

The site seems to suggest it will only generate passwords in the moment. But the text of the site mentions you guys saving them, and your comment mentions a command line tool. How can I find out the extent of password.ly?

My initial impression was "no thanks" because 1Password will type my passwords in for me, a huge benefit. But maybe password.ly can or soon will do this?

In other words, IMO the landing page doesn't have enough info.

EDIT: ahh, now I see the link to the command line tool at the bottom.
jameswyse over 12 years ago

What do you guys think about the security of 1Password? I've been using it for a while and now have a unique password for every site, as long as the site will allow. The Chrome extension is pretty good except sometimes I have to click it a few times before it opens.

Though I recently had to wipe my Android phone and getting those long passwords in to every app was NOT fun.
mekwall over 12 years ago

This merely gives the user a false sense of security. What if a hacker gets hold of your master password? I'd rather advocate the use of different high-entropy passwords divided in security tiers. A junk password for places you don't care about or fully trust, a generic password to use on trusted services and secure passwords for crucial services.
koralatov over 12 years ago

I don't know a lick of Python, so I can't check properly, but does the CLI client[1] work entirely offline, or does it also send the password to the server for processing?

I think I already know the answer (it does), but maybe someone can correct me if I'm wrong.

[1] https://github.com/passwordly/pw
anykey over 12 years ago

I'm a bit low-tech in regards to my password scheme, but here's how I do it:

First, I generated an 8 character password using pwgen (great program, btw) that is just mixed-case. I then add several characters based on the name of the website/service I'm logging into.

Using this, I can easily remember my password to everything, and each one is unique.
minhajuddin over 12 years ago

Not sure why this hasn't been mentioned: https://chrome.google.com/webstore/detail/passwordmaker-pro/ocjkdaaapapjpmipmhiadedofjiokogj It is a port of PasswordMaker Pro for Firefox. It has been working great for me.
wjt over 12 years ago

Vault - https://getvau.lt/ - is basically the same idea, taken much further: it lets you control the character classes used in the generated password, and the command-line version can save per-site settings if you choose.
dpham over 12 years ago

I feel like this is no different than passwordchart.com but is a bit less configurable. I use 1password myself after using passwordchart for a while. Ever thought about how to handle services that require you to change your password every few months?
amalag over 12 years ago

I would love to see something like this or a browser tool integrated with a Yubikey. Yubikey has a static password generator. Could it be combined in a browser plugin or does it need a client executable to be secure?
james-singh over 12 years ago

Good one if you'd never change your password. Say I generated a password for my HSBC account with this. Later, if they ask me to change the password, I'm out of options because it's one password per account.