Ask HN: Are you sure your password is not stolen?
2 points by k0ban 5972 days ago
I am looking to start a product around password storage.

I have a few questions to better understand whether there is real demand for such a product. Thank you in advance.

1. Do you feel safe entering your login/password for your bank or your critical resources (Facebook, Twitter, etc.)?

2. Are you concerned that malware could steal your password, even if anti-virus is installed?

3. Do you use any password storage software, such as 1Password (Mac) or RoboForm?

4. Will you buy a service that will _guarantee_ your login/password is not stolen or compromised? How much would you pay?

5. Could you share any additional features that you are missing in current products?

3 comments

And how do you intend to find out if it is stolen or not? Besides, if you want me to give you my banking passwords, telling me 'hey there, I'm pretty sure your passwords won't be stolen, but if they are we'll let you know' ain't really comforting.

Rather than giving you my passwords and waiting anxiously for that fateful email saying 'Your passwords have been compromised', wouldn't I be better off just not giving them to you?

Also, how do you guarantee that they won't be compromised? If you have really cracked this, then I think you're sitting on a fairly big pot of money.

Unfortunately I can't share details at the moment.

But one thing I could share - we won't require your passwords, it is just totally wrong from a security perspective :)

Say I compromised a website that was storing passwords in the clear. There should be no way whatsoever for you to know I've done this, or even that I've -used- this password. What, if any, advantage would you have over a password manager storing single-use passwords? A very good web implementation of this, with client-side encryption so that the service has no access to your actual passwords, is clipperz.com. Do you believe you can offer me something better? As someone who spends a lot of time studying security, I think you've made some extraordinary claims.

Sure, if the site is compromised then there is nothing you could know. But this is kind of unlikely in the case of major players like banks.

A zero-knowledge web app is a nice theoretical approach, but I don't see a way it will be adopted anytime soon.

As to my claims, I will post the application when it is ready, and we could discuss attacks against it. It will be quite different from clipperz etc.

1. Reasonably. 2. No. 3. Yes, 1Password. 4. Guarantee? As in, if it is stolen or compromised, you pay X amount? If yes, how much I would pay would be based on how much you pay out, as really, you are just selling insurance.

Thanks.

The product is not about insurance; the product is exactly about the fact that the password is not stolen.

When it is stolen you will know it right away, without any probability factor; it will be a 100% fact.

How?