by CogDisco 3711 days ago
I think it's more a password manager that doesn't manage passwords.

You can't set an expiry date on a password. You can't change a password if it's compromised. You don't know when a master password was created so you can change it. If you change your master password you have to change every password you care about. You can't introduce new entropy. You have to manually specify a keyword scheme (and presumably store it yourself). You can't store metadata in case the website decides it's changed from usernames to email addresses and you've forgotten which one you used for what. You can't change the master password independently of the individual passwords.

In actual password management, this program makes you specify, store and organize it all yourself. And without significantly more security than a traditional password manager like Keepass.

It seems a bit cocky to call it "Visionary".


And it can't accommodate websites having weird password requirements. Some websites require symbols and some have a maximum number of characters. Fixing this would probably require special characters in the keyword, which would force you to remember the website's original password requirements on top of the keyword itself.

Very good point! Since some websites still require PIN codes (passwords made of digits), you would have to restrict yourself to something like an 8-digit-long password, which is not very secure, even with a slow hash (scrypt iteration).
My main gripe is with:

> Nothing is stored so there’s nothing to steal.

Nothing is stored, but it's public knowledge. In a traditional password store, there are two levels of security: limited access to the encrypted passwords, and encryption itself. With their approach, there is only one level: encryption.

The counterpoint would be this:

> There are thousands of iterations of Scrypt, making brute-forcing infeasible.

But this is trivial to do with a conventional password store.

As you said, password expiration is in contradiction with the last point:

> No need to sync data, as there’s nothing to sync! You can use this script or our API (coming soon) from anywhere in the world, and from any device, to generate your passwords.

I think the idea is there's a keyword used to salt the password and you could change the keyword if the password needs to be changed.

That forces you to remember which "version" of the keyword you're on. Was I on github1? github56? etc. It makes the management part even more manual.
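The derivation scheme the thread is arguing about (master password plus a per-site keyword fed through scrypt, with nothing stored), as an added illustration that is not code from the original post or from the product under discussion. The scrypt cost parameters, the 64-symbol output alphabet, the keyword-plus-version salt layout and the sample master password are all assumptions of this example; it makes the two complaints concrete: the per-site version counter is state the user has to remember, and rotating the master changes every site's password at once.

```python
import hashlib
import string

# Exactly 64 symbols so that `byte % 64` is unbiased (256 is a multiple of 64).
ALPHABET = string.ascii_letters + string.digits + "-_"

# Constructed cost settings for the demo; memory use is 128 * n * r = 16 MiB.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def site_salt(keyword: str, version: int) -> bytes:
    # The only per-site "state" the scheme has: a keyword plus a version counter
    # the user must remember themselves (e.g. "github" v1, then "github" v2 after a breach).
    return f"{keyword}:{version}".encode()


def derive_password(master: str, keyword: str, version: int = 1, length: int = 16) -> str:
    # Deterministic: same master + keyword + version always yields the same password.
    key = hashlib.scrypt(master.encode(), salt=site_salt(keyword, version),
                         dklen=length, **SCRYPT_PARAMS)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def derive_pin(master: str, keyword: str, version: int = 1, digits: int = 8) -> str:
    # Digit-only sites: reduce a 32-byte key modulo 10**digits. Since 2**256 is vastly
    # larger than 10**8 the mapping bias is negligible; the weakness is the 10**8 search
    # space itself, which a slow hash only makes linearly more expensive to enumerate.
    key = hashlib.scrypt(master.encode(), salt=site_salt(keyword, version),
                         dklen=32, **SCRYPT_PARAMS)
    return str(int.from_bytes(key, "big") % 10**digits).zfill(digits)


def sites_changed_by_master_rotation(old_master: str, new_master: str, keywords) -> list:
    """Return the keywords whose derived password differs after the master is changed."""
    return [k for k in keywords
            if derive_password(old_master, k) != derive_password(new_master, k)]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    print(derive_password(master, "github", version=1))
    print(derive_password(master, "github", version=2))  # per-site rotation = new version
    print(derive_pin(master, "bank"))
    # Rotating the master changes every site's password, not just the compromised one.
    print(sites_changed_by_master_rotation(master, master + "!", ["github", "bank", "email"]))
```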