by SNvD7vEJ 3548 days ago
How does this compare to the KeePass family of pw-managers? (Besides that Forgiva is closed source and KeePass is open source.)

Fixes poor passwords, accessibility and storage problems with highly secure way.

What does that even mean?


The way I read it... it's a password manager that doesn't store passwords (centrally or locally).

Instead it regenerates the password each time.

i.e. password for HN may be: some trait of HN (domain?) + some salt + your identity (cert?) to always produce the same password.

I didn't understand it all from the site, the explanations and broken English didn't really elucidate. But... if my understanding was right, I wondered about how to handle cert changes or key rolling, etc. There seemed to be a mentioned mechanism for this, but again I didn't really understand that from the description.

Gist though: No generated and stored passwords, but a pattern to always generate the same password for a given site.

What happens then if you want/need to rotate your password?

How does it deal with stupid password format restrictions?

The salt gets changed.

So, either the password database + master password gets stolen, or the salt database + master password gets stolen.

Except if the master db is stolen without the master password, one can throw guessed passwords at it and know when one worked (i.e. the db becomes readable).

Throwing passwords at a salt db gets you... what?

But then if the salt is stored and the algorithm is known, doesn't the salt just essentially become the password, from a security standpoint?
Seems like a really cool idea, as long as the password generator can be proved to be hard enough to break.
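A concrete instance of the scheme the earlier comments sketch (some trait of the site + a salt + a long-term secret, rotated by changing the salt or a counter, with site format restrictions applied afterwards), and of the "stolen salt database" question: this is an added illustrative example, not Forgiva's code or its algorithm. It assumes a generic PBKDF2/HMAC construction; the domain, salt and secret values are constructed for the demo.

```python
import hashlib
import hmac

# Character classes used to satisfy per-site password-format rules.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#$%&*+-=?@^_"

# PBKDF2 work factor: this is what makes each retrieval take tens of
# milliseconds, and what slows an attacker guessing the secret offline.
ITERATIONS = 100_000


def _byte_stream(seed: bytes):
    """Unbounded deterministic byte stream: HMAC-SHA256(seed, block_index)."""
    block = 0
    while True:
        yield from hmac.new(seed, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def _render(stream, length: int, charset: str) -> str:
    """Map stream bytes onto charset with rejection sampling (no modulo bias)."""
    limit = 256 - (256 % len(charset))
    out = []
    for b in stream:
        if b < limit:
            out.append(charset[b % len(charset)])
            if len(out) == length:
                return "".join(out)


def derive_password(secret: bytes, domain: str, salt: str, counter: int,
                    length: int = 20, classes=(LOWER, UPPER, DIGITS, SYMBOLS)) -> str:
    """Regenerate the same password from (secret, domain, salt, counter).

    Only (domain, salt, counter, policy) is ever written down; `secret` is the
    user's long-term key (the "certificate" in the thread). Rotation is
    bumping `counter`; format rules are `length` and `classes`.
    """
    # Bind every public parameter into the PBKDF2 salt so that changing any
    # one of them yields an unrelated password.
    info = "\x00".join([domain, salt, str(counter), str(length)]).encode()
    seed = hashlib.pbkdf2_hmac("sha256", secret, info, ITERATIONS, dklen=32)
    charset = "".join(classes)
    stream = _byte_stream(seed)
    while True:
        # Deterministic retry: keep reading the same stream until a candidate
        # contains at least one character from every required class.
        candidate = _render(stream, length, charset)
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def rotate(entry: dict) -> dict:
    """Rotate one site's password without touching the secret: bump its counter."""
    return {**entry, "counter": entry["counter"] + 1}


def guess_secret(entry: dict, known_password: str, candidates):
    """What a stolen salt database buys an attacker: nothing on its own, but
    with one known site password as an oracle every candidate secret can be
    checked offline. Returns the matching candidate or None."""
    for cand in candidates:
        if derive_password(cand, entry["domain"], entry["salt"],
                           entry["counter"], entry["length"]) == known_password:
            return cand
    return None


# Constructed sample data for the demo (hypothetical values, not real ones).
SAMPLE_SECRET = b"constructed-long-term-secret-key-for-demo"
SAMPLE_ENTRY = {"domain": "news.ycombinator.com", "salt": "7f3a", "counter": 0, "length": 16}


def demo() -> dict:
    """Show determinism, rotation and the known-password oracle in one place."""
    e = SAMPLE_ENTRY
    pw = derive_password(SAMPLE_SECRET, e["domain"], e["salt"], e["counter"], e["length"])
    r = rotate(e)
    pw_rotated = derive_password(SAMPLE_SECRET, r["domain"], r["salt"], r["counter"], r["length"])
    recovered = guess_secret(e, pw, [b"wrong-guess", SAMPLE_SECRET])
    return {"password": pw, "rotated": pw_rotated, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The database that travels with the user holds only domain, salt, counter and policy, so losing it reveals which sites you use but no passwords; the secret alone decides everything, which is the "salt becomes the password" worry turned on its head: the salt is public, the key is not. Retrieval cost is set entirely by ITERATIONS, and so is the cost of the offline check in guess_secret once any one site password is known.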

How long does the retrieval of a password take? Sub-second? 10 seconds?

It looks like it isn't completely closed source, https://github.com/sceptive/Forgiva.
NC licenses aren't considered "Open Source":

http://www.opensource.org/docs/osd

Interesting, but then what do you call something whose source is available to be viewed?
I'd call it proprietary. It's closer to free software, but it's not all the way there.
"Source-viewable"
I call that source code publication or public source code.
Then this company - Sceptive is kinda Deceptive. It says on their web page: "Or clone Open Source implementation from Github"
>> How does this compare, for example, to the KeePass family of pw-managers?

It is a password manager too but with an alternative approach.

>> "Fixes poor passwords, accessibility and storage problems with highly secure way."
>> What does that even mean?

It generates strong passwords by default, you can access them anywhere with it, and it does not need to store them anywhere.

>you can access them anywhere with it and does not need to store anywhere

But you have to carry the database with you anyway and have to store it somewhere. So what's the point of having a database with everything but passwords?

And you still need the database encrypted, because you don't want to give the attacker your usernames, emails, recovery answers and other stuff, do you?

Maybe the point is that you do not need to store the database securely, that you can store it openly, as long as the certificate used to generate the passwords is kept secret.

But you probably want to keep the meta info of what sites you have access to secret too.

So I don't know why this is better than simply using the certificate to encrypt the database.

But maybe I did not understand how it works.

Ok, cool that you can access it anywhere.