by buro9 3549 days ago
The way I read it... it's a password manager that doesn't store passwords (centrally or locally).

Instead it regenerates the password each time.

i.e., the password for HN may be: some trait of HN (domain?) + some salt + your identity (cert?), combined to always produce the same password.

I didn't understand it all from the site, the explanations and broken English didn't really elucidate. But... if my understanding was right, I wondered about how to handle cert changes or key rolling, etc. There seemed to be a mentioned mechanism for this, but again I didn't really understand that from the description.

Gist though: No generated and stored passwords, but a pattern to always generate the same password for a given site.


What happens then if you want/need to rotate your password?

How does it deal with stupid password format restrictions?

the salt gets changed

so, either password database + master password gets stolen, or salt database + master password gets stolen
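
The scheme as buro9 reads it (site trait + salt + master identity, regenerated on demand) and the "the salt gets changed" rotation answer just above, written out as an added Python example; this is not code from the thread or from the product under discussion, and the site names, master phrase, alphabet and version-numbered salt record are constructed assumptions.

```python
import hashlib
import hmac
import string

# Constructed illustration; alphabet and record format are assumptions, not the product's.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def site_salt(site: str, version: int) -> str:
    """The only per-site state a 'salt database' would hold.
    Rotating a password means bumping the version, not storing a new secret."""
    return f"{site}#v{version}"


def derive_password(master_secret: str, site: str, version: int = 1,
                    length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Regenerate a site password from master secret + site + salt.
    Same inputs always give the same output, so nothing has to be stored."""
    salt = site_salt(site, version)
    # Slow KDF: whoever steals the salt database still has to brute-force
    # the master secret one slow guess at a time (the L23/L25 point: a
    # stolen salt db alone gives no oracle for "was this guess right?").
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              salt.encode("utf-8"), 200_000, dklen=32)
    # Expand the key into as many bytes as needed and map each byte onto the
    # allowed alphabet. Format restrictions are met by passing a narrower
    # alphabet or shorter length; rejection sampling avoids modulo bias.
    limit = 256 - (256 % len(alphabet))
    chars, block_index = [], 0
    while len(chars) < length:
        block = hmac.new(key, f"{site}|{block_index}".encode(), "sha256").digest()
        for b in block:
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
            if len(chars) == length:
                break
        block_index += 1
    return "".join(chars)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    print(derive_password(master, "news.ycombinator.com"))             # version 1
    print(derive_password(master, "news.ycombinator.com", version=2))  # after rotation
    print(derive_password(master, "bank.example", length=8, alphabet=string.digits))
```

Retrieval cost is the one PBKDF2 call per lookup, so the answer to "sub-second or 10 seconds?" is set by the iteration count chosen.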

Except if the master db is stolen without the master password, one can throw guessed passwords at it and know when one worked (i.e. the db becomes readable).

Throwing passwords at a salt db gets you... what?

But then if the salt is stored and the algorithm is known, doesn't the salt just essentially become the password, from a security standpoint?
Seems like a really cool idea, as long as the password generator can be proved to be hard enough to break.

How long does the retrieval of a password take? Sub-second? 10 seconds?