Hacker News
by iisaev 1555 days ago
Use https://www.lesspass.com/#/ - I've found the approach very fresh. Of course, you have to be sure that the master password is not leaked, but the same is true for any stateful password manager.

The real problem though is that it does not support hardware security tokens at the moment.

4 comments

I've looked into this approach in the past. For me it really breaks down if any of your sites require you to ever change or rotate your password. Then you have to memorize or record the differences.
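To make the rotation problem concrete, here is an added illustration of a derived (stateless) password scheme in the spirit of LessPass; it is example code written for this page, not LessPass's actual algorithm or anything posted in the thread. The site, login and a counter form the PBKDF2 salt, so the password is a pure function of those inputs: no vault is needed, but the moment a site forces a rotation the only way to get a new password is to bump the counter, and that counter is exactly the residual state the comment above says you end up having to memorise or write down. The character set, parameter names and iteration count are assumptions chosen for the example.

```python
import hashlib
import string

# Assumed output alphabet for the demo (letters, digits, a few symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_password(master: str, site: str, login: str, counter: int = 1,
                    length: int = 16, iterations: int = 100_000) -> str:
    """Derive a site password deterministically from the master password.

    Nothing is stored anywhere: the same (master, site, login, counter) always
    yields the same password, and changing any of them yields an unrelated one.
    This is an illustration in the style of LessPass, not its real algorithm.
    """
    # The non-secret inputs act as the salt; NUL separators keep the fields
    # from colliding (e.g. site "ab" + login "c" vs site "a" + login "bc").
    salt = f"{site}\x00{login}\x00{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=32)
    # Map the 256-bit key onto the alphabet without modulo bias by treating
    # it as one big integer and peeling off one base-|ALPHABET| digit per char.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def rotate(counters: dict, site: str) -> int:
    """Bump the per-site counter after a forced password change.

    The returned mapping is the state a user of a "stateless" scheme still has
    to remember or record: without it the old password is regenerated instead
    of the new one.
    """
    counters[site] = counters.get(site, 1) + 1
    return counters[site]


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    master = "correct horse battery staple"
    counters = {}
    first = derive_password(master, "example.com", "alice")
    print("initial  :", first)
    # example.com forces a rotation: the counter must change and be recorded.
    c = rotate(counters, "example.com")
    print("rotated  :", derive_password(master, "example.com", "alice", counter=c))
    # The site moves to a new domain: the derived password changes as well.
    print("new domain:", derive_password(master, "example.org", "alice", counter=c))
    print("state you now have to keep:", counters)
```

The three printed passwords are unrelated to each other, which is the point: the scheme trades the vault for a small amount of per-site state (counters, and any renamed domains) that has to live somewhere, typically in the user's head.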
> Of course, you have to be sure that master password is not leaked, but the same is true for any stateful password manager.

I don’t think this comparison is accurate. With a vault-based password manager, an attacker would need the master password AND the vault. The vault is usually protected separately, either because it’s a file that’s non-public (e.g. Keepass), or because it’s a web service that’s rate-limited or otherwise monitored (e.g. 1Password Cloud).

The vault is almost always protected by the master password. That single password is what's used both to retrieve the vault and to decrypt it.

The only difference is going to be if the remote vault requires a separate auth factor. And that's a legitimate thing to consider. But I think (but I haven't thought much about it tbh) if you have a secure master password then the situations where this matters are limited.

> That single password is what's used both to retrieve the vault and to decrypt it.

Not sure how you mean that: if I used Keepass for example, which uses a file vault, and I told you that my master password was `p4ssw0rd`, how would that give you access to my vault and hence to any of my passwords?

Sorry, I had assumed you were referring to systems where the vault is distributed.

Ah nice, I had this idea and was thinking of implementing it. This is probably a very scary idea for a lot of people, but the reality is that it's no different with regards to security than other approaches, but it's vastly simpler (which should be a win).

I can't speak to this specific implementation, but the reality is that if your master password is leaked you have to rotate every credential no matter what.

This has been implemented many times over the last 20 years. Another implementation is PasswordMaker.

It breaks as soon as domain names change.