by mancini0 1391 days ago
Lesspass generates reproducible unique passwords from inputs (username, domain, master password). It works without an internet connection and is open source. You only need their cloud storage if you want to back up metadata about the password requirements for specific sites (i.e., no special chars allowed by foo.com, bar.com requires a capital letter and a number, etc.). This metadata can also be stored locally. The command line utility is great; they also offer Mozilla / Chrome extensions and mobile apps. I bash alias the command line command to copy the password into the clipboard, so when I navigate to a site on my laptop, I run genp chase or genp amazon and quickly have the pw ready to go in my clipboard. The apps / extensions and even the CLI use emojis as a visual cue to let you know you typed in the correct master password (since it's masked).

The last time I looked at Lesspass, its implementation was worryingly incompetent[1][2]. Just use your browser’s password manager; it’s less phishable than a manual `genp site` and your passwords don’t pass through your clipboard.

EDIT: I revisited the code. Looks like everything in [1] is fixed, nothing in [2] is fixed, there are now JWTs for some reason, and… they removed metadata encryption??[3][4] Or it was never there in the first place and simple-crypto-js was used for something else? Either way, it’s a current and major flaw.

[1] https://news.ycombinator.com/item?id=22587940

[2] https://news.ycombinator.com/item?id=22582570

[3] https://github.com/lesspass/lesspass/issues/185

[4] https://github.com/lesspass/lesspass/blob/314fc7386f2c29750c...

How does it solve the problem where the site is compromised and you are forced to change the password?
The inputs are domain + username + counter. So you just increment the counter.
How does it solve the problem when bank1 requires [a-zA-Z0-9] characters (no special) and bank2 requires [a-zA-Z0-9!@#$%^&*()] characters (special required)?
You can set it up for that, as well. Of course, it means that you'll also have to back up the config, but it's just a JSON file. They do have a cloud service to sync that, too.

I recommend checking out their main page - it's got plenty of screenshots that showcase all the important features:

https://www.lesspass.com/
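As an added illustration (my own example, not LessPass's code, and not byte-compatible with its actual algorithm), here is a deterministic derivation in the spirit of what the thread describes: the master password is the PBKDF2 secret, site + login + counter form the salt, and a per-site JSON profile (the metadata the posts above mention backing up) decides which character classes are allowed, so bank1 gets no symbols, bank2 is guaranteed one, and bumping the counter after a breach yields an unrelated password. Site names and the profile contents are constructed.

```python
import hashlib
import json

LOWER, UPPER, DIGITS, SYMBOLS = ("abcdefghijklmnopqrstuvwxyz",
                                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                                  "0123456789", "!@#$%^&*()")

def derive_password(master, site, login, counter=1, length=16,
                    lowercase=True, uppercase=True, digits=True, symbols=True):
    """Deterministic site password from master password + site + login + counter.
    Illustrative scheme only (assumption): not byte-compatible with LessPass."""
    sets = [s for s, on in ((LOWER, lowercase), (UPPER, uppercase),
                            (DIGITS, digits), (SYMBOLS, symbols)) if on]
    if not sets or length < len(sets):
        raise ValueError("need >= 1 charset and length >= number of charsets")
    # The salt binds the result to site, login and counter; bumping the
    # counter after a breach gives an unrelated password without a new master.
    salt = f"{site}{login}{counter:x}".encode()
    entropy = int.from_bytes(
        hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, 32), "big")
    alphabet = "".join(sets)
    out = []
    for _ in range(length - len(sets)):
        entropy, idx = divmod(entropy, len(alphabet))
        out.append(alphabet[idx])
    # One character from each required set, inserted at entropy-chosen spots,
    # so site rules like "must contain a digit" are always satisfied.
    for s in sets:
        entropy, idx = divmod(entropy, len(s))
        entropy, pos = divmod(entropy, len(out) + 1)
        out.insert(pos, s[idx])
    return "".join(out)

# Constructed per-site profile, the kind of metadata the thread says can live
# in a local JSON file: bank1 forbids symbols, bank2 requires them.
PROFILES_JSON = json.dumps({
    "bank1.example": {"symbols": False, "counter": 1},
    "bank2.example": {"symbols": True, "counter": 2},
})

def password_for(master, login, site, profiles_json=PROFILES_JSON):
    """Apply the stored per-site rules (defaults if the site is unknown)."""
    profile = json.loads(profiles_json).get(site, {})
    return derive_password(master, site, login, **profile)
```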

so simple even my grandma can do it! ;)

In all seriousness, Lesspass has a cool concept (I hadn't heard of them before, just looked at their website now). I'd be interested in hearing what cryptography/security experts think about it.

Yep, I bet she could. Don't let the way I described my use of it as a 'power user' (via the CLI) scare you off; the browser extensions are very user friendly, just Ctrl-Shift-L and fill out a few inputs.