I'm working on something like this at the moment, which will be released within the next few months. I can email you when it's ready if you're interested?
Sure, but to be completely honest, this is one of those things where I'm very unlikely to take a big chance on new, untried software. At least, not for my business. For my personal use, sure.
I'd like to see a helluva lot of proof that you're a legit company before trusting you with this kind of information.
I say this not to discourage you, but just to explain how a business owner will think about your premise. Or at least me, don't know if this is representative of your actual audience or not.
In any case let me know when it's up, I'd love to take a look!
Of course, and these are problems I will be working to solve very early on. The kind of users I'm aiming for should be rightly concerned about the security of their passwords and I will be providing as many mechanisms as possible, both socially and technologically, to prove said security in a transparent way.
Using a password manager allows me to assign a different random password to every site I use. This means that, if a site that uses weak hashing gets hacked (a relatively common occurrence), none of my other accounts are compromised. Do you have another practical way to achieve this level of security?
Also, note that if my password manager is compromised, it means that the attacker has some level of access to my machine, since that is where my passwords are stored. In that case it is reasonably likely the attacker can also install a keylogger. This will reveal my often-used passwords even if I do not use a password manager.
What would you recommend instead? If you insist people remember all of their passwords in their head, you'll end up with them using the same password for everything.
I like the idea of hashing off a root word + site. I'd rather have the browser do it for me though, and I don't think there's anything on the page itself that I could depend on to hash with. Maybe the domain?
To be honest, Firefox has an encrypted database of site-passwords. What's wrong with that?
I have a system like that, that takes a master and the domain. The advantages over the Firefox password manager are availability and not having to worry about backups. Since I know the algorithm, I can recreate any password using widely available tools.
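A sketch of the "master + domain" derivation discussed in the comments above, as an added example that is not part of the thread and not any commenter's actual algorithm. The KDF (PBKDF2-HMAC-SHA256), the iteration count, the alphabet, the rotation counter and the function names are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Assumed output alphabet (74 symbols); some sites will reject part of it.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
# Assumed work factor: one leaked site password lets an attacker guess the
# master offline, so each guess has to be expensive.
ITERATIONS = 600_000

def normalize_site(site: str) -> str:
    """Reduce a URL or bare hostname to a lowercase host so that
    'https://WWW.Example.com/login' and 'example.com' derive the same password."""
    host = urlsplit(site if "//" in site else "//" + site).hostname or ""
    host = host.rstrip(".")
    if not host:
        raise ValueError(f"no hostname in {site!r}")
    return host[4:] if host.startswith("www.") else host

def derive_password(master: str, site: str, counter: int = 1,
                    length: int = 20, iterations: int = ITERATIONS) -> str:
    """Deterministically derive a per-site password from a master secret.
    Bump `counter` to rotate one site's password without changing the master."""
    salt = f"{normalize_site(site)}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    # Expand the key into a byte stream and map bytes to characters with
    # rejection sampling, so every symbol is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
        for b in stream:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)

if __name__ == "__main__":
    # Constructed sample inputs.
    print(derive_password("correct horse battery staple", "https://www.example.com/login"))
```

Nothing is stored, so the only state to remember is the master and any per-site counter that has been bumped; the strength of every derived password is bounded by the strength of the master.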
Feel like providing a workable alternative, or are you just content to stay in your cloud of idealism with other thoughts like "everyone should change passwords for everything every 90 days"?