Hacker News new | ask | show | jobs
by vrikis 4350 days ago
(unfortunately) The more I think about this, the more flaws I find... I looked through pastor.py and essentially you're just creating a different password. There's no difference between using this generated password and another password (you could argue that the generated password is harder to brute force, but that's it really).
3 comments
watwut 4350 days ago
"The generated password is also site-unique and thus leaves you more resilient against sites losing their password databases or being outright malicious"

Assuming this tool would become popular, I do not think it would make any difference in scenario you described. If I know that a lot of people use this to generate their passwords, I can:

* guess the door id (e.g. facebook or fb for facebook.com),

* concatenate it to usual attack guess,

* hash the result one more time and continue in exactly the same way as usually.

Bonus for attacker: if any of password databases leaks and attacker manages to acquire your passphrase the above way, he needs only few door id guesses to get access on any of yours accounts.

link
ygra 4350 days ago
That's the usual purpose of a password manager. Freeing you from having to remember long and/or complex passwords so you can effortlessly have stronger passwords and more convenience (also different passwords for different services without having to remember them all).

Keep in mind that this is something for personal use to retrieve passwords used somewhere, not for storing passwords for users within a service (at least your confusion sounds like you might be confusing those two things).

link
Anderkent 4350 days ago
The problem is that the 'door' is your password now - you have to remember all the different doors, or use a password manager to store them for you... But then why not just keep the actual passwords in the manager?
link
ygra 4350 days ago
The door is just the identifier you use for retrieving a certain password. You can just use your username, or the e-mail address you used to sign up. Said identifier is not a password in that it's not secret. You can even write them down.
link
tekacs 4350 days ago
The generated password is also site-unique and thus leaves you more resilient against sites losing their password databases or being outright malicious, but the rekeying problem in the grandparent post is a major (essentially fatal) downside.
link