by moe 4187 days ago
It sounds like you're asserting that Bitcoin

Don't put words in my mouth, I never suggested anything like that.

In Bitcoin the private key is derived from the public key which is normally randomly generated and not provided by the user.

The browser 'password manglers' mentioned here instead derive it directly from the password provided by the user. That is a big difference.

Most users don't choose a password of sufficient strength since they are limited to printable characters and especially when they are required to type it in all the time.

This is why key stretching functions such as PBKDF2 and scrypt were invented: to make relatively bad passwords (which users are prone to choose) harder to crack.

Screwing this particular step up in a tool that wants to be a password manager (of all things) strongly indicates that the creator has no remote clue what he is doing and that everyone should stay far away from his software.


So, passphrase length and strength is the concern here? If a human were to generate a reasonably strong passphrase (say 25 characters), would that mitigate the problem? (Certainly this is stronger than a memorizable unique password for every site, but I'm willing to believe I should do better.)

What does a good password manager look like if not this?

A good password manager generates a new, strong, random password for each site, stores them in a file and encrypts the file with a key that is derived from a user provided password via one of the aforementioned methods (PBKDF2 or scrypt).

This lets the user change his master password without invalidating all stored passwords and the compromise of any single or multiple site passwords does not affect the master password in any way.

And since the password-file is encrypted it can also be trivially backed up and synced across devices using any untrusted transport (e.g. Dropbox).

As it happens, this is exactly how the common solutions (KeePass, LastPass) operate. This part of the wheel is in no need of being re-invented poorly.