Domain: masterpasswordapp.com
Stories and comments across the archive that link to masterpasswordapp.com.
Comments · 7
-
Wrong question
There's nothing inherently wrong with passwords. There's a lot wrong with how most of us use passwords.
Dismissing passwords or naively pretending like "We reached the end of needing passwords maybe seven years ago" is throwing the baby out with the bathwater.
To fix the problem of authentication security, we need to re-think the meaning and use of authentication identifiers *before* we start making blind judgement calls about what is and isn't fit as one.
There are some good ideas out there.
-
Passwords should not be handled by people.
We have hundreds of accounts scattered across the net, and each's security relies on a secret that is supposed to be unguessable and shared only between you and that site. Such is the primary assumption of passwords, and yet such a system can never work for people.
The only solution is to stop using passwords as passwords and instead consider them as "symmetric keys". Master Password is a password generator that takes the name of your site and generates a unique key for you and it which you use as the password for the site. The awesome thing is that it's a generated key and thus doesn't rely on any form of storage, be it cloud or require backups and sync, nor can it ever be lost. It uses the scrypt KDF to protect itself against off-line reversal attacks.
-
Re:KeePass?
How about no keyfile at all? Keeping backups of a keyfile in secure locations, syncing a keyfile between multiple devices and handhelds securely and without conflict, etc all needlessly complicate password management and eventually affect overall security. Also, if an authority obtains your keyfile through any form of search, they are legally within their right to force you to provide the key to unlock it. Not so if there is no encrypted vault.
-
Re:SuperGenPass
The idea is great, the implementation horrible.
Master Password is an implementation of the same idea which takes care of all the flaws.
In my opinion, what you need from a password manager is:
- The output passwords need to be strong against attacks and the solution needs to be strong against attacks.
- You need to be able to trust the algorithm and the implementation that implements it, and any involved parties.
- Being safe from loss is just as important. If you can get locked out of everything the day your apartment catches fire, it sucks.
- It needs to be sufficiently easy to use so that I won't get lazy and skip it.Doing 10 MD5's (SuperGenPass) offers NO strength against attacks on the solution at all. In fact, if I want all your passwords, all I need to do is make a website, get you to sign up with me, and brute-force your master password from the site password you gave me. A day's work, at most.
Master Password implements several techniques to solve all of the above security problems: http://masterpasswordapp.com/s...
-
Re:SuperGenPass
The idea is great, the implementation horrible.
Master Password is an implementation of the same idea which takes care of all the flaws.
In my opinion, what you need from a password manager is:
- The output passwords need to be strong against attacks and the solution needs to be strong against attacks.
- You need to be able to trust the algorithm and the implementation that implements it, and any involved parties.
- Being safe from loss is just as important. If you can get locked out of everything the day your apartment catches fire, it sucks.
- It needs to be sufficiently easy to use so that I won't get lazy and skip it.Doing 10 MD5's (SuperGenPass) offers NO strength against attacks on the solution at all. In fact, if I want all your passwords, all I need to do is make a website, get you to sign up with me, and brute-force your master password from the site password you gave me. A day's work, at most.
Master Password implements several techniques to solve all of the above security problems: http://masterpasswordapp.com/s...
-
Re:Good idea
This.
When all your online access depends on it, you can't have enough redundancy.
Security isn't just about secrecy. It's also about being safe from loss.
Which is exactly why I created Master Password (algorithm/app): The theory is that all your passwords should be stateless, not rely on any form of storage at all, be long to be secure against brute-force attacks, be irreversible, and even if you lose everything you own tomorrow, be recreatable purely from your own knowledge.
-
Re:because
It is my opinion that you cannot trust a human to make a good password.
You also cannot trust anything, a hard-disk, a notebook, a company(!) to store your passwords.
Which is why I use http://masterpasswordapp.com/ and I unlock it with a passphrase. The key elements here being: stateless, no storage, strong passwords.