
Show HN: NilPass, the only password manager that's truly impenetrable - spb
https://nilpass.com/
======
spb
While I first wrote an article about the absurdities of information security
[in 2011][1], this specific extension is an idea I've had since [June 2015][2]
- due to the absurd nature of the idea, I wanted to launch it on April Fools'
Day, but that ended up causing it to be [dismissed as a joke out of hand
altogether][3], so I figured I'd wait a day before posting it to Hacker News.

While the premise of the extension sounds like a joke, it's legitimately a
good idea, and [one others have had independent of this][4]. I explain some of
the thoughts and motivations behind NilPass's design here:
[https://nilpass.com/seriously/](https://nilpass.com/seriously/)

[1]: [http://www.cracked.com/article_18962_5-things-we-all-do-
that...](http://www.cracked.com/article_18962_5-things-we-all-do-that-make-
hackers-lives-incredibly-easy.html)

[2]: [https://github.com/nilpass/nilpass-
branding/commit/6090b5cc9...](https://github.com/nilpass/nilpass-
branding/commit/6090b5cc972378832799d1c2a13ee8b12db88ca7)

[3]:
[https://www.reddit.com/r/netsec/comments/62sgrp/presenting_n...](https://www.reddit.com/r/netsec/comments/62sgrp/presenting_nilpass_the_only_password_manager/dfova33/)

[4]: [https://rempel.world/passwordless-
method.html](https://rempel.world/passwordless-method.html)

------
tscs37
I see an incredible weakpoint: Your email account becomes your only defense,
meaning the password on it must be strong and you still need to remember it.
And you need 2FA.

Not that this is not the case already, email accounts are already important.

~~~
timvdalen
I think the most important point of this 'thought experiment' is that it
reveals that email accounts are already your only defense.

Even if you use a different strong password for all sites, if a site offers a
password forgot function your email account is still the weakest link.

------
jszymborski
Password managers are already a barrier. Forgotten Password flow via email is
an embarrassingly shitty UX and similarly shitty security protocol.

I wouldn't try to encourage the broken "Forgotten Password" protocol... it's
usually the softest target of authenticating on the web.

