
A Password Manager That Doesn't Store Passwords - libeclipse
http://libeclipse.me/visionary/
======
CogDisco
I think it's more a password manager that doesn't _manage_ passwords.

You can't set an expiry date on a password. You can't change a password if
it's compromised. You don't know when a master password was created so you can
change it. If you change your master password you have to change every
password you care about. You can't introduce new entropy. You have to manually
specify a keyword scheme (and presumably store it yourself). You can't store
metadata in case the website decides it's changed from usernames to email
addresses and you've forgotten which one you used for what. You can't change
the master password independently of the individual passwords.

In actual password management, this program makes you specify, store and
organize it all yourself. And without significantly more security than a
traditional password manager like KeePass.

It seems a bit cocky to call it "Visionary".

~~~
kichik
And it can't accommodate websites having weird password requirements. Some
websites require symbols and some have maximum number of characters. Fixing
this would probably require special characters in the keyword which would
force you to remember the website's original password requirements on top of
the keyword itself.

~~~
yoha
Very good point! Since some websites still require PIN codes (passwords made
of digits), you would have to restrict yourself to something like an 8-digit-long
password, which is not very secure, even with a slow hash (scrypt iteration).

------
js2
This password manager is:

    # scrypt here is pyscrypt's hash function (API linked below);
    # .encode('hex') on the result is Python 2 only.
    scrypt(
        password=master_password,
        salt=keyword,
        r=1, p=1, N=2048, dkLen=32
    ).encode('hex')[:password_len]

[https://github.com/libeclipse/visionary/blob/8c5f6e1c/vision...](https://github.com/libeclipse/visionary/blob/8c5f6e1c/visionarypm/__init__.py#L10)

[https://github.com/ricmoo/pyscrypt#api](https://github.com/ricmoo/pyscrypt#api)

[http://www.tarsnap.com/scrypt.html](http://www.tarsnap.com/scrypt.html)

------
StavrosK
I've used this kind of thing (supergenpass) for years, but in the end the
inflexibility got me. A word to the wise: Just use KeePass2. It's a fantastic
piece of software, works with Chrome/Firefox (with extensions), has
KeePass2Android, a fantastic Android app, and is completely free. Just do
yourself a favor.

~~~
_Understated_
Been a huge fan of KeePass for years and recommend it to anyone that listens.

I created EnterPass ([https://enterpass.co](https://enterpass.co)) based on
the flexibility, simplicity and security of KeePass.

It's for companies to manage passwords across teams and want to keep the
passwords stored inside their own networks... not on the cloud. Oh, and you
don't need to remember a master password to use it as it uses Active Directory
for permissions.

KeePass has been a huge influence.

~~~
Roritharr
I can see why you are being downvoted, but this is a huge problem so many
organizations face that I'm getting mad that there's no "just use x" solution
when you need KeePass for organizations, with sharing, access groups etc.

Not everything can be handled by attaching LDAP.

~~~
_Understated_
Agreed, hence the reason I built my own. But as for LDAP, it's used for access
to a gazillion things in the network already (file shares, applications,
internet access and so on), so surely using it to authorise access to one more
resource, passwords in this case, makes sense.

Active Directory makes it easy to authorize/authenticate so surely that would
be a good thing.

~~~
Roritharr
Oh sorry, I didn't mean to say that attaching it is wrong, I meant that you
can't attach it to every piece of software/web app, which would indeed be nice.

Logging into the company bank account with LDAP would be nice.

~~~
_Understated_
Ah, that makes sense :)

------
ketralnis
> 1. Your passwords are generated on-the-fly based on a pure algorithm

> 2. Nothing is stored so there's nothing to steal

[...]

> 4. No need to sync data, as there's nothing to sync!

If there's only one possible password for a given website, and every password
is stateless, how do you change the password if it's compromised?

~~~
pstrateman
Even worse, how do you handle sites that restrict valid passwords?

~~~
duaneb
Yeah, that makes this approach useless.

------
winstonewert
This strikes me as less secure than a password manager that stores passwords.
Here, if someone gets my master password all is lost. With stored passwords,
they'd have to get both my master password and the encrypted passwords.

~~~
dopu
> Here, if someone gets my master password all is lost.

Not true. They'd need to know your keywords, which don't necessarily have to
be "github" or "facebook" -- e.g., you could choose a consistent pattern,
yielding "git##hub" and "face##book".

~~~
winstonewert
OK, yes. They'd also have to figure out my keywords. Still less secure than
having to steal my encrypted passwords.

------
bascule
Deterministic password schemes seem to pop up pretty frequently. Here's one of
the most famous: [https://www.pwdhash.com/](https://www.pwdhash.com/)

~~~
curryhoward
A few others:

1) SuperGenPass - [http://www.supergenpass.com/](http://www.supergenpass.com/)

2) Vault -
[https://github.com/jcoglan/vault](https://github.com/jcoglan/vault)

3) Hashpass - [https://www.stephanboyer.com/post/101/hashpass-a-stateless-password-manager-for-chrome](https://www.stephanboyer.com/post/101/hashpass-a-stateless-password-manager-for-chrome)

(Disclaimer: I made #3)

One suggestion for improvement for the OP: make this a browser extension.
Probably more convenient than switching to a terminal whenever you want to log
into something.

------
janitor61
These types of deterministic password generators usually have an issue with
inflexibility - you can't change the generated password for a site without
modifying the input parameters.

I believe a good approach to this problem would be having some sort of online
Bloom filter API where you could submit a hash of your input parameters and
then query to see if the password has been "burnt". You'd be able to mark a
generated password as "discarded", at which point the input params would be
hashed using a different algorithm and added to the Bloom filter. Next time
you use the frontend, the frontend could perform the next iteration of
hashing if the result was found in the Bloom filter.

~~~
hamburglar
I have one of my own design where this problem is solved by just having a
"version" field in the hashed data. Bump it and the password changes, and you
still have the ability to retrieve old passwords. I have been waiting for one
of the good ones to incorporate this idea so I don't have to finish mine. ;)

Edit: and I might as well mention my other feature that I haven't seen
elsewhere, which is that the hashed data isn't used as the password directly,
but rather is input to a transformation function which can take into
consideration different password rules for different sites. This way if a site
has a dumb rule like no exclamation points or an 8 character limit, I can
still use my generator to manage the passwords, just with a lame final
transform that limits the password space in the appropriate way.
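
A Python sketch of the derivation js2 quotes above, extended with hamburglar's version field and final-transform ideas (which also address the rotation problem janitor61 raises) and with an entropy check for yoha's PIN case. This is an added example, not code from Visionary or from any commenter; the versioned salt layout, the alphabets and the sample inputs are assumptions.

```python
import hashlib
import math
import string

# scrypt parameters as quoted in the thread (r=1, p=1, N=2048, dkLen=32).
SCRYPT_KW = dict(n=2048, r=1, p=1, dklen=32)


def visionary_password(master: str, keyword: str, length: int = 32) -> str:
    """The derivation js2 quotes: scrypt(master, salt=keyword), hex, truncated.
    The output alphabet is 0-9a-f, so each character carries only 4 bits."""
    dk = hashlib.scrypt(master.encode(), salt=keyword.encode(), **SCRYPT_KW)
    return dk.hex()[:length]


def derive_key(master: str, keyword: str, version: int = 1) -> bytes:
    """hamburglar's version field: fold a counter into the salt so bumping it
    rotates one site's password while older versions stay recoverable.
    The salt layout (keyword, NUL, decimal version) is an assumption here."""
    salt = f"{keyword}\x00{version}".encode()
    return hashlib.scrypt(master.encode(), salt=salt, **SCRYPT_KW)


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Search space of a derived password in bits (yoha's 8-digit PIN case)."""
    return length * math.log2(alphabet_size)


def transform(dk: bytes, length: int, alphabet: str) -> str:
    """hamburglar's final transform: map the derived key onto a site-specific
    alphabet and length instead of using the hex digest directly. The key is
    read as one big integer and written in base len(alphabet), which keeps
    the characters close to uniform; lengths the key cannot cover are refused."""
    base = len(alphabet)
    if bits_of_entropy(length, base) > 8 * len(dk):
        raise ValueError("requested password needs more bits than the derived key")
    n = int.from_bytes(dk, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, base)
        out.append(alphabet[idx])
    return "".join(out)


def site_password(master: str, keyword: str, version: int = 1, length: int = 20,
                  alphabet: str = string.ascii_letters + string.digits) -> str:
    """Versioned key plus site-rule transform, e.g. an 8-digit PIN for a bank."""
    return transform(derive_key(master, keyword, version), length, alphabet)
```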

------
yifanlu
In terms of security, this doesn't improve anything (all security hinges on
the master password). In terms of flexibility, this is a lot worse than a
secure password manager.

------
paulddraper
"Deterministic password generator" is perhaps the better title.

------
xvolter
I've seen many implementations of this exact thing, the basic ones are just
sha1 or sha2(master + website domain) which generates a unique "password" for
each site. This is just another implementation of the same idea. I've seen a
few releases of simple scripts that do this for you as well, some work as
bookmarklets, browser extensions, or single-page app websites.

Visionary being a Python script I think makes it less portable, harder to use
for average users, and definitely not mobile-device friendly.

------
zwass
Can anyone comment as to how this differs from something like
[http://passwordmaker.org](http://passwordmaker.org)? I've used that for quite
a while, but it seems to have little support these days and I would consider
moving on.

------
viralpoetry
I have published an experimental Chrome extension which derives a password from
the URL, salt, and passphrase on the fly:

[https://chrome.google.com/webstore/detail/alzheimer-password-genera/emclcafdgdeodlhpenmejdapecfgenof](https://chrome.google.com/webstore/detail/alzheimer-password-genera/emclcafdgdeodlhpenmejdapecfgenof)

Source code & threat model: [https://github.com/viralpoetry/password-generator](https://github.com/viralpoetry/password-generator)

------
luke-stanley
I made something similar, but with the advantage of easy typing on mobile:
[https://github.com/lukestanley/mobileFriendlyMasterPass/](https://github.com/lukestanley/mobileFriendlyMasterPass/)

It has an Android, Python and JS implementation.

Related: [http://masterpasswordapp.com](http://masterpasswordapp.com) doesn't
have easy typing but is more popular.

------
rkeene2
WebPass ( [https://webpass.rkeene.org/](https://webpass.rkeene.org/) ) does a
very similar thing.

------
denoyse
Same concept as [http://masterpasswordapp.com/](http://masterpasswordapp.com/)?

------
aldanor
Not a single objective reason to switch from e.g. 1Password.

------
TsomArp
I use PasswordMaker.org. Sadly it stopped being updated.

------
daveguy
passpack.com is what I use. Easy to access and secure. I just wish they had a
TOTP two-part auth instead of YubiKey.

