

We're releasing a password management service. We'd love your input. - lighthazard
https://www.passwords.cc/

======
us
How does this compare to a service like 1Password? While I get the convenience
of having access to it anywhere on any machine since it seems like it's web
based, I'm not a huge fan of web-based password storage. Most people would not
trust you to store their passwords. Some will, but there will be a huge number
of skeptics.

I like services on my local machine. While it is true I can't access all my
passwords when I'm not on my main device, two things come to my mind right
away:

1. I rarely if ever use any other machines. When I do, I easily memorize my
passwords for common things I like to check. Usually these days I check them
on my smartphone.

2. There are ways to get 1Password to work with Dropbox, which in turn allows
me to replicate what you guys are doing without having to exclusively use an
online service.

Having said that, I believe you can still garner userbase, but my original
question stands, what added benefit do you guys offer?

PS Site design is a bit hideous, a change may help.

~~~
lighthazard
Unlike the Dropbox method you mentioned, Passwords.cc encrypts the data. Last
I checked, Dropbox does not encrypt users' files, but I may be wrong (I am an
avid user of Dropbox myself). The benefit to Passwords.cc over 1Password is
mainly sharing - we created a system that is best used between people, whether
it be a married couple or a group of developers. We plan on adding browser
support (plugins and extensions) and a desktop app.

Thanks for the input on the site design; we will work on it, but we spent
more time on the UI after you log in.

~~~
us
Dropbox possibly doesn't encrypt users' data, but 1Password does. You already
have to have two layers of passwords to even get to the encrypted list of
passwords stored beforehand.

On the shared passwords, I haven't found much use for that ever. Generally
speaking, I would just have people create their own accounts or some services
allow for sub-user accounts. I can't imagine many use cases having to give
someone your password, and I'd imagine that the use of the service is
focused on the primary user so whoever they choose to share their password
with will have to find their own way to remember the password.

On the note regarding the plugin support, that still doesn't change its web
base. As for the desktop app, unless it's a true local-machine service, if you're
calling back to a server somewhere, it doesn't change the security issues
raised in my original post or that of others here.

~~~
lighthazard
I never thought about using 1Password with Dropbox, but would you be able to
install Dropbox on all computers, as opposed to a web-based alternative?

Sharing passwords is quite important in the development world. When a client
gives a company their authentication credentials, it is imperative to keep the
data secure while still sharing it with all the developers. The benefit to
Passwords.cc with sharing is that the other people who don't have accounts can
still view shared passwords without ever registering.

The desktop app we plan on having will be a local system with option of
syncing online.

~~~
us
You can access the agile key via Dropbox's web login without having to install

------
Sidnicious
Is a browser extension (or something like it) in the cards? I love the idea,
but it is a dealbreaker to have to visit a website and do a copy-paste dance
to log into other websites.

Two quick usability thoughts:

- I love Apple's memorable password generator, which puts out passwords like
"chai680{Tanya", which are reasonably secure but easy to type and memorize. It
really sucks to type an average random password (from my phone) into a public
computer, and there's no chance I'll ever memorize it.

- I use the same naming convention for multiple accounts on the same website
("Website (Account)"). Could passwords.cc handle this automatically (show the
account name in a lighter shade next to the service name when multiple
accounts exist)?

~~~
lighthazard
Yes, a browser extension is being developed now. It appears that a lot of
people want browser extensions to really make Passwords.cc useful.

We like Apple's memorable password generator, I think we're going to implement
this in the near future.

The naming convention UI is a great idea! We will do that right now, it should
be updated in a little bit.

------
dantheta
What jurisdiction does the company/service/servers fall under? Although I'm
based in the UK (which is hardly a privacy haven), I'd be quite wary of
storing account data or anything on US-based servers, even though I'm not
remotely interesting to the US Govt.

Rsync.net offers storage in Switzerland for this sort of reason, although just
to be on the safe side I encrypt backup files for storage before uploading
anything.

I'm probably a little too paranoid for cloud-based password management, but it
might be an interesting consideration for people who are less paranoid but
still keen on privacy.

------
bdhe
You mention "military-grade AES". Are you referring to AES-256? These terms
are generally frowned upon (cf. <http://www.schneier.com/crypto-gram-9902.html#snakeoil>)

Also, you should be using a MAC rather than a checksum. Finally, you mention
using a random hash that links to the Wikipedia article on checksum. You are
better off using a Password-Based Key-Derivation Function (PBKDF2, if you're
using AES).

~~~
lighthazard
So we should just mention how strong it is and remove the term "military-grade
AES"? Sounds good.

Thanks for the advice on using MAC instead of a checksum, we're currently
using HMAC-SHA1.

Thanks for the terminology help, we will be using PBKDF2 now for our
encryption key.

Thank you!

------
abhigupta
I like this service. I have been thinking about doing something similar
myself. Though, I think it would have been better if it was marketed as a
secure place to store private information.

Also, it would be great if this service had its code audited on frequent basis
by a trusted 3rd party.

An iPhone app to sync my personal information locally would be awesome too.
This way I could access my information even if I am not in front of a computer
or don't have net access.

~~~
lighthazard
This definitely is a secure data storage system. We just liked the name
passwords.cc (carbon copy).

Do you have any third party that you'd trust? Our code is mostly in Javascript
so anyone can check it out.

We will be adding mobile phone apps soon.

------
pwg
Since I have no way to know what you do with what I give you, and no way to
verify how you store what I give you, other than "take my word for it", I
would never utilize your service.

~~~
lighthazard
The service is mostly Javascript. All code runs on the browser before being
sent to the server. The Javascript is viewable.

------
lighthazard
Currently, the service works best for Gecko and Webkit. IE does not work. Any
and all input is welcome, as well as any questions you may have.

