

Show HN: PW - Simple, secure & cross-platform password generator - simontabor
http://simontabor.com/labs/pw/

======
danpalmer
Looks interesting, but I might be missing something here: what actually is it?

Why does it need the service and a password? Isn't it generating a password?
And how is it cross-platform? It looks like it's web based.

~~~
simontabor
Probably didn't make it clear enough: it's repeatable, so you'd use Twitter as
the service and whatever password you usually use (master password); it'd come
back with a hash and you use that as your Twitter password. Whenever you need
your Twitter password, you repeat the process.

[https://github.com/simontabor/pw](https://github.com/simontabor/pw) - it's
got node-webkit, so there's a Mac app in that repo, and it should also work on
Windows + Linux nicely (this is simply to take it out of the browser, where
it's easy to lose tabs, and put it in a clean, small window).

~~~
danpalmer
It's a nice touch to provide a local application to run, as there is no way
people should be doing this in the browser. You might want to remove the
tracking from the local app though; even if it is for analytics purposes, I
don't want something that deals with passwords like this to be phoning home.

~~~
simontabor
I may do; it's not too difficult for people who care about it to just take it
out. I'd actually rather people take the code, remove tracking if they'd
like, edit colours/whatever and make it their own. It's more the concept that
I care about (never ever send your main password over the wire).

------
danpalmer
> echo "service-password" | openssl sha

This is a quick alternative that should work on Mac OS and Linux, and Windows
when openssl has been installed in a similar way.

------
ugexe
Making all the passwords the same length makes this essentially pointless.

~~~
simontabor
It's a repeatable SHA1 hash, what more do you want?

~~~
ugexe
I don't want everyone to know the length of my password that's for sure.

~~~
simontabor
Sounds like you've misunderstood the purpose of this.

I usually just use a single password across most services, so they _all_ know
your password, even if you trust them not to store it in plain text. It's
infinitely more secure to use something like PW, never entering your
main/master password into any other services, and then have a generated hash
that really means nothing to anyone (can't be decoded or anything stupid). The
length factor here makes very little difference, and only you need to know
that you use a 40-character password (yes, 40, which I bet is longer and more
secure than your current password(s)).

~~~
simontabor
Yes, but it's by far the lesser of two evils. You can easily take a substring
of the generated password.

How would you randomise the length of the password in a repeatable + secure
manner?

~~~
ugexe
There is nothing inherently secure with you hashing the password to be used as
a password. It uses a non-dictionary string and has a long (but static)
length, OK, but a random number of anything (characters, words, whatever) has
variable length.

There is a reason passwords like 'the old lemon man jumped high as a pokemon'
are getting more popular.

