

Ask HN: Are you sure your password is not stolen? - k0ban

I am looking to start a product around password storage.

I have a few questions to better understand whether there is a real demand for such a product. Thank you in advance.

1. Do you feel safe entering your login/password to your bank or your critical resources (facebook, twitter etc)?

2. Are you concerned that malware could steal your password, even if anti-virus is installed?

3. Do you use any password storage software: 1password (Mac), Roboform?

4. Will you buy a service that will _guarantee_ your login/password is not stolen or compromised? How much would you pay?

5. Could you share any additional features that you are missing in current products?
======
chaosprophet
And how do you intend to find out if it is stolen or not? Besides, if you want
me to give you my banking passwords, telling me 'hey there, I'm pretty sure
your passwords won't be stolen, but if they are we'll let you know' ain't
really comforting.

Rather than giving you my passwords and waiting anxiously for that fateful
email saying 'Your passwords have been compromised', wouldn't I be better off
just not giving them to you?

Also, how do you guarantee that they won't be compromised? If you have really
cracked this, then I think you're sitting on a fairly big pot of money.

~~~
k0ban
Unfortunately I can't share details at the moment.

But one thing I could share - we won't require your passwords, it is just
totally wrong from security perspective :)

------
Saavedro
Say I compromised a website that was storing passwords in the clear. There
should be no way whatsoever for you to know I've done this, or even that I've
-used- this password. What, if any, advantage would you have over a password
manager storing single-use passwords? A very good web implementation of this,
with client-side encryption so that the service has no access to your actual
passwords, is clipperz.com. Do you believe you can offer me something better?
As someone who spends a lot of time studying security, I think you've made
some extraordinary claims.

~~~
k0ban
Sure, if the site is compromised then there is nothing you could know. But this
is kind of unlikely in the case of major players like banks.

A zero-knowledge web app is a nice theoretical approach, but I don't see a way
it will be adopted anytime soon.

As to my claims, I will post the application when it is ready, and we can
discuss attacks against it. It will be quite different from clipperz etc.

------
spooneybarger
1. reasonably 2. no 3. yes, 1 password 4. guarantee? as in if it is stolen
or compromised, you pay X amount? if yes, how much i would pay would be based
on how much you pay out as really, you are just selling insurance.

~~~
k0ban
Thanks.

The product is not about insurance; the product is exactly about the fact that
the password is not stolen.

When it is stolen you will know it right away, without any probability factor;
it will be a 100% fact.

~~~
spooneybarger
how?

