
Show HN: NoKey, a Distributed Password Manager Without a Master Password - Zinggi
https://github.com/Zinggi/NoKey
======
Zinggi
Hi all!

This is my first time posting something to HN, so please be kind.

I wanted to show what I’ve been working on for the last 6 months:

NoKey, a password manager without a master password. Instead, you can unlock
your passwords by confirming from another device. E.g. if you need a password
on your PC, you only have to confirm this on your phone. No need to remember
any passwords!

The vast majority of the code is written in Elm and it’s fully open source.

There is a browser extension for Chrome and Firefox and an Android app. The
application is only useful with at least two devices, so to really test it
out, you’ll have to install it on two devices. There is no iOS version and the
web app doesn’t work on Safari either (it's missing some stuff from the Web
Crypto API), sorry!

Any feedback or questions are greatly appreciated!

~~~
qz3
I love the idea, and I think it's pretty smart. When I'm doing work on my
laptop, I always have my phone nearby. I think it's unlikely that both of them
are compromised or stolen simultaneously.

Also, the Android app requires no device permissions, haven't seen that in a
while.

~~~
Zinggi
> the Android app requires no device permissions

That's not true, it just uses the new way to ask for permissions. E.g. when
you want to scan a QR code it requires the camera permission. But it only asks
at that moment, not upfront as older Android apps used to do.

------
e_carra
This is a great idea and a great example of a distributed "consumer" app.

------
darkstar999
I like the Correct Horse Battery Staple approach to the pairing mechanism ;-)

~~~
Zinggi
Thanks. I was always wondering why others don't do this more often. I find it
much easier to remember and type in a few words compared to a long number.

------
4684499
Even though it's different, in terms of usage I think it's like a
decentralized 2FA (or MFA) solution?

~~~
Zinggi
Yep, from a user perspective it definitely looks like 2FA.

In terms of technology it's of course completely different.

------
sushant20
Seems like a good idea. What happens when I lose both my devices?

~~~
Zinggi
You lose access to your passwords, that's the consequence of that approach.

That's why it's a very good idea to pair as many devices as you can, e.g. an
old phone, your work PC, etc.

This way you're pretty safe from any loss.

In general, if you save your passwords with security level N (meaning you need
N devices to unlock), if you lose all but N-1 devices, you lose access. You
can also add a "key box", which gives you one more "device", but requires you
to remember a password.

~~~
craftyguy
> That's why it's a very good idea to pair as many devices as you can

Doesn't this increase your attack surface greatly though? The more devices you
have this on, the greater chances that one or more of them could be
compromised and used to access your passwords. Since there's no master key,
one has to only compromise the OS to get at everything. Given that so many
devices do not receive regular security updates, this seems like it would be a
concern.

~~~
Zinggi
> Doesn't this increase your attack surface greatly though?

That's true. I suppose it's a trade off between protection against lost vs.
smaller attack surface.

> Since there's no master key, one has to only compromise the OS to get at
> everything

That's wrong, compromising one device doesn't give an attacker anything
useful. Only if two or more devices have been compromised can passwords be
decrypted. But in any case, I think if your device is compromised you might be
in bigger trouble anyway. E.g. if an attacker controls your device,
ransomware might be easier and more lucrative to them than going after more
devices to hunt for passwords.
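
The two claims above, "security level N means you need N devices to unlock
(and lose access when only N-1 are left)" and "compromising one device gives
the attacker nothing useful", are both properties of a threshold secret-sharing
scheme. The block below is an added example, not NoKey's code: the thread does
not say which construction NoKey uses, so it assumes Shamir secret sharing over
a prime field purely as an illustration, and it models the "key box" as one
extra share masked with a password-derived key (also an assumption). Device
names, the password and the threshold are constructed for the demo.

```python
"""Threshold unlocking with Shamir secret sharing (illustration only, not
NoKey's construction). The vault key is split into one share per paired
device; any `threshold` shares recover it, fewer reveal nothing. The
"key box" is modelled as one extra share masked by a password-derived key.
All names and values are constructed for the demo."""
import hashlib
import secrets

PRIME = (1 << 127) - 1  # Mersenne prime; all share arithmetic is mod PRIME
KDF_ITERS = 200_000     # PBKDF2-SHA256 work factor for the key box mask


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares):
    """Points (x, y) of a random degree threshold-1 polynomial whose constant
    term is the secret. Each point is the share one device holds."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def interpolate(points, at=0):
    """Lagrange interpolation: value at `at` of the polynomial through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def unlock(shares, threshold):
    """Recover the vault key only when at least `threshold` shares are present.
    With fewer the honest answer is 'no information', so return None."""
    if len(shares) < threshold:
        return None
    return interpolate(shares[:threshold])


def equally_plausible(partial_shares, candidate, threshold):
    """Given only threshold-1 shares, return the share a missing device would
    hold if the real secret were `candidate`. Every candidate yields a valid
    share, which is why N-1 compromised devices learn nothing about the key."""
    if len(partial_shares) != threshold - 1:
        raise ValueError("need exactly threshold-1 shares")
    missing_x = max(x for x, _ in partial_shares) + 1
    return (missing_x, interpolate([(0, candidate)] + list(partial_shares), missing_x))


def _mask(password, salt):
    return int.from_bytes(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS, 16), "big")


def lock_key_box(share, password, salt=None):
    """Password-protect one share: XOR its y value with a 128-bit mask derived
    from the password. A one-time mask is fine since each box holds one value."""
    salt = salt or secrets.token_bytes(16)
    x, y = share
    return {"x": x, "masked_y": y ^ _mask(password, salt), "salt": salt}


def open_key_box(box, password):
    """Undo lock_key_box. A wrong password yields a garbage share: the
    threshold still holds, and nothing tells the attacker which it was."""
    return (box["x"], box["masked_y"] ^ _mask(password, box["salt"]))


def demo():
    """Constructed scenario: four devices plus a key box, security level N=3."""
    vault_key = secrets.randbelow(PRIME)
    threshold, devices = 3, ["phone", "laptop", "old-phone", "work-pc"]
    shares = split_secret(vault_key, threshold, len(devices) + 1)
    held = dict(zip(devices, shares[:-1]))
    box = lock_key_box(shares[-1], "correct horse battery staple")
    two = [held["phone"], held["laptop"]]
    r = {}
    r["three_devices"] = unlock(two + [held["old-phone"]], threshold) == vault_key
    r["two_devices"] = unlock(two, threshold)               # lost all but N-1
    r["two_plus_box"] = unlock(two + [open_key_box(box, "correct horse battery staple")], threshold) == vault_key
    r["two_plus_wrong_box"] = unlock(two + [open_key_box(box, "Tr0ub4dor&3")], threshold) == vault_key
    fake = equally_plausible(two, 12345, threshold)        # attacker's guess
    r["attacker_guess_consistent"] = unlock(two + [fake], threshold) == 12345
    return r


if __name__ == "__main__":
    print(demo())
```

The trade-off craftyguy raises falls out of the same arithmetic: every extra
paired device is one more share that can be lost or stolen, so raising the
number of devices without raising the threshold lowers the bar for an attacker
who compromises any N of them, while raising the threshold makes loss of
access more likely.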

~~~
craftyguy
> That's wrong, compromising one device doesn't give an attacker anything
> useful

Yeah, I understand that, but by having a large number of devices with this on
it, you increase the chances that any two of them could be compromised. That
was my point, I just didn't articulate it well enough.

~~~
smittywerben
Does anyone use a password manager for critical accounts?

I use them to generate random passwords for sites like yahoo or neopets (or
whatever).

~~~
jsjohnst
My GitHub.com password is >100 characters long and I deem it a critical
account (hence the password length), so yes, I do use a password manager for
it.

