
Password Live - DatastreamRider
http://passwordlive.github.io
======
mingabunga
Nice one. I always found password managers a bit annoying to use, so this is a
great alternative

~~~
thirsteh
The idea is admirable, but it's a really bad alternative to having unique,
random passwords for each site. With this, it's trivial to recover all other
passwords if you know just one of them.

~~~
aba_sababa
As opposed to a password manager, where it's trivial to know every password
within if you know the master password?

~~~
thirsteh
Well, the difference is that if I compromise any of the sites you use, I now
know all your passwords. If I compromise any of the sites you use when you use
a password manager properly, I'll only know one password that'll be fairly
useless to me.

~~~
aba_sababa
Compromising one of these passwords does not at all mean that all the other
passwords are compromised. You can't figure out the original master password
from a hashed, compromised password.

~~~
thirsteh
Yes, you can. To understand why, compare:

This:

      'facebook' + 'mypassword'
      'twitter' + 'mypassword'
      'foursquare' + 'mypassword'

Password manager with unique passwords:

      'mSX32ZyKZXptY3E'
      '33RiKbc3n6sA6IY'
      '4kGzFtWDd0rnti6'

All I have to do is figure out what you named the site that I compromised,
then do exactly what I'd usually do to recover your password, and, voila, I
can now access all sites you use it for. Compare this to the password manager
example where each password has been generated at random--one password
communicates no information whatsoever about the other.

~~~
aba_sababa
Ok, so you know that "facebook" is part of the original hash. Not following
how you can also derive "mypassword" from it. If you have a good strong master
password, rainbow tables won't be able to crack the hash.
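
The disagreement in this thread, worked through as an added example that is not part of any comment and is not Password Live's own code: a derived password lets anyone holding it check guesses at the master offline, while randomly generated passwords share nothing with each other. The derivation (truncated SHA-256 of site name plus master), the candidate list and the function names are assumptions made for illustration, and the site label is assumed to be known.

```python
import hashlib
import secrets
import string

# Constructed sample data; 'mypassword' and the site names come from the thread.
SITES = ["facebook", "twitter", "foursquare"]
CANDIDATES = ["123456", "letmein", "mypassword"]  # constructed guess list


def derive(site: str, master: str) -> str:
    """Assumed scheme: hex SHA-256 of site + master, truncated to 16 chars."""
    return hashlib.sha256((site + master).encode()).hexdigest()[:16]


def random_password(length: int = 15) -> str:
    """Password-manager style: independent random value per site."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def master_consistent_with(leaked: str, site: str, candidates):
    """Return the candidate master that reproduces the leaked value, else None.

    The leaked derived password acts as a verifier: each guess can be
    checked offline with one hash, with no contact with any site.
    """
    for guess in candidates:
        if derive(site, guess) == leaked:
            return guess
    return None


def exposure(master: str, breached_site: str, candidates) -> dict:
    """Other sites' passwords that follow from one breached derived password."""
    leaked = derive(breached_site, master)
    found = master_consistent_with(leaked, breached_site, candidates)
    if found is None:
        return {}  # master not in the guess list: nothing else is exposed
    return {s: derive(s, found) for s in SITES if s != breached_site}


if __name__ == "__main__":
    print("guessable master:", exposure("mypassword", "facebook", CANDIDATES))
    strong = secrets.token_urlsafe(24)  # high-entropy master, not in any list
    print("high-entropy master:", exposure(strong, "facebook", CANDIDATES))
    print("random per-site:", {s: random_password() for s in SITES})
```

With the deterministic scheme, everything rests on the master being infeasible to guess; with random per-site passwords there is no master to test against a leaked value.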

