
Show HN: Password Chef – Create a recipe for your passwords - robertmerrill
http://passwordchef.co
======
chillacy
Before switching to a standard password manager I used to use the algorithmic
equivalent of this: I used supergenpass which took the domain name and a
master password and hashed them (probably HMAC'd) so that I could have the
password be strong but not stored.

Ultimately though what got in the way were obscure password requirements of
some websites (especially banks). Some banks required a "special character"
that wasn't in the hash's output, other sites thought 16 characters was too
long for a password, other sites didn't like some of the non-alphanumeric
characters (no joke).

As the exceptions started piling up I started having to do lots of password
resets on these usual suspects before giving up this scheme and moving to a
traditional password manager (1password).

Just thought I'd share my experience with this sort of thing.
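
Added example, not part of the thread and not the algorithm of SuperGenPass or Password Chef: a minimal deterministic generator of the kind the comment above describes, showing how site rules (length caps, restricted symbols, forced rotation) turn into per-site state. The PBKDF2/SHAKE construction, the function names and the `.example` domains are assumptions made for illustration.

```python
import hashlib
import string

def _pick(stream, n):
    """Unbiased index in range(n): reject bytes that would skew the modulo."""
    limit = 256 - 256 % n
    for b in stream:
        if b < limit:
            return b % n
    raise RuntimeError("byte stream exhausted")

def derive_password(master, domain, length=16, specials="!@#$%&*", counter=0):
    """Recompute a site password from the master secret; nothing is stored."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if specials:
        classes.append(specials)
    if length < len(classes):
        raise ValueError("length cannot cover every required character class")
    # Assumed construction: PBKDF2 slows guessing of the master password from
    # one leaked site password; domain and counter act as the salt.
    salt = f"{domain.lower()}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    stream = iter(hashlib.shake_256(key).digest(1024))  # expand key to a byte stream
    alphabet = "".join(classes)
    chars = [c[_pick(stream, len(c))] for c in classes]  # one char per class
    chars += [alphabet[_pick(stream, len(alphabet))]
              for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates, driven by the stream
        j = _pick(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

# Constructed per-site exceptions of the kind the thread describes. This table
# is the state a "stateless" scheme ends up having to carry around.
SITE_POLICY = {
    "bank.example": {"length": 8, "specials": ""},    # short, alphanumeric only
    "shop.example": {"specials": "&"},                # only '&' accepted
    "rotate.example": {"counter": 3},                 # forced change: bump counter
}

def password_for(master, domain):
    return derive_password(master, domain, **SITE_POLICY.get(domain.lower(), {}))

if __name__ == "__main__":
    for site in ("forum.example", *SITE_POLICY):
        print(f"{site:16} {password_for('constructed master phrase', site)}")
```

Losing the policy table (or forgetting a rotation counter) makes the affected passwords unrecoverable even with the correct master password.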

~~~
timwinfree
Great thoughts. You've highlighted some of our hurdles. I helped develop the
app with Robert.

There does seem to be a trend to make passwords less restrictive (or at least
longer). For example, Schwab just removed their ridiculous 8-character
restriction this summer. Hopefully that continues.

In the meantime, we address that issue a few ways: 1) we have a report card
that you can check while writing a recipe that guides you toward producing
more universally accepted passwords 2) if you find a password still doesn't
work for a particular site, you can affix a "note" to that recipe so you can
record the adaptation (e.g. "change $ to &")

I use Password Chef for everything, and have surprisingly few
notes. So few, in fact, that I have memorized the adaptation I need to make
for most of them.

Thanks so much for the comment!

~~~
chillacy
Ah good that you've thought of this too. Seems like you guys already have some
good workarounds.

------
avitzurel
Few things:

1. I initially thought this is chef.io recipes, but this is actually
different.

2. This is a great idea, I've been personally using a password recipe for a
long time now, this is a great way to only remember one thing but still have
different passwords all over the place.

3. I would also create a Chrome/FF extension, this will be much easier for
most people to use. I really hate taking out my phone every time I need
something like this, this is why I hate 2 factor authentication.

4. The information above the fold is not enough to understand the solution
without watching the video, most people will exit at this point IMHO.

Good luck with this!

~~~
robertmerrill
Thanks for checking it out. An extension would be helpful and I can see us
working on that in the future. I see what you mean about the information being
below the fold. We'll work on that.

~~~
rajington
also work on giving the chef a name please

but seriously, the problem that comes to mind is the crazy complexity
requirements that some sites have (must have special chars) but other sites
restrict (no special chars). i honestly can't think of a good solution to that
though, i always wanted to make a collaborative database of password
complexity for various sites

~~~
robertmerrill
Ha. We'll take name suggestions if you've got some!

To work around this you can have a second recipe called "no special
characters" or if it's something as simple as needing to shorten it to 8
characters, you can add a note to your primary recipe within the app about the
troublesome sites. By default the app walks you through designing a recipe
that produces strong passwords while meeting the most common requirements.

------
conradk
This looks interesting.

How do you store the password recipes? On disk? Are they encrypted? If so,
how?

------
guidorossi
What should be the correct approach using this for the sites (mostly banks)
that require a password change every 30 days or so... In a moment you will have
a lot of recipes depending on the period of the requirement...

------
Rainymood
Just a question: what if you want to log in at a friend's house for example?
Do you have to remember the encrypted password or do you just open the app
with a master password? Could you please elaborate some?

~~~
robertmerrill
Once you have designed a recipe, you can reference it in the app which will
provide your passwords as needed but the idea is that as you become familiar
with your recipe, you'll be able to recall passwords on the fly without
checking the app. You can set a passcode to open the app but none of your
passwords are saved in there, only a recipe (or recipes).

