
Show HN: DerivePass – Password Manager that doesn't store passwords in the cloud - indutny
https://derivepass.com/
======
charlieegan3
I'd always viewed password tools like this as less secure than 1Password etc.

With 1Password an attacker needs my encrypted vault and my master password to
get my email password.

With this, they just need the master password (since they can guess the domain
and revision number presumably?)

~~~
indutny
That's true, and should be viewed as a possible risk. However, there is still
more implicit trust in 1Password and similar companies that is often not
mentioned:

* They run a mostly closed-source system. Thus one has no idea what happens on the backend, and what data is actually sent.

* The encrypted vault already belongs to them. In fact, all encrypted vaults live in the same place, which makes it very attractive for hacker attacks.

So effectively, leaking the Master Password for 1Password might have just as bad
an effect as leaking it for DerivePass, depending on how much you trust both
entities.

