

Show HN: I built a dead simple, secure password manager. - enoch_r
http://mawud.com

======
SHOwnsYou
I couldn't figure out what I was supposed to type in the result field. May not
be the standard ux though - I'm on a tablet.

~~~
enoch_r
Ah, thanks for pointing that out! The only things you need to input are the
service and passphrase--the result box is just for the output of the
generator.

Now that you've pointed this out, I'm doubting my sanity in making the, um,
output box an input... It should focus on the "service" input on page load,
but on a tablet that might not be obvious.

Anyway, I should replace that to avoid confusion. Thanks for checking it out!

------
pbaehr
If I may offer a simple UI suggestion: Make the result box read only. Combined
with the minimalist UI this makes it very confusing for first time
experimenters.

Also, I would suggest a submit button for clarity (and tablets).

~~~
enoch_r
Yeah, sounds like the UI is a problem for many, and I can see why. I was going
for something as minimalist as possible, but clearly I went too far. Thanks
for your suggestions!

------
danjaouen
Seems like this would result in many users using the same password for
particular services.

~~~
randren
Maybe I'm missing something. I don't see why the use of this service would
produce an increase in that phenomenon beyond what it is now. I tend to think
this would merely swap encrypted versions of commonly-used passwords for the
originals.

------
jrs235
Have you considered using BCrypt instead of SHA?

~~~
enoch_r
Definitely, but the CryptoJS library just seemed more mature than the
Javascript BCrypt library I found, so I decided to just repeatedly hash the
data to approximate BCrypt's work factor. Thanks!

~~~
cheald
One very large appeal of bcrypt is its memory usage characteristics. SHA1 is
easily done on GPUs, and can be massively parallel with very little work.
Simply rehashing doesn't adequately replicate the barriers that bcrypt puts in
place to brute-forcing.

See: [http://crypto.stackexchange.com/questions/400/why-cant-one-i...](http://crypto.stackexchange.com/questions/400/why-cant-one-implement-bcrypt-in-cuda)
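
The contrast cheald draws above, as an added example (not code from mawud.com or SHA1_Pass): the "repeatedly hash with SHA-1" derivation the author describes beside a memory-hard derivation using Python's standard-library hashlib.scrypt, which stands in for bcrypt's memory cost since bcrypt is not in the standard library. Service names and passphrases are constructed sample inputs.

```python
"""Deterministic per-site password derivation: iterated SHA-1 vs. memory-hard KDF.

Added example, not the mawud.com or SHA1_Pass code. scrypt is used as a
stand-in for bcrypt's memory-cost property; all inputs are constructed.
"""
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits  # 62 printable characters


def _encode(digest: bytes, length: int = 16) -> str:
    """Map raw digest bytes onto a printable password.

    256 % 62 != 0, so the first 8 alphabet characters are slightly more
    likely; acceptable for this illustration, not for a production scheme."""
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def derive_iterated_sha1(service: str, passphrase: str, rounds: int = 10_000) -> str:
    """Iterated SHA-1, the approach the author says approximates bcrypt.

    Each round needs only a few dozen bytes of state, so every guess can run
    on a GPU core with no memory pressure; raising `rounds` only scales the
    attacker's cost linearly, and the same factor hits the legitimate user."""
    digest = (service + ":" + passphrase).encode()
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return _encode(digest)


def derive_memory_hard(service: str, passphrase: str, log2_n: int = 14) -> str:
    """Memory-hard derivation with scrypt (hashlib, OpenSSL-backed).

    With n=2**14 and r=8 each guess needs roughly 128*r*n bytes (16 MiB) of
    working memory, which is the barrier to cheap GPU parallelism that the
    comment above describes and that iterated SHA-1 lacks."""
    digest = hashlib.scrypt(
        passphrase.encode(),
        salt=service.encode(),  # the service name acts as the per-site salt
        n=2 ** log2_n, r=8, p=1, dklen=32,
    )
    return _encode(digest)


if __name__ == "__main__":
    # Constructed inputs: same passphrase on two services gives two
    # different passwords, but anyone holding the passphrase gets both.
    for site in ("mail.example", "bank.example"):
        print(site, derive_iterated_sha1(site, "correct horse"),
              derive_memory_hard(site, "correct horse"))
```

Note that both functions are deterministic and unsalted beyond the service name, which is the property behind the "same password for particular services" concern raised elsewhere in this thread: one leaked passphrase unlocks every derived password.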

~~~
enoch_r
Thank you for that fascinating link. I've never understood why, if bcrypt is
good because it's slow, a similarly slow implementation of SHA wouldn't be
just as effective. Now I do. Really appreciate it!

------
marshallford
How and why this is secure blows my mind. Should I stop using keepass?

------
webwanderings
How do I run this locally?

~~~
16s
There are several local apps that have done this for a long time. I wrote and
use SHA1_Pass. It has local clients for Mac, Linux and Windows and a
JavaScript version that can run locally on mobile devices.
<http://16s.us/sha1_pass/>

~~~
webwanderings
I was wondering about the password change scenario and the FAQ at your link
gives some clue. So basically, if you are using this scheme/tool for your
passwords then you are basically remembering the changing words (bills1,
bills2 etc). This isn't really any different than remembering your passwords
(if you are into making password strings of your own).

I guess a local password manager is good enough repository for passwords as it
also lets you generate passwords.

------
randren
Great idea, confusing UI.

