
How I Manage My Passwords (Technical Version) - ecesena
https://hackernoon.com/how-i-manage-my-passwords-technical-version-8549dc1bde1e
======
Nomentatus
[https://hn.algolia.com/?query=deterministic%20password&sort=...](https://hn.algolia.com/?query=deterministic%20password&sort=byPopularity&prefix&page=0&dateRange=all&type=story)

~~~
ecesena
Thanks - I'm aware of them and have read most of them. There are details in the post and in
the comments on Medium.

------
m1keil
I think deterministic password managers are an interesting solution for a small
amount of secrets. But I don't think it scales out nicely. Quickly glancing at
my 1Password, I have over 200 saved logins. Some problems I see with your
approach to a large amount of logins:

1) I don't always remember the username. In most cases it's my email address.
But in some services I use a different email address. Some services (e.g.
Steam) do not allow you to change the original email address. Sometimes it's a
username instead of an email. Sometimes the services will generate the
username for you.

2) Password policies. Some of the websites have really ridiculous rules. What
do you do when the format of the generated password doesn't fit the policy?

3) Services change names and domains - companies re-brand, get sold or merge. Now
it's another piece of history you need to retrace from memory ("were they
called x-y.com or xy.net?") on first login.

4) Changing passwords is hard. If you share the counter across a group,
bouncing it requires changing the passwords everywhere (or starting to
remember different counters). You never know when you'll need to change a
password. It can be due to a security leak, or due to policy.

Not saying it cannot work of course, after all it works for you. But I don't
feel it would work for me.

~~~
ecesena
Sorry for the delay.

I think I agree with you when you say "interesting solution for a small amount
of secrets", but I don't really see the limitations that you point out.

Note that I'm not saying that you must remember all the info for all your 200
services, I don't for all my services. I say that you can remember, and in
fact I remember enough of them, especially the critical ones. I have all the
info written down, and I could store them publicly accessible because they
don't contain any sensitive information (except privacy, i.e. knowing that I
have an account on that service, but that's easy to fix/spoof).

I look at security in a really practical way. I'm traveling abroad and I lose
my phone. I need to access critical info, say my bank, or my phone company, or
just my email. I go to an internet cafe, and with my algo I'm good to go. I
probably don't need urgent/immediate access to my instagram account, but if
so, and if I don't remember some details, I can access my gmail (because of my
algo), and reset instagram's password -- which I'll restore when I'm back from
traveling.

I don't think I fully understand the points. 1-4) are all issues with
1Password as well, no? In fact we're also going to build apps/extensions so
you can manage all these things transparently/with ease. But still, even when
you don't have apps/extensions, you will always be able to recover your
passwords.

Specifically:

1) I agree, and you can have this info easily accessible because there's no
sensitive data. Also, I'm sure that actually you _do_ remember Steam's email
exactly because you tried to change it and you couldn't.

2) yes, and by design that's only in the formatting function. It's unrelated
if you get random or deterministically generated bits for your secret. Also,
in my experience, you can get out of it pretty easily because either special
chars are required (and "-" often counts), or you have silly restrictions (and
then you can just base64 encode, or keep it all lowercase).

3) it's the same as pinterest.com/pinterest.fr. As long as you remember (or
write down, or use an app) that getapp.io is now app.com, you can still use
getapp.io in the generation -- or you can change password if that really
bothers you. You have the same issue with 1Password, you have to tell the
manager to remember that you want to use the same credentials on a different
site.

4) the counter is per-service, not per-group. But I agree with you, mass
changing passwords is a pain. We're thinking about a good user experience to
"upgrade" your passwords, like keeping a completion list, or similar, to help
you in the process. This seems the same issue with 1Password though, if one of
your groups' pass is exposed.

Happy to discuss more, all very interesting points.

~~~
m1keil
From the points above only #3 affects traditional password managers as well.
PMs allow you to save multiple fields (including usernames), support any type
of password format you want (including configurable password generators) and
when password change is needed (either for website or master password) you
just need to change one password.

Re #2: what I was referring to is that you might end up having different
formatting functions for different sites (think about one that limits you to 8
characters for example - these still exist!!).

Re #3: that's true that you have similar problem with password managers. The
small difference is that I don't need to remember the exact characters. For
the pinterest example, I just need to search for "pinterest" and not be bothered
with the ".fr" and my password manager will be smart enough to find
"pinterest.fr". Obviously if "pinterest" changed to "qwerty" I'll be in trouble.
I know it's a small difference, but I feel like small things like this are
"make or break" when it comes to ease of use.

It is true you can start maintaining lists of "exceptions" (i.e. special user
names or counters). But that starts to be really inconvenient in my opinion.
Maybe I'm just spoiled. ;)

~~~
ecesena
I'm not sure I really follow your logic, and sorry in advance I don't mean to
say you're wrong, I'm just trying to understand deeper.

It seems that you're comparing a PM with a fully featured app, vs an early-
stage idea that I'm proposing. I'm comparing 2 core algorithms, vault vs
deterministic.

Assume I will release an app very similar to 1password, but with "my" core
algorithm. Or, if you prefer, assume you don't have your PM handy. But, I
think, the comparison should be fair.

What I'm trying to say is that all the features you're proposing can be
implemented/applied to my core algo as well, they don't deal with how you
generate a secret, but more on how do you manage many of them.

On changing the password there's another case. If your master password for a
group is leaked, and you fear that the vault is also exposed, then you have to
change all the passwords in the group. If you think of "high mobility" uses,
like using your PM also on untrusted/partially trusted devices, the exposure
of the vault is not really something you can exclude.

I believe that the core difference between vault and deterministic is this
one. Vault, you have completely random passwords, you always need the PM to
retrieve them. Deterministic, you can recover your passwords without the PM
(some of them, if you remember the info) -- my algo attempts to really go full
in that direction. Everything else is "management" features, that you can
build on top of the core.
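The two ideas the thread keeps returning to, a per-service counter feeding a deterministic derivation and a separate "formatting function" that bends the same secret bits to each site's password policy (the 8-character limit, lowercase-only, "-" counting as the special character), are sketched below as an added, self-contained example. It is not ecesena's algorithm or code and the parameters are constructed: the master password is stretched with PBKDF2-HMAC-SHA256 under a fixed (constructed) salt, each site's bits come from HMAC over length-prefixed service, username and counter fields, and the formatters are illustrative policies rather than anything the post defines.

```python
"""Deterministic password derivation with a pluggable formatting step.

Constructed example for the discussion above, not the author's code:
master secret + (service, username, per-service counter) -> secret bits,
then a separate formatting function maps those bits onto whatever
character policy a given site enforces.
"""
import base64
import hashlib
import hmac
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALNUM = LOWER + UPPER + DIGITS


def master_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the memorised master password once (constructed PBKDF2 parameters)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, 200_000, dklen=32)


def site_bits(key: bytes, service: str, username: str, counter: int = 0) -> bytes:
    """Secret bits for one login. The counter is per-service, so bumping it after a
    leak changes only this service's output; every other site stays untouched."""
    fields = (service.encode(), username.encode(), str(counter).encode())
    # Length-prefix each field so ("a", "bc") and ("ab", "c") cannot collide.
    info = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, info, hashlib.sha256).digest()


def format_generic(bits: bytes, alphabet: str, length: int,
                   required: tuple[str, ...] = ()) -> str:
    """Map bits onto `alphabet` by base conversion of the whole digest, which avoids
    the per-byte modulo bias of `alphabet[b % len(alphabet)]`.
    Each string in `required` contributes one guaranteed character at the front,
    so "must contain an upper, a digit and a special" policies are met by construction
    (fixed positions cost a little entropy; a documented trade-off of this sketch)."""
    if len(alphabet) ** length > 2 ** (8 * len(bits)):
        raise ValueError("digest too short for the requested length/alphabet")
    n = int.from_bytes(bits, "big")
    out = []
    for cls in required:
        n, idx = divmod(n, len(cls))
        out.append(cls[idx])
    while len(out) < length:
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out[:length])


# Illustrative policies: the derivation never changes, only the formatter does.
def fmt_default(bits: bytes) -> str:
    """20 chars, at least one lower/upper/digit and a "-" as the special character."""
    return format_generic(bits, ALNUM + "-", 20, (LOWER, UPPER, DIGITS, "-"))


def fmt_lowercase_alnum(bits: bytes) -> str:
    """Sites that reject anything but lowercase letters and digits."""
    return format_generic(bits, LOWER + DIGITS, 16)


def fmt_legacy_8(bits: bytes) -> str:
    """The 8-character limit mentioned in the thread, still with mixed classes."""
    return format_generic(bits, ALNUM, 8, (LOWER, UPPER, DIGITS))


def fmt_base64(bits: bytes, length: int = 20) -> str:
    """Plain base64url truncation, the "just base64 encode" fallback."""
    return base64.urlsafe_b64encode(bits).decode("ascii").rstrip("=")[:length]


def derive(master_password: str, salt: bytes, service: str, username: str,
           counter: int, formatter=fmt_default) -> str:
    """End-to-end: memorised secret + remembered metadata -> site password."""
    return formatter(site_bits(master_key(master_password, salt), service, username, counter))


if __name__ == "__main__":
    # Constructed inputs; the re-branded getapp.io/app.com case from the thread
    # is handled by simply keeping the old name in the derivation.
    key = master_key("correct horse battery staple", b"constructed-salt")
    for counter in (0, 1):
        bits = site_bits(key, "getapp.io", "me@example.com", counter)
        print(counter, fmt_default(bits), fmt_lowercase_alnum(bits), fmt_legacy_8(bits))
```

Running it twice prints identical lines, which is the whole point of the deterministic approach: nothing has to be stored except the master password and the metadata, and the metadata (service, username, counter) is not secret. The flip side the thread raises also shows up directly in the code: the only way to rotate one site's password is to bump that site's counter and remember the new value, and a leak of the master password exposes every derivable site at once, with no vault to revoke.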

