
Hide your secret key in plain site? Tell me the issues with this thought doodle - yeoldefrederick
https://gist.github.com/anonymous/305cdee9d2c977de08d8844385d540c5
======
yifanlu
So, your concern with password managers right now is that losing your master
password means you lose everything?

You wish to design a new system where the threat model includes losing the
master password? I think your implementation only adds 3 bits "more" security
than a "basic" implementation that is: hash web site name || root password.

Say, in your implementation, the attacker gets the root password and "salt
based on another random password" (it's likely that they get both at the same
time because they would be stored in the same place. If they're not stored in
the same place, you just discovered a weak form of 2-factor auth). All the
attacker has to do at this point is guess 10 values (30-40) and try each one
to get the account password. That's your 3 extra bits of security from the
'basic' implementation.

But if you just look at the two "features" you presented of your scheme, I
don't know any popular password manager (LastPass, 1Password, etc) that
doesn't have them. Can you explain?

------
yeoldefrederick
My concern with password managers is that if the password database is stolen
with my master password, I lose everything. If this script is stolen off my
laptop, what do I lose? Attacker would have to guess so much. Even if they did
guess all 3 'passwords', they would still have to guess the site, username,
etc. Plus, my master password isn't stored anywhere on my machine.

I don't care about forgetting a master password. I can recreate everything.

The flip side is my master password IS distributed across multiple third party
data sources that I have no control over...

------
qewrffewqwfqew
A basic implementation here:
[http://webpass.rkeene.org/](http://webpass.rkeene.org/)

A couple of difficulties your writeup doesn't cover:

* password expiry/rotation - webpass uses the "sequence number" for this, and sequence numbers can be saved in localStorage or shared online through another channel

* policies. The "Site" dropdown references a JSON structure which can specify min/max lengths, character type rules etc

The implementation is pretty simple, but that's kinda the point :).
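
As an added example (not code from the gist, webpass or SuperGenPass), here is a minimal deterministic generator in Python that covers the "hash(site || root password)" baseline yifanlu describes, the sequence number for rotation and the per-site JSON policy this comment mentions, and the enumeration yifanlu warns about when the only extra secret is a number in a small range. The policy field names, the sample site names and the function names are my assumptions; scrypt stands in for whatever hash the real tools use.

```python
import hashlib
import hmac
import json
import string

# Constructed example of a per-site JSON policy structure (field names are an
# assumption; the real webpass schema is not shown on this page).
SITE_POLICIES_JSON = """
{
  "example.com":    {"min_len": 12, "max_len": 16, "classes": ["lower", "upper", "digit", "symbol"]},
  "legacy.example": {"min_len": 6,  "max_len": 8,  "classes": ["lower", "digit"]}
}
"""
POLICIES = json.loads(SITE_POLICIES_JSON)

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*",
}


def derive_site_key(root_password: str, site: str, username: str, seq: int) -> bytes:
    """The 'hash(site || root password)' baseline, done with a memory-hard KDF.

    Site, username and sequence number form the salt; bumping seq rotates the
    site password without changing the root password.
    """
    salt = "\x00".join([site, username, str(seq)]).encode()
    return hashlib.scrypt(root_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def expand(key: bytes, attempt: int, alphabet: str, length: int) -> str:
    """Stretch the key into `length` characters of `alphabet` using HMAC in
    counter mode, with rejection sampling so no character is favoured."""
    limit = 256 - (256 % len(alphabet))
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, f"{attempt}:{counter}".encode(), hashlib.sha256).digest()
        for b in block:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def render_password(key: bytes, policy: dict) -> str:
    """Apply the site policy: longest allowed length, every required class present."""
    classes = policy["classes"]
    if policy["min_len"] > policy["max_len"]:
        raise ValueError("unsatisfiable length policy")
    alphabet = "".join(CLASSES[c] for c in classes)
    # Retry with a new attempt index until each required class shows up. This is
    # deterministic, so the same key and policy always give the same password.
    for attempt in range(1000):
        pw = expand(key, attempt, alphabet, policy["max_len"])
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw
    raise RuntimeError("could not satisfy character-class policy")


def site_password(root_password: str, site: str, username: str, seq: int,
                  policies: dict = POLICIES) -> str:
    return render_password(derive_site_key(root_password, site, username, seq),
                           policies[site])


def attacker_candidates(root_password, site, username, seq_range, policies=POLICIES):
    """yifanlu's point: once the attacker holds the root password, a second
    'secret' drawn from a small range (30..39 here, ten values) is worth about
    log2(10) ~ 3 bits; they derive every candidate and try each one."""
    return [site_password(root_password, site, username, s, policies) for s in seq_range]


if __name__ == "__main__":
    root = "correct horse battery staple"  # constructed sample root password
    pw = site_password(root, "example.com", "alice", 35)
    print("example.com password:", pw)
    print("in attacker's candidate list:",
          pw in attacker_candidates(root, "example.com", "alice", range(30, 40)))
```

Two design points worth noting. A memory-hard KDF rather than a plain hash is what makes a single leaked site password expensive to turn back into the root password, which matters precisely because, as yeoldefrederick notes above, the root password is effectively distributed across every third-party site; it does not remove that exposure, it only raises the cost of the offline guess. And the retry loop in `render_password` is how a deterministic scheme satisfies "must contain a digit and a symbol" rules without any stored state beyond the policy and the sequence number.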

------
mapio
Isn't it [http://www.supergenpass.com/](http://www.supergenpass.com/)?

