

 Rate my web app: PassKey - PawelDecowski
https://passkeyapp.com/

======
tptacek
Your application is going to fail, because very few people are going to trust
it, which is going to drive conversions (which are already terribly low for
new web apps) through the floor, and because you are competing with things
like 1password that already work well across multiple devices.

And, while I don't want to send the wrong message about this (because I think
you _should_ use language like this to communicate security to end-users),
your security language addresses none of my concerns as a security
practitioner. What's being stored in bookmarklets in my browser? If I, as an
attacker, can read bookmarks from your browser, I have all your passwords, or
something that equates to them? What's being encrypted? How?

~~~
PawelDecowski
Valid points in the 1st paragraph. However, this is a hobby project. I'm not
competing with anything really. My initial goal when I thought about building
PassKey was to see if it was possible at all to get it to work using a
bookmarklet. In that sense, it's been a success.

I wanted to share it on HN to get feedback regarding implementation, and I got
positive feedback (thanks!). Perhaps business-wise it's not such a great idea,
but it wasn't my goal.

The bookmark only stores the encryption key. Even if you get hold of someone's
encryption key, it's useless because you don't know their PassKey username and
password (to get into the database).

------
spokey
I like the site. It's uncluttered but seems to give just the right information
in an appropriate level of detail.

I've never really looked deeply at "password keeper" applications before (I
think because Firefox seems to do a reasonably good job of it), but your approach
seems like a good one. I think if I tried hard enough I might be able to come
up with a JavaScript-based attack vector to steal the browser's key, but I
suppose that would be a lot of work for relatively little payoff (unless
they've already stolen your database and are now looking for decryption keys).

I'm curious about your business model. Do you intend to make money from this?
How?

~~~
PawelDecowski
Thanks!

I hadn't looked at password managers before I built PassKey. I tend to use at
least 3 computers on a daily basis and with PassKey (unlike browser built-in
password managers) I can sign in to web apps from any machine (just need to
get the bookmark).

I don't think it's possible to remotely steal the encryption key as JavaScript
doesn't have access to the browser's bookmarks.

Don't have a business model at the moment. It was a hobby project.

~~~
spokey
> I don't think it's possible to remotely steal the encryption key as
> JavaScript doesn't have access to the browser's bookmarks.

I think a trusted site might be able to read the bookmark URL from the history
object, but that seems to be sandboxed in general and might not contain
javascript: links in the first place. If you were more clever with JavaScript
than I am you might be able to do something like (1) pop open the current page
in a new window to hide what you're about to do from the user, (2) invoke
history.back() in the "parent" window, and (3) read the URL from
window.location

------
olefoo
This looks to be a fairly strong implementation, and I have no doubt you've
done your homework, and it might make a decent open source project.

But this is not going to be a successful business ever. The end user has no
way to know if your application is legitimate or not, Google, Facebook and
Twitter can run authorization services that third parties can rely on because
they provide valuable services that establish their user's trust in them. You
are asking them to hand over their passwords to everything because you have a
clean well-lit website.

~~~
PawelDecowski
That's a very valid point and I have thought about it.

To be honest, I started building it when I got fed up with entering passwords
manually throughout the day. It was more of a hobby project.

There are similar services (LastPass, Passpack -- in my opinion both much
more bloated than PassKey) which are businesses (whether successful or not --
I don't know).

Having said that, I didn't build it with making a ton of money in mind
(although it would be nice).

------
PawelDecowski
PassKey is a web based password manager; it allows you to sign in with 1 click
to your online accounts.

It's easy to use, you mainly interact with it via a bookmark(let).

It's secure:

  * All connections are HTTPS
  * Passwords are stored encrypted with AES
  * Encryption key is stored in your browser, in a bookmark(let)

I'd love to hear your feedback.

~~~
ithkuil
I think the point is that we have to trust you, that the passwords are stored
encrypted. Right? Or there is a way to see that you are passing the encrypted
password and the bookmarklet "decrypts" it locally without passing through
your site?

~~~
PawelDecowski
Encryption and decryption happen on the server. You need to trust me on that.

I may implement client-side encryption/decryption. I need to look into it.

~~~
erikano
>Encryption and decryption happen on the server. You need to trust me on that.

So in the event that someone breaks into your server, what keeps them from
stealing my unique encryption key the next time I use your service?

~~~
PawelDecowski
Nothing at the moment.

------
VMG
I really like the idea though I won't register. I'd like to have a central
password repository, but I want these features:

- ability to store passwords for non-web services

- automatically generate passwords based on certain rules (i.e. always 6
digits)

- have an API to fetch/store passwords

- have a browser plugin instead of a bookmarklet (I don't use the bookmark
bar in chrome)

~~~
PawelDecowski
I hear you. And my reply is: there are other password managers better suited
for you.

> ability to store passwords for non-web services

That's not what PassKey was built for. My main goal was to provide 1-click
sign in. A web app (which PassKey is) won't be able to sign you in to, say,
the Skype client. It's technologically impossible.

> automatically generate passwords based on certain rules (i.e. always 6 digits)

That might be an interesting tool within PassKey and I may consider it.

> have an API to fetch/store passwords

That's an interesting idea. If there's enough interest I may provide an API to
fetch/store _encrypted_ passwords. Encryption/decryption would have to happen
at the API client level for security reasons (i.e. I don't know the decryption key).

> have a browser plugin instead of a bookmarklet (I don't use the bookmark bar
> in chrome)

That defeats my goal to make it a "nothing to install" app.

Bottom line: PassKey was created purely to give you a button in your browser
that you click on and it signs you in to the website you're on. Nothing more.

Thanks for your input!

~~~
VMG
Unfortunately, I haven't found a better solution. Currently I am using pwsafe
via ssh and it is kinda frustrating.

------
justrudd
I like the website. It isn't nearly as cluttered as LastPass.com. Which brings
up my main question, why would I switch from LastPass.com to you? If I do
switch, do I have to enter everything manually? I didn't see any mention of
import tools.

~~~
PawelDecowski
The ease of use is my main selling point. I've tried LastPass and Passpack and
they are much more complicated.

No import tools at the moment but I like the idea. I'll add it to my todo
list.

