Hacker News new | past | comments | ask | show | jobs | submit login

On problem with password managers (that are using web authentication to create/manage an account for backing up the password manager in the cloud) is that the authentication password can be leaked during the authentication process. For example, the storage provider for password manager backup can simply read the password from the authentication web page since this web page is hosted at the provider. This is problematic if the authentication password is also used to encrypt the password manager, i.e. the provider could decrypt the password manager with the authentication password. You would actually need two passwords; one for authentication and one for encryption. Unfortunately, you usually don't even have the option to choose two passwords.

To solve this problem I'm working on FejoaAuth (https://fejoa.org/fejoapage/auth.html). FejoaAuth uses an authentication protocol that does not leak the user password to the provider who is going to store the password manager. This protocol is run in a trusted browser plugin in order to ensure the correct execution of the protocol. Thus you can use a single password for authentication and password manager encryption.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact