Hi, I’m Zhiwei and I’ve dedicated my entire career to security. You may also have read that LastPass got hacked or that password managers may not be secure. Well, that’s me.
Passwords are a mess. And all the password managers have a single point of failure: you lose your master key, you lose everything.
I’ve spent the last five years of soul-searching to find a solution that does not rely on any trusted party. I built something for myself, but you may also like it. So I’m sharing it with you and welcome any feedback.
All you need is a keepsake photo that you would never lose anyway. The solution works by transforming your memorable password, using the photo, into thousands of unique passwords. The photo never leaves your device, and your memorable password stays only in your mind. That way, you can use/reuse the same memorable password everywhere without worrying about anything.
If that sounds too good to be true, let me do this. Not only will I share my password with you, but also everything stored on the server. I even posted my keepsake photo online. Now, try to break into my Gmail, Instagram, or GitHub.
Obviously, I don’t encourage anyone to share their password, but I want to show you how we can make it irrelevant, and why the solution is secure, convenient, and private. And if you have questions, please come join my Slack so we can discuss live.
Yes, it has to be exactly the same original photo, because (1) most likely it contains more entropy, (2) the original is the single source of truth, and (3) you can still use the photo anywhere as long as it’s not the original.
The generated password is essentially:
password' = hash(hash(photo) | domain | password)
Usually, you don’t have to rotate strong passwords. If you really want to, here’s what I do: I just add a postfix to the password I remember. For example, I can use ziTJune1, ziTJune2, etc. They generate completely different passwords.
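The derivation above, the "original photo only" rule and the postfix rotation trick, worked through as an added example. This is not Pepperword's code; the post gives only the structure hash(hash(photo) | domain | password), so the choice of SHA-256, the length-prefixed framing of the three fields, the base64 rendering, the 20-character cut, and the stand-in photo bytes are all assumptions made here so that it runs offline.

```python
import base64
import hashlib


def photo_fingerprint(photo_bytes: bytes) -> bytes:
    """hash(photo): a SHA-256 digest over the exact bytes of the original file.

    Assumption: the post does not name its hash; SHA-256 stands in for it.
    Any re-encoding of the photo changes these bytes and so changes the output.
    """
    return hashlib.sha256(photo_bytes).digest()


def _framed(field: bytes) -> bytes:
    # Length-prefix each field so that, for example, domain "ab" + password "c"
    # can never collide with domain "a" + password "bc". This framing is an
    # assumption about how "|" (concatenation) is realised, not the post's own.
    return len(field).to_bytes(4, "big") + field


def derive_password(photo_bytes: bytes, domain: str, memorable: str, length: int = 20) -> str:
    """password' = hash(hash(photo) | domain | password), rendered as text.

    The base64 rendering and the 20-character cut are assumptions; the post
    only gives the hash-of-hash structure.
    """
    material = (
        _framed(photo_fingerprint(photo_bytes))
        + _framed(domain.encode("utf-8"))
        + _framed(memorable.encode("utf-8"))
    )
    digest = hashlib.sha256(material).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


# Constructed stand-in for the keepsake photo: not a real image, just bytes
# with a JPEG-like prefix so the example runs offline.
ORIGINAL_PHOTO = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4
MEMORABLE = "ziTJune"  # the memorable password the post publishes


def demo() -> dict:
    """Derive per-site passwords and show what the post's rules imply."""
    # A "re-encoded" copy: identical to the eye, one bit different on disk.
    reencoded = bytearray(ORIGINAL_PHOTO)
    reencoded[100] ^= 0x01
    return {
        # same memorable password, different domains -> unrelated outputs
        "gmail": derive_password(ORIGINAL_PHOTO, "gmail.com", MEMORABLE),
        "github": derive_password(ORIGINAL_PHOTO, "github.com", MEMORABLE),
        # rotation by postfix, as the post describes (ziTJune -> ziTJune1)
        "gmail_rotated": derive_password(ORIGINAL_PHOTO, "gmail.com", MEMORABLE + "1"),
        # only the original file works: a re-encoded copy yields a different password
        "gmail_reencoded": derive_password(bytes(reencoded), "gmail.com", MEMORABLE),
    }


if __name__ == "__main__":
    for name, pw in demo().items():
        print(f"{name:16s} {pw}")
```

Running it prints four unrelated 20-character passwords: the same memorable password gives a different output per domain, appending "1" rotates a site's password completely, and a copy of the photo that differs by a single bit (what any re-save or re-encode does) yields a password that has nothing in common with the original's, which is why the post insists on the exact original file.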
https://techcrunch.com/2014/07/11/lastpass-finds-security-ho...
https://www.csoonline.com/article/2453941/why-password-manag...
zhi.li@pepperword.com Password: ziTJune Database record available at: https://gist.github.com/zhili-ppwd/810c091a4efb6d17c878e4cf4...
My keepsake photo posted to instagram: https://www.instagram.com/p/CFrYIBugZlP/
Live demo: https://youtu.be/ybU9Jst2IhI
https://join.slack.com/t/pepperword/shared_invite/zt-hn3invq...