
That's meaningless. It opens a whole range of attack vectors for absolutely no reason. Not least your inky password (which they presumably use as the key). They allow a minimum length of 6 chars on that, which can be brute forced within hours on today's hardware.

They very clearly have no idea what they're doing (security-wise), consequently this is very likely not the only fatal flaw in their implementation.

Easy account sync between devices is a good enough reason for me. It can be implemented securely, so in general I don't see a problem. Hey, Google Chrome syncs saved passwords, online password vaults like LastPass do this too, are they security-incompetent too? Don't know what hash function and encryption they use, but I think it's possible to pick/configure them so that brute-forcing even 6-character passwords is impractical.
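To put numbers on the two positions above (a 6-character password is cheap to brute-force vs. a KDF can be configured to make it impractical), here is an added example that is not part of the thread and not inky's code. It assumes a 62-symbol alphanumeric alphabet and uses PBKDF2-HMAC-SHA256 as a stand-in for whatever inky actually uses; the timing it measures is a single CPU core, so a GPU attacker will do far better and the estimate is a lower bound.

```python
import hashlib
import hmac
import os
import string
import time

# Constructed parameters: a 62-symbol alphanumeric alphabet and a 6-character
# password, matching the minimum length discussed in the thread.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 6


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords the attacker must consider."""
    return alphabet_size ** length


def derive_key(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Stretch a password into an encryption key; `iterations` is the tunable cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def verify(password: str, salt: bytes, iterations: int, expected_key: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak timing."""
    return hmac.compare_digest(derive_key(password, salt, iterations), expected_key)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the per-candidate cost of one derivation on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("abc123", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_bruteforce_seconds(alphabet_size: int, length: int, sec_per_guess: float) -> float:
    """Expected time to hit the right password: half the keyspace on average."""
    return keyspace(alphabet_size, length) / 2 * sec_per_guess


if __name__ == "__main__":
    space = keyspace(len(ALPHABET), PASSWORD_LEN)
    print(f"keyspace for {PASSWORD_LEN} alphanumeric chars: {space:,}")
    # iterations=1 approximates a naive single hash; 600_000 is a current-day
    # PBKDF2 cost (assumed parameter, not inky's). Linear in iterations.
    for iters in (1, 600_000):
        est = expected_bruteforce_seconds(len(ALPHABET), PASSWORD_LEN, seconds_per_guess(iters))
        print(f"iterations={iters:>7}: ~{est / 3600:,.1f} hours on one CPU core")
```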


If you're willing to gamble your imap password on their undocumented process then that's fine.

I posted my warning because I think most users are not even aware that they're sending their password to inky and the implied risk. Also inky does nothing to educate them (a handwavy marketing-blurb buried in the FAQ does not count).

Sorry but comparing inky to LastPass and Google is laughable. Google is trusted because it's Google. LastPass is trusted because their process is extensively documented. If you plan to casually juggle your users' crown jewels for a convenience feature then you'd better fit into one of these two categories.


Yep, the process needs to be transparent, documented and verifiable. Until it is, good idea to warn others!

