tinyapps.org / blog

Time to replace traditional password managers like KeePass, 1Password, LastPass, et al.? #

"Master Password is a stateless password generator. It doesn't store, collect or transmit any secrets. It makes them ubiquitously available, on-demand, depends on nothing but your private master password, and is fully open source.

How Does It Work?

The user is expected to remember the following information:

• Their full name (eg. Robert Lee Mitchell):
  This is a salt for the master key generation.
• Their personal master password (eg. pink fluffy door frame):
  This is the secret for the master key generation.
• The site name (eg. apple.com):
  The user chooses a name for each site. The bare domain name is an ideal choice.
• The site's password counter (default: 0):
  This is an integer that can be incremented when the user needs a new password for the site.
• The site's password type (default: Long Password):
  This type determines the format of the output password. It can be changed if the site's password policy does not accept passwords of this format.

In practice, the secret master password is the only extra thing users will actually need to remember. Their full name, they'll hopefully remember regardless. If the site is always named after the bare domain name, it needn't explicitly be remembered but can be found in the browser's address bar. The counter and type need only be remembered if they are changed from their default values."

• GitHub project page
• The Master Password Algorithm
• Discussion board
• Platforms include iOS, Android, OS X, Java, *nix (terminal app written in C), and web (beta)
• Discussions on Hacker News and reddit, including potential pitfalls and important considerations
• Some similar projects:
  • Cassidy "is an open source password manager that doesn't store passwords."
  • hash0 is a "synchronizable PBKDF2 based password generator."
  • hashapass "automatically generates strong passwords from a master password and a parameter."
  • One Shall Pass "is a browser-side service for calculating strong, site-specific passwords. It is open source. In contrast to other password services, 1SP does not save your passwords or universal passphrase anywhere."
  • PasswordMaker "is a small, lightweight, free, open-source tool for Internet Explorer, Firefox, Google Chrome, iPhone, Opera, PHP, Windows, OS X, Linux, Flock, Yahoo! Widgets, Android, Python, and many other platforms & systems. It creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen. PasswordMaker has been around since about 2003 and so is a mature, stable, popular solution."
  • PwdHash "generates theft-resistant passwords."
  • SuperGenPass "uses a hash algorithm to transform a master password into unique, complex passwords for the Web sites you visit."

/misc | Jun 26, 2015

Subscribe or visit the archives.