This is a pretty neat concept. I'm not sure if this is what it's doing, but it seems like it.
It seems your master password is like a seed for the encryption or something, so that's why it can always be the same. If that's pretty much what it is, it's pretty smart and simple.
Master Password works very differently from 1Password, KeePass, LastPass, etc:
"Master Password is a stateless password generator. It doesn't store, collect or transmit any secrets. It makes them ubiquitously available, on-demand, depends on nothing but your private master password, and is fully open source."
LastPass is definitely different, as it stores data on a server.
KeePass and 1Password, as I understand, use your master key to decrypt a file (local or in a cloud provider like Dropbox) that contains your password(s).
Master Password may be different from this - I don't understand how you can retrieve passwords without storing them, but I'm sure it'll become clear by researching it. I do want to be clear that 1Password isn't a central repository like LastPass, however.
Ok, I get it - it doesn't retrieve anything. It basically hashes you a password using what is public and a secret (your password). I need to see if it's possible to change your password on a per site basis - it seems that would require changing globally (since you'll need to update the secret)
Several of the design goals for this app were to eliminate the need for sync, as you're able to fairly easily replicate the initial seeds/salts for password generation (your full name, your master password, and the site base domain).
I'm not really seeing any pros using this solution...
Con 1: You can't use any password you want (for whatever reason, be it stupid password security requirements, your boss gave you a password to use, you're not allowed to change something, the list goes on)
Con 2: They focus on not requiring sync, and concessions were made for this (a bunch of defaults, as well as con 1 from above) when they really actually do require sync. The password counter and password type (strong, weak, etc) both need to be synced to actually derive a password.
If we're going to have to sync these to reliably store our passwords, then why not just go with an actual password manager without any of these arbitrary limitations?
I've been using 1Password and it's been working out great for me. (Arguments may be made about its closed source, but KeepassX functions in a similar manner.)
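To make concrete what the thread is describing, here is an added illustrative reimplementation of a stateless derivation in the style of Master Password (not the project's own code): the master key comes from a slow salted KDF over the full name and master password, the site key from an HMAC over the site name and counter, and the password from a template chosen by the password type. The scope string, scrypt parameters and templates are assumptions for the demo, so the outputs will not match the real app; the point it shows is that the counter and the type are inputs to the derivation, so they have to be remembered or synced exactly as the comment above says.

```python
import hashlib
import hmac
import struct

# Domain-separation string (assumed value, not the project's).
SCOPE = b"com.example.stateless-demo"

# Character classes referenced by the templates (assumed alphabets).
CHAR_CLASSES = {
    "V": "AEIOU", "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou", "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789", "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}

# A password "type" is a set of templates; the site key picks one of them.
TEMPLATES = {
    "long": ["CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvcvCvcvCvcvno"],
    "pin": ["nnnn"],
}


def master_key(full_name: str, master_password: str) -> bytes:
    """Slow, salted KDF. The full name is the salt, so two people who pick
    the same master password still end up with different master keys."""
    name = full_name.encode()
    salt = SCOPE + struct.pack(">I", len(name)) + name
    # Reduced scrypt cost for the demo (assumed parameters).
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=64)


def site_key(mkey: bytes, site: str, counter: int) -> bytes:
    """Per-site key: the counter is mixed in, so bumping it yields a fresh
    password for the same site without changing the master password."""
    s = site.encode()
    msg = SCOPE + struct.pack(">I", len(s)) + s + struct.pack(">I", counter)
    return hmac.new(mkey, msg, hashlib.sha256).digest()


def site_password(full_name: str, master_password: str, site: str,
                  counter: int = 1, ptype: str = "long") -> str:
    """Derive the site password. Nothing is stored: the same five inputs
    always reproduce the same output, and any one of them changing
    (including counter or type) produces a different password."""
    skey = site_key(master_key(full_name, master_password), site, counter)
    templates = TEMPLATES[ptype]
    template = templates[skey[0] % len(templates)]   # byte 0 picks a template
    # Bytes 1.. pick one character from the class named at each position.
    return "".join(CHAR_CLASSES[cls][skey[i + 1] % len(CHAR_CLASSES[cls])]
                   for i, cls in enumerate(template))
```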
> Con 1: You can't use any password you want (for whatever reason, be it stupid password security requirements, your boss gave you a password to use, you're not allowed to change something, the list goes on)
It does cover that:
> My boss gave me this password to use...
>
> Master Password's generated passwords only work if you use the password generated for you. You cannot use a password somebody else gave you.
>
> Only - you can: Master Password implements a hybrid solution, allowing you to save custom passwords in the app. They are AES encrypted with your master key, but like all vault-based password managers, are not immune to loss if you ever lose your phone and backups.
Of course that introduces a vault and presumably a need to sync if you want to access that password from multiple computers or mobile devices.
I also like the option for the account clues.