For the justifiably paranoid, a web service is not going to cut it (lack of https is just the start - relying on any web service is a _lot_ of trust to put in such an Important Thing). Even if you are as trustworthy as I'd hope, it's foolish to even allow the possibility of you (or your service) being compromised to affect the safety of my passwords.
Personally, I use a command-line implementation of SuperGenPass that a friend of mine wrote (and I host at github:gfxmonk/supergenpass). It avoids all sorts of spoofing / browser vulnerabilities, and is reasonably convenient with something like Guake.
I'm not trying to diss the concept at all - I love this kind of thing, and honestly can't understand why it isn't more widely used / encouraged. But It's worth pointing out what already exists in the space.
NullPass isn't a Web service, it's a one-page Javascript app like mine and SuperGenPass. But it loads a bunch of libraries, so it can't as easily be copied for safe offline or local use.
I never realised there were so many implementations of this floating around. It might be a neat idea to inline/reduce the libraries I used to more easily distribute for offline. Although I have to say that I don't feel this is any less safe because it can't run locally :)
Thanks for your input :)
Thanks!
I do this myself with supergenpass, for when a site's password DB gets compromised (a common enough occurrence these days).
Importantly, this augmented state is a convenience - it's not irreplaceable. If I find myself _without_ my list of hints, I am not completely screwed - I'll just have a harder time logging into those few sites, and it's quite likely I'll remember the right hint after a few tries from memory if I really need to.
Basically the same idea but seeds a random number generator with the master password and the service name to have an infinite supply of passwords. Technically no state is needed because Python's random module is deterministic, but I will end up saving the state with the service name and the index of the random number so that I don't have to try each and every one (not that I change passwords that often, for better or worse).
And, for convenience, since I won't be saving the master password, I'm looking into adding a credential cache like sudo has.
http://en.wikipedia.org/wiki/Hash-based_message_authenticati...
Is there any reason why HMAC would be better than my current implementation? I have had a read over the article and it seems that straight SHA512 should have similar cryptographic strength.
Thanks for your input!
Thanks for your input :)
