Show HN: Paasword – a password vault that never stores your passwords

github.com

2 points by yoyo250 5 months ago · 2 comments · 1 min read


Warning: pre-release, unaudited, not for production use. (Though my password was generated with it)

Instead of saving secrets, it derives them on demand using domain + username + a short passphrase + a physical OpenPGP key (smartcard/YubiKey).

Passwords are reproducible but never persisted.

Currently tested only with RSA4096 on Windows + GnuPG 2.4.x.

zahlman 5 months ago

> a physical OpenPGP key (smartcard/YubiKey)

I don't know how you get a reproducible value from this, but in the use described it isn't actually contributing a second factor.

  • yoyo250 (OP) 5 months ago

    You're right — it's not a true "second factor" in the 2FA sense.

    The idea is to bind password derivation to a physical OpenPGP key.

    Without the smartcard/YubiKey inserted, the program can't generate the same password, even if someone knows the domain/username/phrase.

    So the key isn't used as extra entropy, but as an essential part of the derivation process.
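
One way a hardware-bound derivation like the one discussed in this thread can be reproducible, as an added example that is not Paasword's code and not part of either commenter's post. It assumes the card operation is a deterministic RSA PKCS#1 v1.5 signature (the thread does not say which operation Paasword uses); `make_demo_key`, `card_sign` and `derive_password` are hypothetical names, and a constructed software key stands in for the smartcard.

```python
import base64
import hashlib

# Constructed stand-in for the smartcard: RSA keys built from Mersenne primes.
# Fine for a demo, useless for security; on a real card d never leaves the chip.
E = 65537
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def make_demo_key(p_exp: int, q_exp: int) -> tuple[int, int]:
    """Return (n, d) for the primes 2**p_exp - 1 and 2**q_exp - 1."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def card_sign(key: tuple[int, int], message: bytes) -> bytes:
    """RSASSA-PKCS1-v1_5 with SHA-256: no randomness, so same input, same output."""
    n, d = key
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def derive_password(key, domain: str, username: str, phrase: str,
                    length: int = 20) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = [f.encode() for f in (domain, username, phrase)]
    message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    signature = card_sign(key, message)
    # Hash the signature down to a password; nothing is written to disk.
    digest = hashlib.sha256(signature).digest()
    return base64.urlsafe_b64encode(digest).decode()[:length]


CARD_A = make_demo_key(521, 607)    # constructed demo key
CARD_B = make_demo_key(607, 1279)   # a different "card"

if __name__ == "__main__":
    print(derive_password(CARD_A, "example.com", "alice", "short phrase"))
```

Anyone holding only the domain, username and phrase gets a different result because the private-key operation is missing; anyone holding the card and the phrase can recompute every password, so the card's PIN and the phrase carry the whole scheme.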
