Show HN: PW - Simple, secure & cross-platform password generator
simontabor.com
Looks interesting, but I might be missing something here, what actually is it?
Why does it need the service and a password, isn't it generating a password? And how is it cross-platform, it looks like it's web based?
Probably didn't make it clear enough, it's repeatable so you'd use Twitter as the service and whatever password you usually use (master password), it'd come back with a hash and you use that as your Twitter password. Whenever you need your Twitter password, you repeat the process.
https://github.com/simontabor/pw - it's got node-webkit so there's a mac app in that repo and should also work on Windows + Linux nicely (this is simply to take it out of the browser where it's easy to lose tabs and put it in a clean, small window)
It's a nice touch to provide a local application to run as there is no way people should be doing this in the browser. You might want to remove the tracking from the local app though, even if it is for analytics purposes, I don't want something that deals with passwords like this to be phoning home.
I may do, it's not too difficult for people who care about it to just take it out - I'd actually rather people take the code, remove tracking if they'd like, edit colours/whatever and make it their own. It's more the concept that I care about (never ever send your main password over the wire)
> printf '%s' "service-password" | openssl sha1
This is a quick alternative that should work on Mac OS and Linux, and Windows when openssl has been installed in a similar way.
Making all the passwords the same length makes this essentially pointless.
It's a repeatable SHA1 hash, what more do you want?
I don't want everyone to know the length of my password that's for sure.
Sounds like you've misunderstood the purpose of this.
I usually just use a single password across most services, so they all know your password, even if you trust them not to store it in plain text. It's infinitely more secure to use something like PW, never entering your main/master password into any other services and then have a generated hash that really means nothing to anyone (can't be decoded or anything stupid). The length factor here makes very little difference, and only you need to know that you use a 40-character password (yes, 40, which I bet is longer and more secure than your current password(s))
Yes, but it's by far the lesser of two evils. You can easily take a substring of the generated password.
How would you randomise the length of the password in a repeatable + secure manner?
There is nothing inherently secure about hashing the password to be used as a password. It uses a non-dictionary string and has a long (but static) length, OK, but a random number of anything (characters, words, whatever) has variable length.
There is a reason passwords like 'the old lemon man jumped high as a pokemon' are getting more popular.
I still don't think you get the idea. Using 'the old lemon man jumped high as a pokemon' across multiple services may be secure from someone trying to hack just you, but it's much more likely that one of those services will leak your password (security flaw of some kind) and will therefore compromise your password across every service.
You could easily just use 'servicename||this is my secure password' as your password, but it's still obvious what the pattern is to anyone who obtains that password, rather than getting 404fC7C426Cb6cD694E6C2Ee828c133fA771AcC8. You should be able to leave your password and email address in public places without anyone being able to have any significant effect on your security (they might gain access to one service).
I understand how password managers work. Do you understand why a constant length password is bad?
To be fair, although I really dislike the idea of fixed length passwords, with this many characters it's not too bad.
A full search of the password space that this outputs would take ~10^50 years at the moment, on high end hardware, and shouldn't be susceptible to attacks on patterns, assuming SHA is working properly.
One thing I would say is that with something like this you might as well just remember a really long password and tag on the name of the service at the beginning, that will give you (arguably) more security. Something like hackernewsFe26476e75256504234fC7CbBcE05aEd704b94A2.
That's a decent idea, appending/prepending the service name to the hash would probably help.