It sounds like a cool concept, but I can’t see anyone migrating to this service since there is no logical way to import your current passwords.

Am I missing something?

  • ollien@beehaw.org · 13 · 2 years ago

    The idea of a security tool using the same name as one of the most serious security vulnerabilities of the last decade is very funny, lol.

  • ram@lemmy.ca · 11 · (edited) · 2 years ago

    This is extremely impractical for daily password use. Not being able to ever change your master or the passwords to your sites is a deal-breaker for the security minded who wouldn’t even want the risk of an encrypted password wallet.

    It’s an interesting idea, but in the end it’s flawed.

  • dudeami0@lemmy.dudeami.win · 8 · 2 years ago

    This seems like someone learned about key derivation functions and applied it to passwords. So with this system, it’s stateless and no passwords are stored (encrypted or not). You need 4 things to generate passwords:

    • Your full name
    • Spectre secret
    • Site Domain
    • Master password

    This seems counterintuitive to the stateless nature, since at least one (the Spectre secret) will need to be stored somewhere. For UX the full name probably would also be stored, and the site domain can be gotten via some API on password use. This leaves the master password as the only portion not stored, and on “unlocking” the database it would probably be stored on the user’s device for a period of time.

    This also ignores some of the requirements of websites needing passwords (some support all characters, some only a-z0-9_, etc.). If supported, this metadata would also need to be stored somewhere. Not being able to change passwords is also a huge issue, as passwords should be changed often, or replaced with keys (which you also replace often!).

    For attackers, this seems not much different than a database file. In most cases, they’ll already know two of the 4 (site domain and full name, especially in corporate environments). This leaves only the spectre secret and the master password doing the heavy lifting of security. This sounds a lot like a traditional password manager, where you have a master password, a database file, and an optional key file.

    So the process to attack a traditional database system is to acquire the needed information (database file, master password/key file) and look up the password (site domain/description). The process to attack Spectre is to acquire the needed information (full name, secret, master password) and look up the password (site domain/description). These have the same challenges of acquiring/brute forcing the master password and key file, and are essentially the same in the eyes of an attacker.

    Overall I think passkeys will replace passwords, or something along that line. Keys have been used for a long time in security sensitive areas, can be swapped out easily and provide much more protection than a password when large enough.

    • Saik0@lemmy.saik0.com · 5 · 2 years ago

      Any “password” that cannot be revoked is a bad password.

      This is also why biometrics are bad. You can’t replace your fingers, eyes, etc… These are good usernames.

    • Oliver@feddit.de · 2 · 2 years ago

      I don’t think passwords have to be changed very often, when you use a password manager and 30-character randomly generated passwords (or why not 64 characters or even more if the site allows it) separately for each site. If there isn’t a breach: why should I change the password?

      That’s a very complex password used in a single place which only my password manager knows, changed for another very complex password used in a single place which only my password manager knows.

      If it is long enough, even brute force shouldn’t be a problem if someone is trying every single combination possible for 30 or more characters (where he doesn’t know how many characters he has to find). 🤷‍♂️

      • dudeami0@lemmy.dudeami.win · 1 · 2 years ago

        Often is probably a bad way to phrase it, but there is a reason TLS certificates are changed regularly. Generally this isn’t a big concern if you are the sole user and a set of known devices are used. Once you start handing passwords to others to use (such as is common in corporate environments) the problems begin to show. Resetting the password is just a surefire way to revoke access from anyone that may have had access that shouldn’t, for whatever reason.

        You are correct though, that as long as the password isn’t being used on public terminals or in areas it might be compromised, it’s generally secure.

  • unreliable@discuss.tchncs.de · 7 · 2 years ago

    So… you need a master password, you cannot switch your master password, and any password you generate cannot be changed in case of leaks or ugly policies to change every X days. Plus, having access to your master password gives you access to every single password you ever created or will create.

    I stay with a single master password and random passwords.

  • Jeremy Yap@hachyderm.io · 6 · 2 years ago

    This is often called a “stateless” or “generative” password manager, and while they do have some benefits they tend to be rather niche.

    The main issue is losing the ability to easily change the master passwords as well as making it more difficult to deal with password requirements.

    Also, for most users the sort of access needed to steal an encrypted password vault isn’t much different from what is needed to grab a master password as it’s being used, so the benefit is very limited.

  • im stuff@lemmy.blahaj.zone · 6 · 2 years ago

    If my securely generated password to example.com gets leaked in a data breach, my only options are to ignore the leak or regenerate all my passwords with a new master password?

    I don’t think this works for me.

  • Esca@lemmy.one · 4 · (edited) · 2 years ago

    So basically a fancy hashing algorithm to get the same password for the same information you give it. Neat idea but I am not convinced yet.

    If your Spectre secret gets somehow leaked (and your full name could easily be found), that’s immediately all your current and future passwords leaked. Now, this would in theory also be a problem with regular password managers that live in the cloud. Though smart ones hopefully add 2FA or similar before they let their users log in. For offline password managers the hacker would need your secret + database to get your password. That’s a lot harder. Spectre takes one of those items away, because the ‘database’ is their algorithm which literally runs on their webpage. All they need is a single password.

    What if a site you use leaks your password and you have to change your password for that site only? Spectre won’t help you with that, as it will still give you the (burned) password. So you manually have to remember which sites use Spectre for passwords and which ones don’t.

    Have any services that have been provided to you with a set password you can’t change (e.g. some service your job uses)? Spectre won’t help you with this as it won’t hold any custom passwords. Have any weird services that require a specific length and/or forbid characters that Spectre uses? Good luck, Spectre can’t help you here either. It’s not a password manager.

    • DumBirb@kbin.social · 2 · (edited) · 2 years ago

      If one password is leaked, it should let you change the key for just that one service. Eventually, you could have a bunch of different keys for different services. But then you will need some manager for remembering all those different secrets. Yay!

      I see they have a counter that maybe you can set? Then I guess you just need a manager to store the counters, which seems fundamentally the same.

      • Esca@lemmy.one · 1 · 2 years ago

        See my response a few comments down this thread. I found the counter and password template too. I don’t have an iPhone so I can’t test the app, but I very much think this app stores the ‘settings’ (counter, template) to generate the password. Based on what the API and CLI can do… it has to, surely. It also has the ability to retrieve a custom password.

        Of course the webapp in the link doesn’t do all of that. You’re stuck with 1 password in 1 format. Unless you change your secret and then all your passwords change.

    • imaginary@feddit.de (OP) · 2 · 2 years ago

      “and your full name could easily be found”

      I think they are only talking about your username, not your actual name.

      “What if a site you use leaks your password and you have to change your password for that site only? Spectre won’t help you with that, as it will still give you the (burned) password.”

      That is something I immediately thought about: there is no way to change a single password. All or nothing.

      Good luck with hundreds of passwords that would need changing.

        • Esca@lemmy.one · 2 · 2 years ago

          In practice it can be anything though. It just gets thrown in one of the hashing functions. The way they describe it:

          user-key = SCRYPT( user-name, user-secret )

          site-key = HMAC-SHA-256( site-name . site-counter, user-key )

          site-password = PW( site-template, site-key )

          Which is kinda interesting, they mention site-counter and site-template. The counter indicates you can set it to a different value to get a different password for that site. But then obviously every time you want to recall that password, you have to set the site counter correctly. I guess the app will remember this, but the web version obviously doesn’t. But the gimmick is that it doesn’t store anything, but it seems for the app to work it does need to store the settings to generate your password.

          And also there is a site-template, which seems to hold various ways to generate passwords. Long, medium, short, pin, etc etc. With or without special symbols. It even mentions ‘saved personal password’ so I guess it can save custom passwords? Hopefully encrypted though.

          That sorta addresses the concerns I have. But obviously that means you need the app, the website doesn’t do all those extra things. And if you lose the app you lose your custom site counter and template.

          Also, the CLI version seems to happily store the username and secret on your pc? Or at least lets you read it from a file, so…

          (I haven’t actually used the app, just going through some docs and source code here)
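The derivation chain quoted above, written out as an added Python example (not Spectre’s own code; the scrypt cost, salt and message layout, counter encoding and template alphabets are assumptions chosen for illustration). It shows the point the thread keeps circling: with nothing stored, the only way to rotate one site’s password is to change its counter, and changing the secret changes every password at once.

```python
import hashlib
import hmac

# Added illustration of the derivation chain quoted in the comment:
#   user-key      = SCRYPT(user-name, user-secret)
#   site-key      = HMAC-SHA-256(site-name . site-counter, user-key)
#   site-password = PW(site-template, site-key)
# Cost parameters, salt/message layout and template alphabets are
# assumptions for this example, not Spectre's published constants.

# template name -> one character-class slot per output character
TEMPLATES = {"long": "CvcvnoCvcvCvcv", "medium": "CvcnoCvc", "pin": "nnnn"}
CLASSES = {
    "C": "BCDFGHJKLMNPQRSTVWXYZ", "c": "bcdfghjklmnpqrstvwxyz",
    "v": "aeiou", "n": "0123456789", "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}


def user_key(name: str, secret: str) -> bytes:
    """Expensive step: runs once per unlock, independent of any site."""
    salt = len(name).to_bytes(4, "big") + name.encode()
    return hashlib.scrypt(secret.encode(), salt=salt, n=1 << 14, r=8, p=1,
                          dklen=64, maxmem=64 * 1024 * 1024)  # low cost for demo


def site_key(ukey: bytes, site: str, counter: int) -> bytes:
    """Cheap step: site name and counter are MACed under the user key."""
    msg = len(site).to_bytes(4, "big") + site.encode() + counter.to_bytes(4, "big")
    return hmac.new(ukey, msg, hashlib.sha256).digest()


def site_password(skey: bytes, template: str) -> str:
    """Map key bytes onto the template: byte i picks the char for slot i."""
    pattern = TEMPLATES[template]
    return "".join(CLASSES[c][skey[i] % len(CLASSES[c])]
                   for i, c in enumerate(pattern))


def derive(name: str, secret: str, site: str, counter: int = 1,
           template: str = "long") -> str:
    return site_password(site_key(user_key(name, secret), site, counter), template)


if __name__ == "__main__":
    # Constructed sample inputs; nothing is stored between calls.
    for ctr in (1, 2):
        print("example.com", ctr, derive("Alice Example", "correct horse", "example.com", ctr))
    print("pin", derive("Alice Example", "correct horse", "bank.example", template="pin"))
```

Note that the counter and template chosen for each site are exactly the per-site state the app would have to remember for you.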

  • aksdb@feddit.de · 4 · 2 years ago

    Calling this a “manager” seems a bit of a stretch. What exactly does it manage? It only seems to derive passwords. Unless I have a database I can search in (and get convenience shit like the information how old or weak existing passwords are or maybe even which sites have been compromised in the meantime), I would not call it a manager.

  • halictuz@beehaw.org · 3 · 2 years ago

    There are some things I’m missing.

    What if I need or want a certain password length? Because a site only allows X or I want to have Y amount of characters.

    What about control over special characters in the password or not? Sometimes I need to generate passwords without any special character.

    Where is the 2FA aspect? Sure, there is no database with my passwords. But at least my DB is secured with username + password + 2FA code.

    I still need to trust a website or app where I put my credentials in. Or is it 100% offline? Like I am with KeePass and/or self-hosted Bitwarden at home.

    How do I change passwords without the need of keeping track of website name changes?

    And just as a note, things like Bitwarden or KeePass are much more than only a password generator.

    Extra note: we are heading towards a passwordless future with passkeys etc. anyway.

  • Mothra@mander.xyz · 3 · 2 years ago

    All these people exchanging opinions and information about password manager options, and me… fumbling with the paper booklet I’ve been using to track my passwords for the last decade.

    • imaginary@feddit.de (OP) · 2 · 2 years ago

      I am curious. Without going much into detail that would compromise your passwords, obviously.

      But how do you come up with a good password, and how long are they typically for you?

      • Esca@lemmy.one · 4 · (edited) · 2 years ago

        I’m not the person you’re replying to but I have a fun answer for how I did it before I moved to password managers.

        I used to have just a single, normal-ish password. Reasonable length, some numbers in there, random caps. But in order for me to have unique passwords on every site without losing track of all the unique passwords, I added the first and last letter of the name of the service at a specific point inside the password. My password was cryptic enough that if you would see it you wouldn’t immediately notice it. But for me it meant I had a single strong password that was easy to remember and unique for every service.

        I’m still kind of proud of that one, even though I don’t use that method anymore.

      • Mothra@mander.xyz · 1 · 2 years ago

        I don’t know, I just think of a word and add/replace a few numbers and whatever I’m required to. Most places specify the minimum requirements (character count, numbers, uppercase, special characters, etc.). I rarely exceed the minimum requirements, though occasionally I do if it helps me remember the password. These days passwords keep getting longer and longer, most sites won’t allow registration with anything less than 12 characters and lately I’m seeing some request 16. Backtrack a decade and you were set with something simple like “simpl3”.

  • TheOneCurly@lemmy.theonecurly.page · 2 · 2 years ago

    Seems like you’ve got it right, but I don’t think a lot of security minded folks who moved to a system like this would scoff at changing their passwords again.

  • flashgnash@lemm.ee · 1 · 2 years ago

    I would absolutely migrate to this if there were a good Android app for it. The one that exists doesn’t seem to have support for Android’s password autofill system though.

    Have been using a manual method of consistently generating passwords for a while now, so given a good app/browser extension it’s a direct upgrade.

  • FermatsLastAccount@kbin.social · 1 · 2 years ago

    Seems interesting, but yeah I don’t see how it’d be possible to import existing passwords.

    If I remember correctly, LastPass used to have a function where they’d go through your insecure passwords and automatically change them. Maybe Spectre could do something like that.

  • petrescatraian@libranet.de · 1 · 2 years ago

    @imaginary doesn’t seem to be that much of a novel concept. I was interested in such a password manager that generates your passwords each time you access it instead of storing them. Indeed, for some (probably security related) reason you have to change your passwords to every service you use