
Given we’re likely stuck with passwords for the foreseeable future, I’d like to see two things in a password manager (maybe these exist?)

1. “hardware wallet” level security, with good UX. Maybe a USB/Lightning dongle, but I really wish computers/phones had built-in capability to do hardware wallets. Apple TouchBar got close (I realize it wouldn’t be considered a dedicated hardware wallet).

2. a way to automatically roll passwords periodically (with a small amount of user intervention, per requirement #1). This would require either some excellent AI or crowdsourced automations for every website.



> “hardware wallet” level security

This is mutually exclusive with passwords:

A hardware wallet never reveals its private key and allows you to review and approve private key operations through a well-defined and hardened interface. Passwords are bearer tokens, and there is no such option.


I use pass[0] against a Yubikey with a touch-policy that requires a touch to decrypt. I use passmenu, which types up the password (using xdotool) so clipboard stealing isn't as easy (probably adds a different attack vector though).

Not as good as webauthn etc, but still better than copy-pasting passwords, or a browser extension that keeps passwords decrypted in memory.


> 2. a way to automatically roll passwords periodically

Ironically, that’s what LastPass can do for many important sites. Technical details: it opens a site, clicks around its menus and does that for you, and you see all of this automation on your screen. Imagine how many non-2FA users are now experiencing automated password resets on their most valuable accounts.

I’m all for 1, as I take my physical keys with me everywhere, but random USB solutions out there I don’t really trust any more than e.g. lastpass.



Cool, great start, but something Yubikey sized would be more practical.


It can be done with yubikey. Passwords stored encrypted on disk and get decrypted on the yubikey with gpg.

https://github.com/drduh/YubiKey-Guide

https://attackpointsecurity.com/go-pass-yubikey-and-gpg


Isn't a hardware wallet airgapped?

For a cheap alternative you can use an old smartphone, and disable all radios. People will use a Librem 5 in 20 years still for this purpose wink.


> Isn't a hardware wallet airgapped?

No, most of them connect over USB. The important thing is reducing the attack surface to a bare minimum with simple protocols and implementations.

I think at a minimum it would need to emulate a keyboard to type out complex passwords. Ideally it could also receive simple commands from, say, a browser extension to request filling in a specific website.
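The contrast drawn in this thread between a hardware wallet, which only ever signs a fresh challenge after the user approves it, and a password, which is a bearer token anyone holding it can replay, as an added example (not code from any commenter or from any product; the `Wallet`, `ChallengeServer` and `PasswordServer` types and the sample password are constructed for illustration), in Go using the standard library's ed25519:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ErrDenied is returned when the user does not approve a signing request.
var ErrDenied = errors.New("signing request denied at the device")

// Wallet stands in for a hardware signer (hypothetical type, not a real
// product API): the private key is generated inside it and never exported,
// and the only operation exposed is Sign, gated by an approval hook that
// models the physical "touch to confirm".
type Wallet struct {
	priv    ed25519.PrivateKey
	approve func(challenge []byte) bool
}

func NewWallet(approve func([]byte) bool) (*Wallet, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Wallet{priv: priv, approve: approve}, nil
}

// PublicKey is the only key material that ever leaves the device.
func (w *Wallet) PublicKey() ed25519.PublicKey {
	return w.priv.Public().(ed25519.PublicKey)
}

func (w *Wallet) Sign(challenge []byte) ([]byte, error) {
	if !w.approve(challenge) {
		return nil, ErrDenied
	}
	return ed25519.Sign(w.priv, challenge), nil
}

// ChallengeServer is the relying party for the wallet: it issues a fresh
// random challenge per login and accepts each one exactly once.
type ChallengeServer struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

func NewChallengeServer(pub ed25519.PublicKey) *ChallengeServer {
	return &ChallengeServer{pub: pub, pending: map[string]bool{}}
}

func (s *ChallengeServer) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

func (s *ChallengeServer) Verify(challenge, sig []byte) bool {
	if !s.pending[string(challenge)] {
		return false // unknown or already-consumed challenge
	}
	delete(s.pending, string(challenge))
	return ed25519.Verify(s.pub, challenge, sig)
}

// PasswordServer is the bearer-token counterpart: whoever presents the
// secret is accepted, and nothing ties one presentation to one session.
type PasswordServer struct{ secret []byte }

func (p *PasswordServer) Verify(pw []byte) bool {
	return subtle.ConstantTimeCompare(p.secret, pw) == 1
}

// DemoPasswordReplay performs one genuine login, then replays the captured
// credential; it returns (genuine accepted, replay accepted).
func DemoPasswordReplay() (bool, bool) {
	srv := &PasswordServer{secret: []byte("correct horse battery staple")} // constructed sample
	captured := []byte("correct horse battery staple")                    // what an observer saw on the wire
	return srv.Verify(captured), srv.Verify(captured)
}

// DemoSignatureReplay does the same with the wallet: the captured
// (challenge, signature) pair is useless for a second login.
func DemoSignatureReplay() (bool, bool, error) {
	w, err := NewWallet(func([]byte) bool { return true }) // user taps "approve"
	if err != nil {
		return false, false, err
	}
	srv := NewChallengeServer(w.PublicKey())
	c, err := srv.NewChallenge()
	if err != nil {
		return false, false, err
	}
	sig, err := w.Sign(c)
	if err != nil {
		return false, false, err
	}
	genuine := srv.Verify(c, sig)
	replay := srv.Verify(c, sig) // observer replays exactly what it captured
	return genuine, replay, nil
}

// DemoDenied shows the device refusing to sign when the user does not approve.
func DemoDenied() error {
	w, err := NewWallet(func([]byte) bool { return false })
	if err != nil {
		return err
	}
	_, err = w.Sign([]byte("login challenge"))
	return err
}

func main() {
	g, r := DemoPasswordReplay()
	fmt.Printf("password:  genuine=%v replay=%v\n", g, r)
	g, r, _ = DemoSignatureReplay()
	fmt.Printf("signature: genuine=%v replay=%v\n", g, r)
	fmt.Println("no approval:", DemoDenied())
}
```

The point this makes concrete is the one raised above: a password manager, however it is stored, ultimately hands the site a reusable secret, whereas the wallet model hands over only a one-time signature and keeps the key and the approval step inside the device.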



