I think the point is that we have to trust you, that the passwords are stored encrypted.
Right? Or there is a way to see that you are passing the encrypted password and the bookmarklet "decrypts" it locally without passing through your site?
This looks to be a fairly strong implementation, and I have no doubt you've done your homework, and it might make a decent open source project.
But this is not going to be a successful business ever. The end user has no way to know if your application is legitimate or not, Google, Facebook and Twitter can run authorization services that third parties can rely on because they provide valuable services that establish their user's trust in them. You are asking them to hand over their passwords to everything because you have a clean well-lit website.
That's a very valid point and I have thought about it.
To be honest, I started building it when I got fed up with entering passwords manually throughout the day. It was more of a hobby project.
There are similar services (Last Pass, Passpack -- in my opinion both much more bloated than PassKey) which are businesses (whether successful or not -- I don't know.
Having said that; I didn't build it with making a ton of money in mind (although it would be nice).
I like the website. It isn't nearly as cluttered as LastPass.com. Which brings up my main question, why would I switch from LastPass.com to you? If I do switch, do I have to enter everything manually? I didn't see any mention of import tools.
I like the site. It's uncluttered but seems to give just the right information in an appropriate level of detail.
I've never really looked deeply at "password keeper" applications before (I think because Firefox seems to a reasonably good job of it), but your approach seems like a good one. I think if I tried hard enough I might be able to come up with a JavaScript-based attack vector to steal the browser's key, but I suppose that would be a lot of work for relatively little payoff (unless they've already stolen your database and are now looking for decryption keys).
I'm curious about your business model. Do you intend to make money from this? How?
I hadn't looked at password managers before I built PassKey. I tend to use at least 3 computers on a daily basis and with PassKey (unlike browser built-in password managers) I can sign in to web apps from any machine (just need to get the bookmark).
I don't think it's possible to remotely steal the encryption key as JavaScript doesn't have access to browser's bookmarks.
Don't have a business model at the moment. It was a hobby project.
> I don't think it's possible to remotely steal the encryption key as JavaScript doesn't have access to browser's bookmarks.
I think a trusted site might be able to read the bookmark URL from the history object, but that seems to be sandboxed in general and might not contain javascript: links in the first place. If you were more clever with JavaScript than I am you might be able to do something like (1) pop open the current page in a new window to hide what you're about to do from the user, (2) invoke history.back() in the "parent" window, and (3) read the URL from window.location
Your application is going to fail, because very few people are going to trust it, which is going to drive conversions (which are already terribly low for new web apps) through the floor, and because you are competing with things like 1password that already work well across multiple devices.
And, while I don't want to send the wrong message about this (because I think you should use language like this to communicate security to end-users), your security language addresses none of my concerns as a security practitioner. What's being stored in bookmarklets in my browser? If I, as an attacker, can read bookmarks from your browser, I have all your passwords, or something that equates to them? What's being encrypted? How?
Valid points in the 1st paragraph. However, this is a hobby project. I'm not competing with anything really. My initial goal when I thought about building PassKey was to see if it was possible at all to get it to work using a bookmarklet. In that sense, it's been a success.
I wanted to share it on HN to get feedback regarding implementation, and I got positive feedback (thanks!). Perhaps business-wise it's not such a great idea, but it wasn't my goal.
The bookmark only stores the encryption key. Even if you get hold of someone's encryption key, it's useless because you don't know their PassKey username and password (to get into the database).
I hear you. And my reply is: there are other password managers better suited for you.
> ability to store passwords for non-web services
That's not what PassKey was built for. My main goal was to provide 1-click sign in. Web app (which PassKey is) won't be able to sign you in to, say, Skype client. It's technologically impossible.
> automatically generate passwords based on certain rules (ie always 6 digits)
That might be an interesting tool within PassKey and I may consider it.
> have an API to fetch/store passwords
That's an interesting idea. If there's enough interest I may provide an API to fetch/store encrypted passwords. Encryption/decryption would have to happen on API client level for security reasons (ie I don't know the decryption key).
> have a browser plugin instead of a bookmarklet (I don't use the bookmark bar in chrome)
That defeats my goal to make it a "nothing to install" app.
Bottom line: PassKey was created purely to give you a button in your browser that you click on and it signs you in to the website you're on. Nothing more.
18 comments
[ 4.4 ms ] story [ 64.1 ms ] threadIt's easy to use, you mainly interact with it via a bookmark(let).
It's secure:
I'd love to hear your feedback.I may implement client-side encryption/decryption. I need to look into it.
So in the event that someone breaks into your server, what keeps them from stealing my unique encryption key the next time I use your service?
But this is not going to be a successful business ever. The end user has no way to know if your application is legitimate or not, Google, Facebook and Twitter can run authorization services that third parties can rely on because they provide valuable services that establish their user's trust in them. You are asking them to hand over their passwords to everything because you have a clean well-lit website.
To be honest, I started building it when I got fed up with entering passwords manually throughout the day. It was more of a hobby project.
There are similar services (Last Pass, Passpack -- in my opinion both much more bloated than PassKey) which are businesses (whether successful or not -- I don't know.
Having said that; I didn't build it with making a ton of money in mind (although it would be nice).
No import tools at the moment but I like the idea. I'll add it to my todo list.
I've never really looked deeply at "password keeper" applications before (I think because Firefox seems to a reasonably good job of it), but your approach seems like a good one. I think if I tried hard enough I might be able to come up with a JavaScript-based attack vector to steal the browser's key, but I suppose that would be a lot of work for relatively little payoff (unless they've already stolen your database and are now looking for decryption keys).
I'm curious about your business model. Do you intend to make money from this? How?
I hadn't looked at password managers before I built PassKey. I tend to use at least 3 computers on a daily basis and with PassKey (unlike browser built-in password managers) I can sign in to web apps from any machine (just need to get the bookmark).
I don't think it's possible to remotely steal the encryption key as JavaScript doesn't have access to browser's bookmarks.
Don't have a business model at the moment. It was a hobby project.
I think a trusted site might be able to read the bookmark URL from the history object, but that seems to be sandboxed in general and might not contain javascript: links in the first place. If you were more clever with JavaScript than I am you might be able to do something like (1) pop open the current page in a new window to hide what you're about to do from the user, (2) invoke history.back() in the "parent" window, and (3) read the URL from window.location
And, while I don't want to send the wrong message about this (because I think you should use language like this to communicate security to end-users), your security language addresses none of my concerns as a security practitioner. What's being stored in bookmarklets in my browser? If I, as an attacker, can read bookmarks from your browser, I have all your passwords, or something that equates to them? What's being encrypted? How?
I wanted to share it on HN to get feedback regarding implementation, and I got positive feedback (thanks!). Perhaps business-wise it's not such a great idea, but it wasn't my goal.
The bookmark only stores the encryption key. Even if you get hold of someone's encryption key, it's useless because you don't know their PassKey username and password (to get into the database).
- ability to store passwords for non-web services
- automatically generate passwords based on certain rules (ie always 6 digits)
- have an API to fetch/store passwords
- have a browser plugin instead of a bookmarklet (I don't use the bookmark bar in chrome)
> ability to store passwords for non-web services
That's not what PassKey was built for. My main goal was to provide 1-click sign in. Web app (which PassKey is) won't be able to sign you in to, say, Skype client. It's technologically impossible.
> automatically generate passwords based on certain rules (ie always 6 digits)
That might be an interesting tool within PassKey and I may consider it.
> have an API to fetch/store passwords
That's an interesting idea. If there's enough interest I may provide an API to fetch/store encrypted passwords. Encryption/decryption would have to happen on API client level for security reasons (ie I don't know the decryption key).
> have a browser plugin instead of a bookmarklet (I don't use the bookmark bar in chrome)
That defeats my goal to make it a "nothing to install" app.
Bottom line: PassKey was created purely to give you a button in your browser that you click on and it signs you in to the website you're on. Nothing more.
Thanks for your input!