5 comments

[ 67.5 ms ] story [ 642 ms ] thread
If you are the owner of the site may I make a single recommendation. In the domain field set the casing to all lowercase. Depending on the device fields like that want to start with a capital letter, thus changing the output password.
Am I missing something?

It would seem to me that knowing the specter secret key and the “login id” then exposes the password that then is “fixed” and cannot be changed without breaking other aspects.

In a world where we’re moving to passkeys and hardware based authentication, why is this even a thing? It just seems a huge step backwards.

How is this not "use the same password on every site" but with extra steps?

Seems like the "Spectre secret" is a massive risk given that compromising it once without detection would compromise EVERY PASSSWORD THAT USER USES, even ones that didn't exist when the secret was stolen.

Followup question: how does Spectre plan to prevent malicious SEO-squatting like we already see in the cryptocurrency space? If this was used widely, I'd assume that the search results for "compute Spectre password" would be 100% stuffed with sites that capture the secret...

> Seems like the "Spectre secret" is a massive risk given that compromising it once without detection would compromise EVERY PASSSWORD THAT USER USES, even ones that didn't exist when the secret was stolen.

All password managers have a single point of failure: the master password. This is why 2FA is crucial. Spectre/Master Password doesn't have 2FA, but you can turn it on with all the accounts you have so there is at least that.