8 comments

[ 2.9 ms ] story [ 22.8 ms ] thread
I'm still not sure if this idea is any good. Let me know what you think.
The obvious problem with this is that the user has to trust passwd.io. Even upon auditing the website's code, it could change the next time the page is accessed. Not only does the user have to trust passwd.io, they have to trust that passwd.io doesn't get hacked. This is a fundamental problem with a web-based solution.
Yes, that's true. I've thought about that a lot. Maybe the solution is something like a third party monitoring the client side code or something.
What if you rely on the service to know all your password and you only know your key to the service .. and then somebody manages to take over your account (getting access to your mail address) and to delete all your data?

That would be not as bad as him knowing your passwords, but still inconvenient.

This might sound stupid, but the most straightforward solution I can think of is to back up the passwords locally every now and then.

Some background: I wrote this to scratch my own itch. I have really secure passwords, and different ones for every site I use. I keep those in a Truecrypt container, which is stored on my Dropbox.

That's secure, but it's not convenient. I simply can't securely access my passwords while on the road, e.g. from a friends computer or from my iPhone. I would always have to install Truecrypt and get the image file from Dropbox etc.

I wanted something with a true zero setup. I can still back up the passwords to my Dropbox Truecrypt image once per week.

(comment deleted)
Hey, that's a lot like what I built--and from the comments so far, the gripes about having to trust that the files are not modified would also apply to Cryptasia (http://www.cryptasia.com).

Having to trust that the site won't be hacked is an interesting problem--I suppose both our projects could be made more Trustworthy if users had a separate service that ensures that files served by the website don't change... a Chrome extension might be an interesting way to do this validation. Sounds like another weekend task :)

Anyway, cool project!

Indeed, looks like we found a problem worth solving :)

Edit: cryptasia is a really clever idea, kudos!