Today I was playing a bit with ‘useless stuff’ like Client Certificates, S/MIME email encryption, email certificates, passwordless ideas, and static web generators.

Aaaand also learning Ruby with the fantastic series of books Head First (I learned C#, I think, in 2008)

Was a nice Tuesday, he

@eaplmx@twtxt.net @prologic@twtxt.net If you’re interested, I built my own deterministic password manager solution, entirely client side as a PWA. It’s called Vector Pass.

The login form is only used to generate a token and to store the data locally, absolutely no information is sent outside of the app.

I mainly built it for myself, and it does not depend on any external library except for the UI management. There’s an option to store data using a technique taken from here.

It also features things like generating throwaway email accounts and PINs, and it can generate a TOTP code from the key of the service.

Everything can be exported and imported via JSON or arbitrary URL.

Right now it’s not welcoming for new users but I’m working on it, I’ll make the source public once I get some things right and polish it a bit.

I’m also planning to have a compatible CLI version but right now I’m focusing on the PWA.

@prologic@twtxt.net Thanks! Well, a vaultless password manager is not ‘passwordless’ but I get your point. Not having to actually remember a password.

I’ve been playing with https://spectre.app although I think having to remember a Master Password + your accounts makes it difficult to use for the average user. You have to remember how exactly the username is stored, or… Having a vault again.

I’m thinking more of getting a dynamic password, like a 9-digit OTP or similar, with seeds/keys stored in some device, like we actually do for 2FA/TOTP. It wouldn’t be a two-factor authentication, so I’m going around in circles.
Also, I’ve heard of OPAQUE as a way to avoid transmitting passwords, but that’s another topic https://ctrlc.hu/opaque/

And lastly (for my 280+ character twt), I like WebAuthn with multiple implementations. Perhaps with the support of OS designers, it would be easier for users https://www.wired.com/story/apple-passkeys-password-ios16-ventura/ https://docs.microsoft.com/en-us/windows/security/id

@justamoment@twtxt.net Thanks! So far it’s looking awesome. Congrats on making it with PWAs, it has been an idea from my side, but haven’t found time to do it. Kudos for including OTPs.

If I can suggest something, I started changing my passwords to passphrases, since these are easier to type in some situations when I can’t copy-paste them, and due to the length/entropy they should be more secure,

from
SHCFELe-WpSjR*Zv9VCaFqc2t%Wq7HAvjrG?Ug6mB
to
Empathy-Move-Busybody-Tamper9-Curdle-Kilowatt-Vest-Unsaved

I’ve seen BIP39 from the cryptocurrency world for deterministic creation of the phrase, but perhaps there is some open alternative for it https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
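As an added example (not code from the original post, and not the BIP39 reference implementation): the helpers below make the entropy comparison from the post explicit, pick a random passphrase with the CSPRNG the way a diceware-style generator does, and implement the deterministic BIP39 mapping the post links to (entropy, then a SHA-256 checksum of ENT/32 bits, cut into 11-bit indices into a 2048-word list), including the checksum check on decode that catches a mistyped word. `DEMO_WORDS` and the 2048-entry `stand_in` list are constructed placeholders, not the real word lists; the BIP39 index arithmetic itself follows the spec and round-trips against its all-zero test vector.

```python
import hashlib
import math
import secrets

# Constructed stand-in wordlist for the demo; a real diceware list has 7776
# entries and the BIP39 English list has 2048.
DEMO_WORDS = [
    "empathy", "move", "busybody", "tamper", "curdle", "kilowatt", "vest", "unsaved",
    "anchor", "bishop", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def words_needed(wordlist_size: int, target_bits: int) -> int:
    """Smallest word count whose passphrase reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_passphrase(words, count: int, sep: str = "-", capitalize: bool = True) -> str:
    """Pick `count` words uniformly with the `secrets` CSPRNG (never `random`)."""
    chosen = [secrets.choice(words) for _ in range(count)]
    if capitalize:
        chosen = [w.capitalize() for w in chosen]
    return sep.join(chosen)


def bip39_indices(entropy: bytes) -> list[int]:
    """Deterministic BIP39 encoding: entropy || checksum, cut into 11-bit word indices.

    The checksum is the first len(entropy)*8/32 bits of SHA-256(entropy), so a
    changed or mistyped word is detected on decode.
    """
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(combined >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def bip39_entropy(indices: list[int]) -> bytes:
    """Inverse of bip39_indices; raises ValueError when the checksum does not match."""
    total = len(indices) * 11
    ent_bits = total * 32 // 33          # 132 bits -> 128, 264 bits -> 256
    cs_bits = total - ent_bits
    combined = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("word index out of range")
        combined = (combined << 11) | idx
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if combined & ((1 << cs_bits) - 1) != expected:
        raise ValueError("BIP39 checksum mismatch (a word was changed or mistyped)")
    return entropy


def bip39_phrase(entropy: bytes, wordlist) -> str:
    """Render the indices as words; any 2048-entry list works, BIP39 or your own."""
    if len(wordlist) != 2048:
        raise ValueError("BIP39 needs a 2048-word list")
    return " ".join(wordlist[i] for i in bip39_indices(entropy))


if __name__ == "__main__":
    print("41 random printable chars:", round(entropy_bits(94, 41), 1), "bits")
    print("8 BIP39 words:", entropy_bits(2048, 8), "bits")
    print("words for 128 bits (7776-word list):", words_needed(7776, 128))
    print("random passphrase:", random_passphrase(DEMO_WORDS, 6))
    # Constructed 2048-entry list so the deterministic path runs offline.
    stand_in = [f"w{i:04d}" for i in range(2048)]
    print("deterministic phrase:", bip39_phrase(secrets.token_bytes(16), stand_in))
```

The two paths answer different questions: `random_passphrase` is for a password you will type by hand, where the entropy is words × log2(list size) and nothing else; `bip39_indices` is for turning a secret you already hold (a seed, a key) into words you can read back deterministically, where the words add no entropy and the checksum exists only to catch transcription errors.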

@mckinley@twtxt.net Sounds like an interesting project!

I didn’t know about v3 addresses, so I don’t know the details other than
The address is "the first 80 bits of the SHA-1 of the 1024-bit RSA key"

So, did the keyphrase work for the conversion? Perhaps you could use the BIP39 word list (with 2,048 instead of 65,536 from keyphrase)
