> 1. If I have to change my password for any reason, I would have to come up with a new secret key since the site/username would never change. Suddenly I'm stuck having to remember multiple secret keys.
Yep, just like you would with a normal password. Pashword is not a password manager replacement, it's just a helper for when you wanna generate strong passwords that you re-generate anytime.
> 2. Poor control over the length of the passwords - you only provide 3 options, and 20 characters is pretty low.
The point is to not remember the password length for each website, hence the 3 options.
> You can't exclude certain characters - yes, it's stupid for companies to not allow certain characters in the password, but many sites still do so.
You can, actually. Just press the 'Not working?' button :)
> 4. If I try to just put in an app name, you tell me to use a real URL.
Oh right, that's a valid point. I'll remove the domain requirement.
> 5. It was SLOW. Maybe it's just busy, but I'd rather not have to generate the password every time.
The algorithm is pretty computation heavy, to avoid brute force attacks even with ASICs. If you use Bromite, the privacy settings can cause issues with the website's cryptography algorithms.
> 6. Even people experienced in cryptography and hashing make mistakes. A product made by someone learning about them is... Suspect.
That's why it's open source and uses standard algorithms like Scrypt, SHA256, SHAKE256 to derive passwords. Pashword is a simple PBKDF algorithm at the end of the day.
> A password manager is 100% the better choice every time. For the people in my life who don't want to learn how to use a password manager, then a notebook at their desk at home is the second best option.
I agree that password managers are better but the second one is not good advice. I'd argue Pashword is a much better choice.
> You can, actually. Just press the 'Not working?' button :)
I'm not clear on how this works. It sounds like this submits a request to change the rules for the website in question. But what happens in the meantime when you want to get your password? Do you have to click that button and fill out the form each time, remembering the rules you submitted?
What happens if multiple people submit that form, but choose slightly different options, i.e. I say "length 15", but someone else says "length 14". Presumably, the site now generates the wrong password for one of those users, and they have to either reset their password, or remember what length they used and keep going through this dialog.
> The algorithm is pretty computation heavy, to avoid brute force attacks even with ASICs. If you use Bromite, the privacy settings can cause issues with the website's cryptography algorithms.
Couldn't you just derive a base key once, and keep it cached in memory for as long as the app is open? That is, do the slow thing to generate <expanded secret>, and then when you want the password for a given website, you just compute SHA-512("<expanded secret> news.ycombinator.com johndoe") to derive the password. It'd still be slow on first launch, but not if you're keeping the app open while you browse.
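The split suggested above (one slow stretch of the master secret per session, then a cheap per-site derivation), as an added example that is not Pashword's code; the salt, scrypt parameters, alphabet and function names are assumptions for illustration:

```python
import hashlib
import hmac

# Constructed sample inputs, not real credentials.
MASTER_SECRET = "correct horse battery staple"
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"


def expand_secret(master_secret: str, salt: bytes = b"demo-salt", n: int = 2 ** 14) -> bytes:
    """The slow step, done once while the app is open: stretch the master secret
    with scrypt (memory-hard, so ASIC/GPU guessing gains little). Parameters are
    illustrative; a real tool would fix them per version and tune n for its users."""
    return hashlib.scrypt(master_secret.encode(), salt=salt, n=n, r=8, p=1, dklen=64)


def derive_password(expanded: bytes, site: str, username: str,
                    length: int = 20, exclude: str = "") -> str:
    """The fast per-site step: HMAC-SHA-512 keyed with the cached expanded secret.
    HMAC (rather than hashing a concatenated string) keeps the secret and the
    site/username from ever being parsed ambiguously; NUL separators keep
    ("a", "bc") distinct from ("ab", "c"). Output bytes are mapped onto the allowed
    alphabet with rejection sampling so no character is favoured by modulo bias."""
    alphabet = [c for c in ALPHABET if c not in exclude]
    limit = 256 - (256 % len(alphabet))  # bytes >= limit are discarded
    out, counter = [], 0
    while len(out) < length:
        msg = f"{site}\x00{username}\x00{counter}".encode()
        for b in hmac.new(expanded, msg, hashlib.sha512).digest():
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
        counter += 1  # ask for another block if one digest was not enough
    return "".join(out)


if __name__ == "__main__":
    expanded = expand_secret(MASTER_SECRET)  # slow, once
    print(derive_password(expanded, "news.ycombinator.com", "johndoe"))
    print(derive_password(expanded, "example.com", "johndoe", length=32, exclude="!@#$%^&*"))
```

Note that `length` and `exclude` are part of the derivation input, so any change to a site's rules yields a completely different password; the rules themselves then have to be stored or remembered, which is exactly the problem raised with the rule-change form.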