Previous screenshot shows a minor improvement: website name is a link now. Here is one more: you can copy the user name from the password menu. Oh, and you can navigate both the password list and the password menu with arrow keys: https://pfp.works/documentation/keyboard-navigation/
The visible change: sync should now work with any server supporting the remoteStorage protocol (https://remotestorage.io/). The bigger but rather hidden change: sync protocol requires even less trust in the storage provider now, no tampering with the data should succeed.
Oh, and did I mention keyboard navigation being more convenient and working far more consistently now?
Full list of changes: https://pfp.works/release-notes/2.2.0/
It's a neat idea and I respect your work.
However, isn't this in general a bad idea and not really a password manager?
#PfP: "Most passwords never stored but generated when needed"
I'm no #mathematician but _generating_ or in this case aka _storing_ passwords like this is inherently insecure?
@sillystring It all boils down to the password derivation algorithm that you choose, weak master passwords should not be too easy to guess. I wrote about it here: https://palant.de/2016/04/20/security-considerations-for-password-generators/ - and most password generators indeed didn't perform well. PfP was called Easy Passwords back then and used PBKDF2, we now upgraded to the more secure scrypt algorithm.
@sillystring In the end: yes, generating passwords will always have this additional attack vector, as opposed to merely storing them. However, with a proper derivation algorithm and a master password that isn't "password1" the risk here will be very low, particularly if compared to the other risks password managers are exposed to. Yet the gain when you need to recover your data is massive and outweighs the risk by far.
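An added example, not part of the thread and not PfP's own code: a minimal generator that derives each site password from the master password with scrypt, plus a measurement of what one offline master-password guess costs at a low and a high cost setting. The scrypt parameters, the salt layout, the alphabet and all sample values are assumptions made for this sketch.

```python
import hashlib
import time

# Assumed parameters for this example only (not taken from PfP).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
# 64 symbols, so a byte modulo 64 maps onto the alphabet without bias.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789" "-_")


def derive_password(master, site, user, revision=1, length=16, n=SCRYPT_N):
    """Regenerate the site password from the master password; nothing is stored."""
    # The salt binds the output to one site, one account and one revision,
    # so bumping the revision yields a fresh password for the same login.
    salt = "\0".join((site, user, str(revision))).encode("utf-8")
    raw = hashlib.scrypt(master.encode("utf-8"), salt=salt, n=n,
                         r=SCRYPT_R, p=SCRYPT_P, maxmem=64 * 1024 * 1024,
                         dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def seconds_per_guess(n, runs=3):
    """Best-of-`runs` cost of testing one master-password guess at cost n.

    Anyone holding one generated password can test guesses offline, and each
    guess costs exactly one derivation, so this is the number the KDF controls.
    """
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        derive_password("guess", "example.com", "alice", n=n)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    # Constructed sample values.
    print(derive_password("correct horse battery", "example.com", "alice"))
    print(f"n=2**4 : {seconds_per_guess(2**4):.6f} s per guess")
    print(f"n=2**14: {seconds_per_guess(2**14):.6f} s per guess")
```

The per-guess time is the only thing standing between a leaked site password and a weak master password, which is why both the cost setting and the master password's strength matter.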