I finally released : Pain-free Passwords 2.2.0! Get it here: pfp.works/

This is a major one, lots of improvements here. The most noticeable one is the user interface; the tab strip on the left should make it much easier to navigate.


It's a neat idea and I respect your work.

However, isn't this in general a bad idea and not really a password manager?

: "Most passwords never stored but generated when needed"

I'm no but _generating_ or in this case aka _storing_ passwords like this is inherently insecure?

@sillystring It all boils down to the password derivation algorithm that you choose, weak master passwords should not be too easy to guess. I wrote about it here: palant.de/2016/04/20/security- - and most password generators indeed didn't perform well. PfP was called Easy Passwords back then and used PBKDF2, we now upgraded to the more secure scrypt algorithm.


@sillystring In the end: yes, generating passwords will always have this additional attack vector, as opposed to merely storing them. However, with a proper derivation algorithm and a master password that isn't "password1" the risk here will be very low, particularly if compared to the other risks password managers are exposed to. Yet the gain when you need to recover your data is massive and outweighs the risk by far.
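
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not PfP's actual scheme: a site password is derived from the master password with scrypt, and the only way to test a master-password guess against a leaked site password is to repeat that derivation. The salt layout, output alphabet, scrypt parameters and word list are assumptions made for illustration.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed charset)

# Assumed scrypt cost parameters, not PfP's real settings.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024)


def derive_password(master: str, site: str, user: str, length: int = 16) -> str:
    """Deterministically derive a site password; nothing is stored."""
    # Hypothetical salt layout: site and user name separated by a NUL byte.
    salt = f"{site}\0{user}".encode()
    raw = hashlib.scrypt(master.encode(), salt=salt, dklen=2 * length, **SCRYPT)
    chars = []
    for i in range(length):
        # Two bytes per character keeps the modulo bias small (65536 % 62 == 2).
        value = int.from_bytes(raw[2 * i:2 * i + 2], "big")
        chars.append(ALPHABET[value % len(ALPHABET)])
    return "".join(chars)


def master_in_wordlist(leaked: str, site: str, user: str, wordlist) -> bool:
    """Audit check: does any known-weak master password reproduce `leaked`?

    Every candidate costs one full scrypt evaluation. That per-guess cost,
    together with the entropy of the master password, is the whole defence.
    """
    return any(
        derive_password(word, site, user, len(leaked)) == leaked
        for word in wordlist
    )


# Constructed sample data: a tiny list of well-known weak passwords.
WEAK_MASTERS = ["123456", "password1", "letmein"]

if __name__ == "__main__":
    site, user = "example.com", "alice"  # constructed values
    weak = derive_password("password1", site, user)
    strong = derive_password("tundra-velvet-orbit-quench-lamp", site, user)
    print("weak master recoverable:  ", master_in_wordlist(weak, site, user, WEAK_MASTERS))
    print("strong master recoverable:", master_in_wordlist(strong, site, user, WEAK_MASTERS))
```

Running `master_in_wordlist` against your own master password with a larger list of common passwords is a quick way to confirm it is not one an offline guesser would try first.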
