It sounds like a cool concept, but I can’t see anyone migrating to this service since there is no logical way to import your current passwords.
Am I missing something?
This is extremely impractical for daily password use. Not being able to ever change your master or the passwords to your sites is a deal-breaker for the security minded who wouldn’t even want the risk of an encrypted password wallet.
This seems like someone learned about key derivation functions and applied it to passwords. So with this system, it’s stateless and no passwords are stored (encrypted or not). You need 4 things to generate passwords:
- Your full name
- Spectre secret
- Site Domain
- Master password
This seems counter intuitive to the stateless nature, since at least one (the spectre secret) will need to be stored somewhere. For UX the full name probably would also be stored, and the site domain can be gotten via some API on password use. This leaves the master password as the only portion not stored, and on “unlocking” the database it would probably be stored on the users device for a period of time.
This also ignores some of the requirements of websites needing passwords (some support all characters, some only a-z0-9_, etc etc). If supported, this metadata would also need to be stored somewhere. The cons of not being able to change passwords are also a huge issue, as passwords should be changed often, or replaced with keys (which you also replace often!).
For attackers, this seems not much different than a database file. In most cases, they’ll already know two of the 4 (site domain and full name, especially in corporate environments). This leaves only the spectre secret and the master password doing the heavy lifting of security. This sounds a lot like a traditional password manager, where you have a master password, a database file, and an optional key file.
So the process to attack a traditional database system is to acquire the needed information (database file, master password/key file) and lookup the password (site domain/description). The process to attack spectre is to acquire the needed information (full name, secret, master password) and lookup the password (site domain/description). These have the same challenges of acquiring/brute forcing the master password and key file, and are essentially the same in the eyes of an attacker.
Overall I think passkeys will replace passwords, or something along that line. Keys have been used for a long time in security sensitive areas, can be swapped out easily and provide much more protection than a password when large enough.
Any “password” that cannot be revoked is a bad password.
This is also why biometrics are bad. You can’t replace your fingers, eyes, etc… These are good usernames.
I don’t think passwords have to be changed very often. When you use a password manager and 30-character randomly generated passwords (or why not 64 characters or even more if the site allows it) separately for each site. If there isn’t a breach: why should I change the password?
That’s a singly used, very complex password which only my password manager knows, changed against another singly used, very complex password which only my password manager knows.
If it is long enough, even brute force shouldn’t be a problem if someone is trying every single combination possible for 30 or more characters (where he doesn’t know how many characters he has to find). 🤷♂️
Often is probably a bad way to phrase it, but there is a reason TLS certificates are changed regularly. Generally this isn’t a big concern if you are the sole user and a set of known devices are used. Once you start handing passwords to others to use (such as is common in corporate environments) the problems begin to show. Resetting the password is just a surefire way to revoke access to anyone that may have had access that shouldn’t, for whatever reason.
You are correct though, that as long as the password isn’t being used on public terminals or in areas it might be compromised, it’s generally secure.
If my securely generated password to example.com gets leaked in a data breach, my only options are to ignore the leak or regenerate all my passwords with a new master password?
I don’t think this works for me.
So… you need a master password, you can not switch your master password, any password you generate can not be changed in case of leaks or ugly policies to change every X days. Plus, having access to your master password gives you access to every single password you ever created or will create.
I stay with a single master password with random passwords.
There are some things I’m missing.
What if I need or want a certain password length? Because a site only allows X or I want to have Y amount of signs.
What about the control over special characters in the password or not. Sometimes I need to generate passwords without any special character.
Where is the 2FA aspect? Sure there is no database with my passwords. But at least my DB is secured with username + password + 2FA code.
I still need to trust a website or app where I put my credentials in. Or is it 100% offline? Like I am with KeePass and/or selfhosted Bitwarden at home.
How do I change passwords without the need of keeping track of website name changes?
And just as a note, things like Bitwarden or KeePass are much more than only a password generator.
Extra note: we are heading towards a passwordless future with passkey etc. anyway.
This is often called a “stateless” or “generative” password manager, and while they do have some benefits they tend to be rather niche.
The main issue is losing the ability to easily change the master passwords as well as making it more difficult to deal with password requirements.
Also, for most users the sort of access needed to steal an encrypted password vault isn’t much different from what is needed to grab a master password as it’s being used, so the benefit is very limited.
I would absolutely migrate to this if there were a good Android app for it. The one that exists doesn’t seem to have support for Android’s password autofill system though.
Have been using a manual method of consistently generating passwords for a while now so given good app/browser extensions it’s a direct upgrade
I will stick with keepass. Seems interesting, but not my cup of tea
Seems interesting, but yeah I don’t see how it’d be possible to import existing passwords.
If I remember correctly, LastPass used to have a function where they’d go through your insecure passwords and automatically change them. Maybe Spectre could do something like that.
I have been using https://getvau.lt for years. It is really just a very small JS lib. No need for paying for complicated services in my opinion.
Seems like you’ve got it right, but I don’t think a lot of security minded folks who moved to a system like this would scoff at changing their passwords again.
All these people exchanging opinions and information about password manager options and me… Fumbling with the paper booklet I’ve been using to track my passwords for the last decade.
I actually see myself being able to use this password manager; although it really does require that you approach passwords with a much different paradigm.
1. Spectre requires 3 input values. A “Full Name”, a “Master Password” and a site name or domain name.
2. In order to manipulate the passwords provided you must manipulate these three values.
3. We can assume that “Full Name” is only changed or rotated when you are changing identities.
4. We can assume that “Site Name” is only different when you are logging into a different website.
5. We can assume that your “Master Password” or “Secret” is any old arbitrary string you choose.
Depending on the behavior of this generator we can always vary our input for #5 and maybe vary the input for #4. I don’t know if it allows us to manipulate #3 after initial input though.
If 3 and 5 are variable with each use and 4 is auto-detected through software means, and stapled to the domain name value, then we already have two factors of information and we can use two ‘passphrases’ to derive one. You could insert a nonce into your First Name or Master Password. Maybe you only change the nonce word in your Name when making accounts for different purposes and change the nonce word in your Secret when a site needs a new password.
Full Name: First <Nonce> Last (change the nonce to change the account selected)
Master Secret: Password <Nonce> (change the nonce only when you need to kill the old password)
You remember: the Name, the Secret, the Name Nonce and the Secret Nonce. (This compresses down to three things if the nonce is the same for both because the account has never been breached.)
If only 5 is variable after initial setup and 3 is written only once and 4 is automatically determined; we can still vary the input of that to increment the passwords. You just have to add a nonce value or counter to your master password:
MasterSecretHere <Nonce>
You remember: Master Secret and the Nonce. Maybe you have to remember if you’ve changed the Nonce for this website if it’s been breached.
If all three values are input to generate the password by you; then you have complete control over the generated password. You can insert your nonce into any, some or all of the values to change the desired password output.
You remember: all three base inputs; Full Name, Site Name, and Master Secret. You may use as many or as few nonces as needed and you can make them memorable.
(Maybe Bad) Nonce Examples: (Please; be more creative than these nonces; these are only here to explain things.) [Please note that all names, sites and passwords/secrets presented are fictional and used only for example purposes. Do Not Use any of these examples as your own password generation inputs]
First (assumes Name and Secret can be variable, but not Site Name)
- Full Name: Harry Muggle Dresden
  In this case we use ‘Muggle’ as a memorable nonce to select his “Muggle” or “ordinary accounts” for handling his real life stuff like bank passwords.
- Site Name: somewherenationalbank.com
  We assume this is set by his helpful browser plugin and he’s never had another account here, so we choose not to add any nonce here (if we even could).
- Master Secret: Abracadbra-Alpha
  Here we follow a simple nonce list, since we haven’t needed to change the password yet. But if for some reason the bank gets a wild hair up its rear end and requires a new password, we would just cycle through the list of nonces as follows: Alpha, Beta, Delta, Gamma, Iota, Kappa, Omega.

Second (assumes only the Secret is variable)
- Name: Harry Milford Dresden
- Site Name: spicymeatballsubsanywhere.com
- Master Secret: Alakazam!Alpha
  He knows those nasty heckers at the FBI have been trying to snoop on his secret sub orders… so he’s using a different Secret base, Alakazam!, to throw them off and prevent hacking. He would still just cycle through the list of nonces as follows, Alpha, Beta, Delta, Gamma, Iota, Kappa, Omega, if the password needs changing.

Third (assumes all three can be input at each password creation/retrieval)
- Name: Harry <Purpose> Dresden
  You see, he’s a Wizard; so for times he’s being a Wizard for a client he uses Wizard, when he’s enforcing magic law he uses Warden, and when he’s doing mafia work he’s using Winter to replace the <Purpose> token.
- Site Name: <Username>@<domainname.tld>
  This should be obvious, but this encodes his username and site name here.
- Master Secret: <Passphrase>:<nonce>
  Pretty easy; he has a different passphrase for each purpose, all secret of course, and if a site gets hacked he changes the passphrase; if a site just needs a new password he changes his nonce by just cycling through the list of nonces as follows: Alpha, Beta, Delta, Gamma, Iota, Kappa, Omega.
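As an added example, not code from this thread and not Spectre’s own implementation, here is a simplified Python generator that ties together the earlier description of the scheme (a key derivation function over full name, secret and site domain, with the site rules stored as metadata) and the nonce-cycling idea in the comment above. It goes a step beyond both: the "nonce" is a per-site counter, and a per-site template expresses character-set restrictions. The character classes, template strings, scrypt parameters and the `rotate_after_breach` helper are all assumptions made for illustration, not Spectre’s real algorithm or tables.

```python
import hashlib
import hmac
import string

# Character classes a site template draws from. These tables are constructed
# for this example; they are not Spectre's real template definitions.
CLASSES = {
    "C": "BCDFGHJKLMNPQRSTVWXZ",
    "c": "bcdfghjklmnpqrstvwxz",
    "V": "AEIOU",
    "v": "aeiou",
    "n": string.digits,
    "o": "!@#$%^&*()_-",
    "a": string.ascii_letters + string.digits,  # for sites that forbid symbols
}

# One template per password "shape". A site's restrictions pick the template,
# and that choice is state the user (or the app) has to keep somewhere.
TEMPLATES = {
    "long": "CvcvnoCvcvCvcv",   # 14 chars including a digit and a symbol
    "alnum": "a" * 16,          # 16 letters/digits, no special characters
    "pin": "nnnn",
}


def master_key(full_name: str, master_secret: str) -> bytes:
    """Memory-hard KDF over the secret, salted with the full name.

    The name is usually knowable by an attacker, so it acts only as a salt;
    the master secret carries all the entropy. Parameters are an assumption.
    """
    return hashlib.scrypt(master_secret.encode("utf-8"),
                          salt=full_name.encode("utf-8"),
                          n=2 ** 14, r=8, p=1, dklen=32)


def derive_password(full_name: str, master_secret: str, site: str,
                    counter: int = 1, template: str = "long") -> str:
    """Statelessly derive the password for `site`.

    `counter` plays the role of the nonce in the comment above: bumping it
    yields a fresh password for one site without changing the master secret.
    """
    key = master_key(full_name, master_secret)
    site_seed = hmac.new(key, f"{site}\x00{counter}".encode("utf-8"),
                         hashlib.sha256).digest()
    shape = TEMPLATES[template]
    # Each seed byte selects one character from the class named by the template.
    # `b % len(...)` has a small modulo bias: acceptable here, not for production.
    return "".join(CLASSES[cls][b % len(CLASSES[cls])]
                   for cls, b in zip(shape, site_seed))


def rotate_after_breach(full_name: str, master_secret: str, site: str,
                        state: dict) -> str:
    """Roll one site's password by incrementing its counter.

    `state` is the metadata that reappears even in a "stateless" scheme:
    which counter and which template each site is currently on.
    """
    entry = state[site]
    entry["counter"] += 1
    return derive_password(full_name, master_secret, site,
                           entry["counter"], entry["template"])


if __name__ == "__main__":
    # Constructed sample inputs, fictional and for illustration only.
    name, secret = "Harry Muggle Dresden", "Abracadbra-Alpha"
    state = {"somewherenationalbank.com": {"counter": 1, "template": "long"},
             "legacy-site.example": {"counter": 1, "template": "alnum"}}
    before = derive_password(name, secret, "somewherenationalbank.com")
    after = rotate_after_breach(name, secret, "somewherenationalbank.com", state)
    print("before rotation:", before)
    print("after rotation: ", after)
    print("alnum-only site:", derive_password(name, secret, "legacy-site.example",
                                              template="alnum"))
```

Running it shows the two things the thread argues about: the same inputs always reproduce the same password (nothing needs to be stored to get it back), and yet the moment one site is breached or restricts its character set, a counter and a template for that site have to be remembered, which is exactly the per-site metadata a conventional vault stores.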
@imaginary doesn’t seem to be that much of a novel concept. I was interested in such a password manager that generates your passwords each time you access it instead of storing them. Indeed, for some (probably security related) reason you have to change your passwords to every service you use.
Calling this “manager” seems a bit of a stretch. What exactly does it manage? It only seems to derive passwords. Unless I have a database I can search in (and get convenience shit like the information how old or weak existing passwords are or maybe even which sites have been compromised in the meantime), I would not call it a manager.