Cake day: Jul 09, 2023

It’s not the legal name, it’s whatever you want it to be, or your name with a salt. There is no requirement for the “user” and “site” fields to be your name or your webpage’s name; you just need to remember your pattern. Your user could be a complex password too. Your sites could have another complex password preceding them. Your website format could even be preceded by another generative password. E.g. getting my Lemmy creds would look like: pwd: sup3rs3cure%, user: w0ntc4tchm3^, website: Naqm3~KinoZiju.lemmy, which is not my actual email, nor my display username here, nor the actual plain URL of the website. Good luck getting any other website password if “sup3rs3cure%” is leaked, which is hardly possible as it is never uploaded anywhere.


It says about Spectre:

With these 2 password managers, if I know your master password, all I need to do is to find your username/email address (which is trivial cuz usernames are public and email addresses are not confidential), and I can derive every single password you have and completely mess you up

But you clearly must not use your email as your “user”, and you can also salt your “website” too. E.g.: I am James Williams, email: jimmyw@gmail.com, and I want a password for lemmy.world. If your Spectre usage is user: jimmyw@gmail.com, master password: mydogsname99, site: lemmy.world, your master password leaking might be dangerous. But if you generate your passwords in the form of user: James MyMagicSalt Williams, password: ASuperCrazyMasterP455w0rdW1th1337, and website: anotherOfMySalts.lemmy.world, there is nothing wrong with someone getting your master password; good luck getting any real passwords from it. You would need to be straight-up keylogged and be inputting the 3 settings while somebody knows you are doing it, in order to make sense of the keylog.


Once your master password gets leaked, attackers would also need to know:

  • the master “user” (basically a second password)
  • the website/app name pattern you use (basically a third password)
  • which algorithm or password generator you are using, and in what setup/config/
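Added example, not the commenter’s code and not Spectre’s real algorithm: a simplified Spectre-style deterministic generator in Python that shows why the salted “user” and “site” fields behave as extra secrets, since the master password on its own reproduces nothing. The charset, the KDF parameters and all sample values are my own assumptions.

```python
import hashlib
import hmac

# 64 symbols so that `byte % 64` maps every byte value equally often (no modulo bias).
# Ambiguous glyphs (I, O, l, 0, 1) are left out. Assumed charset for this demo only.
CHARSET = ("ABCDEFGHJKLMNPQRSTUVWXYZ"
           "abcdefghijkmnopqrstuvwxyz"
           "23456789"
           "!@#$%^&")
assert len(CHARSET) == 64


def master_key(user: str, master_password: str) -> bytes:
    """Slow, memory-hard KDF over the master password, salted with the 'user' field.

    Because the user string is part of the salt, a different user string yields an
    unrelated key even when the master password is identical. That is what makes
    the salted 'user' act as a second secret. (Simplified Spectre-like construction,
    not Spectre's actual parameters.)
    """
    salt = b"demo-v1:" + user.encode("utf-8")
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def site_password(user: str, master_password: str, site: str,
                  counter: int = 1, length: int = 16) -> str:
    """Derive a per-site password from (user, master password, site, counter).

    The site string is salted by the person too ("anotherOfMySalts.lemmy.world"),
    so guessing the plain domain gives an attacker nothing. The counter lets a
    single site password be rotated without changing the master password.
    """
    key = master_key(user, master_password)
    seed = hmac.new(key, f"{site}:{counter}".encode("utf-8"), hashlib.sha256).digest()
    return "".join(CHARSET[b % len(CHARSET)] for b in seed[:length])


def demo() -> tuple[str, str]:
    """Constructed sample values (nobody's real credentials).

    Returns the real derived password and what an attacker gets when they know the
    leaked master password but only the obvious email and plain domain.
    """
    master = "ASuperCrazyMasterP455w0rdW1th1337"
    real = site_password("James MyMagicSalt Williams", master, "anotherOfMySalts.lemmy.world")
    guess = site_password("jimmyw@gmail.com", master, "lemmy.world")
    return real, guess
```

Running `demo()` makes the commenter’s point concrete: the two results share no structure, so the leaked master password alone is useless without the other two inputs and the exact generator setup.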

Stopped reading at “storing my passwords on a db”. Even if you encrypt the data, is it not just plain better to use a generative algorithm for passwords instead that needs no cloud? Why would you even introduce the vulnerability yourself of storing passwords somewhere in the first place? Keep it simple, you don’t want to over-engineer yourself to death, especially if you are actually downgrading your security by building too far ahead of what you actually need.