17
kiki
300d

Bipp — the CSS file that you include and your raw HTML instantly looks good, with animations and stuff. Already did v1 alpha, but I want to work on it more to grow it into Bipp UI and add UI components such as tabs, sliders and other common things.

Noo — the ultimately secure password manager that syncs your passwords across unlimited devices without any kind of network connection. Noo cannot be compromised without the attacker having full access to your browser or your computer. Already made it, just didn't launch it yet.

Hazmat — the browser extension that blocks subreddits from what you see on reddit. Again, made it together with Floyd, but never released it because I deleted my reddit account halfway through, because I was never even really using it, as it's nothing but a toxic wasteland.

Also, I want to explore WebRTC. I want to make a p2p video-call and file-sharing app.

Comments
  • 4
    Any link to Bipp? And how does Noo work? Sounds interesting, and slightly impossible.
  • 4
    Noo syncs without network? Can you scan a QR code or something to share items? Does it require a physical network connection?

    ...carrier pigeons?
  • 1
    @AlgoRythm it generates your passwords for you like this:
    hash(masterPassword + domainName)

    Yes, you can’t change passwords. It’s a proof of concept after all
  • 1
    @AlgoRythm when you want to add a second device, you enter a master password there, and voila, the same domain names will get you the same passwords (your passwords), and sync just happened without network
  • 2
    @kiki Hmmm... Something about that feels wrong... Perhaps it isn't, but it doesn't feel right... Too much pattern
  • 2
    @kiki
    Hmmm, it's true you avoided the problem with network sharing. But you introduced an even larger flaw in the form of master password guessing

    Consider this:
    1. A database with passwords leaks
    2. The attacker knows that some users use your password manager
    3. He can run an offline dictionary or bruteforce attack on a master password, he knows the domain name and just compares the resulting hash as normal
    4. If he finds a match, he has all your passwords now for all domains you use even though they are unique

    It will take him twice as long, because he needs to hash things twice (once your app hash, once server) but that is still subject to precomputed hashes and rainbow tables since you don't (and can't) use salting
  • 1
    Given that the domain name is obvious in case of a leak, the secret becomes simply your master password. Yes it's preventing simple credential stuffing, but if the attacker knows that you're using this scheme it's trivial to brute-force the master password.
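The scheme kiki describes (hash(masterPassword + domainName)) and the offline guessing attack laid out in the two comments above, written out as an added example. This is not Noo's code and was not posted by anyone in the thread. Assumptions: SHA3-256 stands in for "Keccak"; the breached site stored an unsalted SHA-256 of each user's password; the wordlist, domain names, usernames and master passwords are constructed. It also shows the salting point: because the domain is the same for every user of a site and there is no per-user salt, one precomputed table cracks every account in the dump.

```python
import hashlib


def noo_password(master: str, domain: str) -> str:
    """Site password as the thread describes it: hash(masterPassword + domainName).
    Assumption: SHA3-256 (standardized Keccak) over the UTF-8 concatenation; the
    post says only 'Keccak' and gives no encoding or separator."""
    return hashlib.sha3_256((master + domain).encode("utf-8")).hexdigest()


def site_stored_hash(password: str) -> str:
    """What the breached website kept on file. Assumption: unsalted SHA-256.
    A per-user salt would change only the cost, not the outcome: it leaks with
    the hash, so the attacker folds it into each comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_master(leaked_hash: str, domain: str, candidates):
    """Offline guessing attack on one account. The attacker knows the scheme and
    the domain, so the master password is the only unknown. Returns the
    recovered master and the number of guesses tried, or (None, n)."""
    tried = 0
    for guess in candidates:
        tried += 1
        if site_stored_hash(noo_password(guess, domain)) == leaked_hash:
            return guess, tried
    return None, tried


def precompute_table(domain: str, candidates):
    """Precomputed table for one domain. There is no per-user salt and the
    domain is shared by every user of the site, so the table is built once
    and reused against every account in the dump."""
    return {site_stored_hash(noo_password(g, domain)): g for g in candidates}


def crack_breach(dump: dict, domain: str, candidates) -> dict:
    """Map each leaked account to its recovered master password (or None)."""
    table = precompute_table(domain, candidates)
    return {user: table.get(stored) for user, stored in dump.items()}


# Constructed demo data (not from the page): a tiny wordlist standing in for
# a real dictionary, and a breach dump of one site's stored password hashes.
WORDLIST = ["123456", "password", "Password1", "letmein", "hunter2", "qwerty"]
BREACHED_DOMAIN = "example.com"
OTHER_DOMAIN = "bank.example"
MASTERS = {"alice": "hunter2", "bob": "Password1", "carol": "3y-Vq9#nZ0bx!wLp"}
DUMP = {u: site_stored_hash(noo_password(m, BREACHED_DOMAIN)) for u, m in MASTERS.items()}


def demo() -> dict:
    """Recover masters from the dump, then derive a different site's password
    from each recovered master: that is what 'all domains, even though they are
    unique' means in practice. Returns {user: (master, other_site_password)}."""
    recovered = crack_breach(DUMP, BREACHED_DOMAIN, WORDLIST)
    return {u: (m, noo_password(m, OTHER_DOMAIN) if m else None)
            for u, m in recovered.items()}


if __name__ == "__main__":
    guess, tried = crack_master(DUMP["alice"], BREACHED_DOMAIN, WORDLIST)
    print(f"alice: master {guess!r} after {tried} guesses")
    for user, (master, other_pw) in demo().items():
        print(f"{user}: master={master!r} -> {OTHER_DOMAIN} password={other_pw}")
```

Only carol, whose master is not in the wordlist, survives; the cost of the run is one SHA3 and one SHA-256 per wordlist entry regardless of how many accounts the dump holds, which is the amortization a per-user salt would normally prevent.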
  • 1
    @Hazarth @saucyatom it’s not feasible as the master password is only allowed to be long. I also use Keccak and not some shit like md5.

    Again, I agree, if your master password is leaked, you’re fucked. That’s why it’s only a proof of concept and not a product that is released upon general audience who use “Password1” as their password for every service they use, including banking.

    I personally use 2FA with authenticator for every website that allows it. If not, I use 2FA with email.
  • 1
    I'm using this now.
  • 2
    I see. So you've invented a hashing service based off one master password and some salt.
  • 1
    Sounds like the trick of appending the domain to your normal password
  • 1
    @ScriptCoded that’s basically it but with Noo, your actual master password can’t be decoded from your website password that easily
  • 0
    Thinking through your proof of concept with Noo:
    - If you were to pick a Noo "username" in addition to your master password, does that provide an additional "salt" that wouldn't normally be part of the domain and master password? 🤔
    - Additionally, if you add a "Method" selection that in effect (under the hood) lets the user pick the order in which keys are hashed together for the password, you introduce another element that increases the combinations significantly.
    - Third: Hash twice or more... first time, it's the elements of user data, subsequent hashes are a hash of the first hash. Let the user pick that number or bake in some presets into the method selection.

    Overall, I think it is a unique concept.
  • 0
    @T3hbeowulf thanks!

    All three lie under the “security by obscurity” category, thus not secure.
  • 0
    @kiki all three are "something you know", equivalent security to password. None are security through obscurity.
  • 0
    @T3hbeowulf
    1. If the username is the same for all domains, it will not be any different than extending the password by the same length. If they're hashed separately it makes a small difference.
    2. Basically increases the complexity so much that it would go against the use-case (passwords on multiple devices without copying a keyfile).
    3. Letting the user supply a number for the hash rounds would make brute-forcing harder because of the increased computational complexity, but otherwise deriving this from the password would have the same effect (if the number was added to the password). A sane default would probably be better for ease of use.
  • 1
    Great work!

    I also like fast-image-zoom.