D-Nice's comments

D-Nice | 4 years ago | on: 1password is considering a self-hosted option to store vaults

Vaults, self-hosting, all these needless complications imo for what should be simple. Just give me a secure deterministic password from a website address + master pass combo.

That's exactly what my project, https://app.srspass.com aims to do.

Even though I have a super redundant NAS setup, I'd really hate to depend on a vault and have it all disappear due to some disaster. With SrsPass, I just remember one password, have a recovery/backup phrase written somewhere that it gives me, which adds 128 bits of entropy to each generated password, and boom, that's my password manager. Stateless, deterministic, and by using argon2id, the PHC winner, on the client side, it is doing what most password backends should be doing but often aren't: strong, memory-hard password hashing.

D-Nice | 4 years ago | on: Cloudflare’s CAPTCHA replacement with FIDO2/WebAuthn is a bad idea

Why is every TOR and sometimes VPN user deemed a DoS attack? It discriminates against users who value privacy by forcing hCaptcha on them by default. Worst of all, it could be a de-anonymization attack as well, which is why I, as a regular TOR user, just exit the page immediately when that happens.

For any of my pages that do happen to use Cloudflare, I am luckily able to disable this discrimination in the CP, so kudos for that at least, but terrible defaults imo.

D-Nice | 4 years ago | on: A future without passwords

It's a definite improvement, and good point indeed regarding phishing... just as your answer precludes, a whole different authentication mechanism is needed to avoid phishing, that is why unfortunately that couldn't make my list. However, it does protect your other accounts from getting breached if one is either phished or breached, which I considered to be good enough.

WebAuthn does have its own issues and complications, mainly with how to handle account recovery on a lost or corrupted device. Sure, you can have a replacement device, as you and I likely try to do for most things; however, this is too burdensome for many.

I think the biggest issue with any new spec like WebAuthn is vendor adoption. As is... many banks fail to have any 2FA, and those that do give you the terrible choice of SMS 2FA. In addition, they have odd and archaic password requirements, such as only these symbols, and only up to 20 characters, etc... If they have failed to rectify these in the last 2 decades, I'm afraid of how far in the future realized use of something like WebAuthn is. Hence I made SrsPass as, hopefully, a solution to today's password problems, the ones I considered sanely resolvable.

D-Nice | 4 years ago | on: A future without passwords

As someone whose main project surrounds passwords, I could appreciate a future without passwords, because I consider most existing solutions to be quite poor.

However, this feels more like having your sheep be herded by a fox...

Many here have already mentioned great points retorting this, so I won't beat a dead horse.

I will take the selfish opportunity to mention what my solution is that I'm working on: https://app.SrsPass.com

There are some rudimentary docs with a spec outline for those interested. But to sum it up, I share the same fears as others here of one device being some ultimate honey pot, or even worse, losing everything I have due to corruption or losing a/all devices where your pass vaults are when it comes to traditional managers. (Mind you, this is coming from someone who runs a RAID-Z3 NAS in multiple offsite locations.)

Basically, to keep it simple, I required the following aspects:

- Available-source or Open-source (duh)

- Accessible on just about any device with a CPU, ARM/x86, etc.

- Vaultless & as stateless as possible

- No cloud, works completely offline

- Uses modern cryptography with sufficiently strong parameters

- Requires only one password to memorize

- Has uncrackable generated passwords (aka not feasible to crack in a long time period such as with 128 bits of entropy).

I believe SrsPass already meets all those aspects. That is not to say that there aren't more features being worked on (the workboard is essentially public); however, I think you'd be hard-pressed to find a more secure (when you build & run it yourself) and accessible password manager than it.

D-Nice | 5 years ago | on: The political case for a blanket cryptocurrency ban

This reads like an April Fools joke, and I'll give the author the benefit of the doubt on that one as the author's company literally works in the cryptocurrency space, except they apparently refer to themselves as a cryptoledger. So it seems like a troll post... Otherwise this makes for some terrible irony.

Or the other case could be that they feel they've lost out on investment, due to the fact that openness and decentralization are leading the charge in blockchain/cryptocurrency technologies, while he's trying to come up with a privatized solution... and why accept private when there are better and more established open alternatives already leaving their marks, no pun intended.

D-Nice | 5 years ago | on: Fighting cryptojacking and doing good things with content security policies

Run noJS by default with something like uMatrix/uBlock Origin, and never worry about this or similar problems again.

All parts of a page for me, even 1st party, have JS disabled... you'd be surprised, most useful ones work completely fine like that and things load much faster. There are exceptions that do actually need it, and if I trust them, I'll enable 1st-party JS via uMatrix.

D-Nice | 5 years ago | on: Google Cloud vs. AWS Onboarding Comparison

Sigh, I remember a similar experience. It was a third-party rep they pushed us to, but we would be asking for ways to re-architect one thing we already had set up on AWS, and all they would do is just try and upsell us on random offerings that clearly did not resolve our specific needs.

Some European-based customer apparently had a requirement, if we engaged with them, that our service be offered via an acceptable vendor such as GCP (for some reason AWS apparently wasn't), but it was such a nightmare to even prod about an architecture that would have feature parity with AWS that it wasn't even worth it. Also, as an FYI, I'm no AWS fanboy; I don't use it in any of my own projects, to avoid the vendor lock-in this company suffered from.

D-Nice | 5 years ago | on: Why we are still using PBKDF2-SHA256 despite being aware of its limitations

Try srspass.com which runs argon2id in the browser. Takes about 3 seconds on my ARM phones for the unlock, which uses quite heavy argon2id parameters, above the recommended memory and iterations.

I don't think a 3s wait per session, for greater security, and that on an unoptimized device, is going to break UX.

D-Nice | 5 years ago | on: Why we are still using PBKDF2-SHA256 despite being aware of its limitations

I completely agree on server-side derivation being flawed, which is why I made SrsPass, which derives child passwords for you client-side that you can use across accounts, and ensures that even if you end up making a password on a shitty site that stores your credentials in plaintext, it won't compromise your master key, as it's 128-bit salted.

D-Nice | 5 years ago | on: Good Bye LastPass Free?

LastPass has essentially put a gun to the head of its free users. It has probably gained much traction by offering a free service. Yet now, as it isn't actually FOSS, they are able to make a change to its model that you can do nothing about. It leaves you with a few options, all worse than the current situation:

- If you want to continue using the service, as you have, you must start paying up.

- If you wish to continue using LastPass for free, you can only continue using it on either computers or tablets. A completely unnecessary barrier simply meant to on-ramp you as a paying customer, or get you off the platform as a freeloader.

- If you wish to continue using another pass manager service for free, you will likely have to remake all your passwords there, and spend possibly hours or days changing all your account credentials over to this.

They have employed a strategy of duress on existing free customers to make them pay. With FOSS, this would be possible too, to be fair; however, there's an easy remedy. Existing users could choose to continue using the current free software as is, since they have access to the code, without this needless feature barrier that was introduced. Any security-conscious person should not use these proprietary closed-source systems in the first place, but this occurrence should clarify why non-FOSS models are absolutely terrible for users, in every possible way...

This is why the pass generator/manager I'm working on, which is very different from existing ones and is instead based solely on cryptographic principles such as those of crypto HD wallets, rather than vaults, is FOSS.

It's at https://app.srspass.com and under continuous development. I've used a system such as this to handle my accounts for years, and have wanted for a while to release it. You don't have to worry about it working on either a phone or computer... it literally works anywhere, as it's a PWA, and it doesn't need to store any of your passwords anywhere; they are deterministically generated based on your inputs.
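
The scheme sketched across the SrsPass comments above (one memorized master password, a written-down backup phrase that contributes 128 bits of entropy, memory-hard hashing on the client, and per-site passwords derived deterministically like child keys in an HD wallet) is easy to mis-build, so here is an added, self-contained Python illustration of the general pattern. It is not the project's code and does not follow the SrsPass spec: the alphabet, password length, KDF parameters, hostname normalization and HMAC-based child derivation are all this example's own assumptions, and scrypt from the standard library stands in for the argon2id the comments describe because argon2 is not in the stdlib. The sample backup phrase is a constructed constant, not a real secret.

```python
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlparse

# Constructed parameters for this demonstration; the real SrsPass spec at
# https://docs.srspass.com/tech/ defines its own alphabet, KDF parameters and encoding.
ALPHABET = string.ascii_letters + string.digits + "-_"  # 64 symbols, 6 bits each
PASSWORD_LEN = 22                                       # 22 * 6 = 132 bits >= 128 bits
DEMO_BACKUP_PHRASE = "00112233445566778899aabbccddeeff"  # constructed, NOT a real secret


def new_backup_phrase() -> str:
    """The 128-bit secret the user writes down once (32 hex chars here; a real
    tool might present it as a word list). It is the salt for the master key."""
    return secrets.token_hex(16)


def derive_master_key(master_password: str, backup_phrase: str) -> bytes:
    """Memory-hard stretching of the master password, salted with the backup phrase.

    scrypt (hashlib, stdlib) stands in for the argon2id the comments describe,
    because argon2 is not in the standard library. The cost below is deliberately
    modest (about 16 MiB) so the demo runs in well under a second; a real tool
    would use much heavier parameters, as the comments note (seconds on a phone).
    """
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=bytes.fromhex(backup_phrase),
        n=2**14, r=8, p=1,
        dklen=32,
    )


def normalize_site(site: str) -> str:
    """Reduce a URL or bare hostname to a lowercase hostname so that
    'https://Example.com/login' and 'example.com' derive the same password."""
    if "://" not in site:
        site = "https://" + site
    host = urlparse(site).hostname
    if not host:
        raise ValueError(f"cannot extract a hostname from {site!r}")
    return host


def site_password(master_key: bytes, site: str, counter: int = 0) -> str:
    """Deterministically derive one site's password from the master key.

    HMAC-SHA256 keyed with the master key acts as the one-way 'child key'
    derivation: a site that leaks this password in plaintext reveals only
    HMAC output, not the master key, and the counter lets the user rotate a
    single site's password without touching the master secret.
    """
    info = f"{normalize_site(site)}\x00{counter}".encode("utf-8")
    digest = hmac.new(master_key, info, hashlib.sha256).digest()
    bits = int.from_bytes(digest, "big")  # 256 bits available, 132 used
    chars = []
    for _ in range(PASSWORD_LEN):
        chars.append(ALPHABET[bits & 0x3F])  # consume 6 bits per character
        bits >>= 6
    return "".join(chars)


if __name__ == "__main__":
    key = derive_master_key("correct horse battery staple", DEMO_BACKUP_PHRASE)
    for url in ("https://example.com/login", "example.com", "example.org"):
        print(f"{url:28} -> {site_password(key, url)}")
    print("rotated                      ->", site_password(key, "example.com", counter=1))
```

The two-stage split is the point: the expensive, salted KDF runs once per session (the "unlock" the comments time at a few seconds on a phone), and every per-site password is then a cheap one-way function of the resulting key, so nothing has to be stored and a single leaked site password does not lead back to the master password. A real deployment would also have to pin down hostname normalization and the output encoding precisely, since any change to either silently changes every generated password.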

D-Nice | 5 years ago | on: Changes to LastPass Free

Speaking of competitors and alternatives to this: I've used a version of my own for years, and have recently started working on a FOSS password generator and manager called SrsPass.

Would love feedback on it, and it has an open spec, so you don't need to dig into the code itself to at least get a high-level overview of how it works, and at the same time it gives anyone else the power to reimplement the spec:

https://app.srspass.com for the app available as PWA

https://docs.srspass.com/tech/ for a tech overview

I have received complaints about the current unskippable setup process being somewhat cumbersome, and one of the things at the top of the list to improve that experience is allowing a quick setup, essentially postponement of saving the backup phrase to a later time, although I'm still deliberating on a safe implementation of it.
