4 Fatal Flaws in Deterministic Password Managers
Date: November 22 2016
Source 1: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers
Abstract or Summary:
Wouldnít it be nice if your password manager didnít need a database? Instead of synchronizing a password vault between your devices, you could use the magic of cryptography to magically transform a master password into a unique password for each site.
There have been a numerous and ever growing implementations of this idea. Much of the marketing material for these tools talks about how using a deterministic scheme allows "sync-free" operation, is "more secure" than a password vault, and often that itís a newer idea than encrypted password vaults.
In this post, I will argue that you canít practically provide "sync-free" operation without making your password manager unusable, how using a deterministic scheme harms security, and how itís actually an old idea which never caught on for good reasons.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.