Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think these concerns are slightly misleading. 2., 3. and 4. boil down to 1.

1. is a problem. If one password is compromised it is possible to brute force the master password. This is mitigated by a key-derivation function.

2. is also mitigated by a key-derivation function. Also you still need to test the guesses, which requires knowing one password or trying to log into a website. The second option should be equivalent to compromising one password via brute force.

3. is not true, they need to know a password or try to log into a website for every guess.

4. Again, this is only true if one site password is compromised.



You are assuming that the site is not evil.


The site being evil is equivalent to the password being compromised.


And the password is the hash of the master password, which gives the evil all other passwords.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: