Ask HN: Feedback on my stateless password manager (no stored secrets)

Hi HN, I built a prototype password tool that never stores passwords or vaults. Instead, it derives them on the fly using:

* A hardware OpenPGP key (smartcard/YubiKey/etc.)
* User inputs (domain + login + a simple passphrase)
* Deterministic signing + KDF

So as long as you have the hardware key and the same inputs, you can always reproduce the same password. Nothing is stored locally.

Current status:

* Python CLI, pre-release v0.9.0
* Tested only on Windows 10 with RSA4096 keys
* Requires GPG installed
* English default + Chinese i18n (basic)

Limitations:

1. Not audited (research/PoC)
2. Only RSA tested
3. No GUI (TUI planned)
4. Not tested on other platforms
5. Some sites may reject the generated charset (You can edit, but it may cause a mess.)

Looking for feedback on:

1. Security flaws in this design?
2. Portability to Linux/macOS and non-RSA keys
3. Possible ways to use hardware keys without shelling out to GPG
4. Usability / UX ideas (TUI, i18n, etc.)

Links:

GitHub: https://github.com/biliyoyo520/paasword/
Blog: https://blog.yoyo250.fun/archives/coding/16.html

Thanks!
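The derivation pipeline the post describes (canonical user inputs, a deterministic signature from the hardware key, then a KDF and a charset mapping), as an added example that is not the project's code. It is offline and self-contained: the smartcard signature is replaced by an HMAC over a constructed secret, the field encoding, salt label, PBKDF2 parameters, default charset and domain normalisation are all my own assumptions, and the function and constant names are hypothetical.

```python
import hashlib
import hmac
import string

# Constructed stand-in for the smartcard private key. In the real design the
# hardware token computes the signature and this secret never exists on the host;
# the HMAC here only keeps the example runnable offline. (Assumption.)
HARDWARE_KEY_SECRET = b"constructed-stand-in-for-smartcard-private-key"

# Assumed default charset; a per-site override is the knob the post mentions.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def canonical_input(domain: str, login: str, passphrase: str) -> bytes:
    """Encode the three user inputs unambiguously before signing.

    Each field is length-prefixed so ("a", "bc") and ("ab", "c") cannot collide,
    and the domain is lower-cased so "Example.com" and "example.com" derive the
    same password. (Normalisation rules are an assumption of this example.)
    """
    out = b""
    for field in (domain.strip().lower(), login, passphrase):
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def hardware_sign(message: bytes) -> bytes:
    """Stand-in for the hardware signature (HMAC here, assumption).

    The property the whole scheme rests on: the same message must always yield
    the same bytes, otherwise the derived password is not reproducible.
    """
    return hmac.new(HARDWARE_KEY_SECRET, message, hashlib.sha256).digest()


def bytes_to_password(seed: bytes, length: int, charset: str) -> str:
    """Map a seed to `length` characters of `charset` without modulo bias.

    SHAKE-256 is used as an extendable output function; bytes that would bias
    the result are rejected, and the stream is simply lengthened if too many
    bytes were rejected (SHAKE output for a longer length is prefix-consistent).
    """
    n = len(charset)
    if not 1 < n <= 256:
        raise ValueError("charset must have between 2 and 256 characters")
    limit = 256 - (256 % n)  # largest multiple of n that fits in one byte
    digest_len = length * 2
    out: list = []
    while len(out) < length:
        stream = hashlib.shake_256(seed).digest(digest_len)
        out = [charset[b % n] for b in stream if b < limit][:length]
        digest_len *= 2
    return "".join(out)


def derive_password(domain: str, login: str, passphrase: str,
                    length: int = 20, charset: str = DEFAULT_CHARSET) -> str:
    """Full pipeline: canonical input -> hardware signature -> KDF -> charset."""
    signature = hardware_sign(canonical_input(domain, login, passphrase))
    # KDF step. The domain doubles as the salt so two sites never share
    # derivation material even if a signature leaked; iteration count and the
    # "paasword-v1:" label are constructed parameters for this example.
    key = hashlib.pbkdf2_hmac(
        "sha256", signature, b"paasword-v1:" + domain.strip().lower().encode(),
        100_000, dklen=64,
    )
    return bytes_to_password(key, length, charset)


if __name__ == "__main__":
    # Constructed sample inputs.
    first = derive_password("Example.com", "alice", "correct horse")
    again = derive_password("example.com", "alice", "correct horse")
    other = derive_password("example.org", "alice", "correct horse")
    print(first)
    print("reproducible:", first == again, "| site-separated:", first != other)
    # A site that only accepts digits, via the charset override.
    print(derive_password("bank.example", "alice", "correct horse",
                          length=8, charset=string.digits))
```

The stand-in hides the one check a real implementation must make when moving to non-RSA keys: the hardware signature has to be deterministic. RSA PKCS#1 v1.5 signatures are, and EdDSA (Ed25519) is by construction, but RSA-PSS and ECDSA include fresh randomness unless the token implements RFC 6979, so the same inputs would sign to different bytes and the password could not be reproduced. Signing the same canonical input twice on the target card and comparing the results is the simplest way to verify this before trusting a key type.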