Feature: Add the MasterPassword pass derivation algorithm #4
Comments
Hey Atrate, so from what I understood, this is like HOTP for a password (instead of a 2FA OTP) 🤔 PS: I am still reading the document, and will reply as soon as I am finished. From what I have read till now, this seems to be implementable.
Also, I wanted to know which sites support that algorithm (just out of curiosity).
It is not website-dependent. It simply generates passwords from a set of variables (master password, website name, counter). If the user provides the same variables on e.g. another device, the generated password will be the same. A non-technical information sheet can be found here: https://masterpassword.app/how/
It needs the name to generate the layer 1 (the key). So I guess I will implement this after completing sync, as I will request the user's email and backup password to log in and decrypt the backup.
So the counter is the number of times you have changed your password (to get a unique password).
MasterPassword has changed its name to Spectre: https://spectre.app/
I think their design goals are different from our design goals. Also, for that algorithm, we would need to enable sync (which is currently self-hosted only).
Spectre/MPW is stateless; it doesn't really need any kind of synchronisation.
Actually, I get it. It would be a stateless synchronization. It would be a good idea to implement a similar feature. Are you present on Telegram? I would like to have a quick chat with you :)
No, but you can hit me up on Matrix at
The MasterPassword algorithm is a password derivation algorithm that uses a single master password (and the site URL + a counter) in order to generate unique but reproducible passwords without the need to store them.
Since there are no secure (with encrypted storage) and nice-looking apps utilizing that algorithm, I personally think that passwd could include it as another method of generating passwords, alongside Diceware and the random method.
https://masterpassword.app/masterpassword-algorithm.pdf
https://gitlab.com/MasterPassword/MasterPassword
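
The derivation discussed in this thread (name and master password to a key, then site name and counter to a password), as an added Python sketch that is not part of the issue and not code from passwd or MasterPassword. The scope string, scrypt parameters, templates and character classes are this example's assumptions about the published v3 algorithm, and only the "long" password type is covered.

```python
import hashlib
import hmac
import struct

# Assumed constants of the published Master Password algorithm (v3).
SCOPE = b"com.lyndir.masterpassword"
LONG_TEMPLATES = (
    "CvcvnoCvcvCvcv CvcvCvcvnoCvcv CvcvCvcvCvcvno CvccnoCvcvCvcv CvccCvcvnoCvcv "
    "CvccCvcvCvcvno CvcvnoCvccCvcv CvcvCvccnoCvcv CvcvCvccCvcvno CvcvnoCvcvCvcc "
    "CvcvCvcvnoCvcc CvcvCvcvCvccno CvccnoCvccCvcv CvccCvccnoCvcv CvccCvccCvcvno "
    "CvcvnoCvccCvcc CvcvCvccnoCvcc CvcvCvccCvccno CvccnoCvcvCvcc CvccCvcvnoCvcc "
    "CvccCvcvCvccno"
).split()
CHARS = {
    "V": "AEIOU", "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou", "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789", "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}


def _len_prefixed(text):
    """UTF-8 bytes preceded by their length as a big-endian uint32."""
    raw = text.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def master_key(full_name, master_password):
    """Layer 1: memory-hard key, salted with the user's name."""
    salt = SCOPE + _len_prefixed(full_name)
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=32768, r=8, p=2, maxmem=128 * 1024 * 1024, dklen=64)


def site_password(key, site_name, counter=1):
    """Layers 2 and 3: per-site seed, then template-based encoding."""
    msg = SCOPE + _len_prefixed(site_name) + struct.pack(">I", counter)
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    # The first seed byte picks the template, the following bytes pick each character.
    template = LONG_TEMPLATES[seed[0] % len(LONG_TEMPLATES)]
    return "".join(CHARS[t][seed[i + 1] % len(CHARS[t])]
                   for i, t in enumerate(template))


if __name__ == "__main__":
    # Constructed inputs, for illustration only.
    key = master_key("Example User", "constructed master password")
    for counter in (1, 2):
        print(counter, site_password(key, "example.com", counter))
```

Nothing is stored or synchronised: the same name, master password, site name and counter reproduce the same password on any device, and raising the counter is the only way to rotate a single site's password.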