
How does lesspass handle password rules?

i.e. one site allows special characters, others don't?

Or say one of your passwords gets compromised and you need to change it.

It doesn't seem like lesspass would be able to do so without a db.



I've been trialing it recently on sites of lesser importance, and in the configuration OP described, it doesn't - everything is deterministic from login+site+master password.

It does, however, let you set password profiles, which alter how the password is generated. Here's an abridged example from their FAQ[0] with my notes about what each option does:

    "login": "contact@lesspass.com", # User name
    "site": "example.org",           # Domain name
    "lowercase": false,    # Site accepts lower case characters (Default: true)
    "uppercase": false,    # Site accepts upper case characters (Default: true)
    "symbols": false,      # Site accepts symbols (Default: true)
    "numbers": true,       # Site accepts numbers (Default: true)
    "counter": 1,    # Increment e.g. on compromise and the generated password is changed  (Default: 1)
                     # Password entropy is derived from pbkdf2, counter is used as part of the salt
    "length": 8,     # Password length to be generated (Default: 16)

In the default configuration, these profiles are stored in the browser's local storage, so lost if/when that is cleared. LessPass provide a service to store these profiles on their server (log-in is generated from the master password using a default password profile), and provide the scripts (Docker) that let you self-host this data (the browser extensions include a field to set server domain).

For me, it's a useful balance of convenience and security (each site gets a strong unique password, but I can regenerate them on devices where I haven't synced a password DB) vs. KeePass, which I was previously using.

I'm probably going to switch to 1Password though - it gives the same "any device" benefits, has basically the same risk model (compromise of the master password is a full compromise, and because I need the synced profiles I need to put _some_ trust in a third-party anyway[1]), but it gives me the full flexibility of a real password manager (store associated data, credit cards, set specific passwords if needed etc.)

[0] https://github.com/lesspass/lesspass/wiki/FAQ [1] 1Password: need to trust their client isn't malicious/capturing the password at login and is secure; LessPass: need to trust the webclient is never changed to exfil. the master password, (theoretical?) risk of brute-forcing master password from a generated password, and sends sites/username metadata to a largely unknown third party (could run my own server, but it would likely get neglected and fall behind on security updates etc.).
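To make the two posts above concrete (the question of how a stateless generator can satisfy per-site character rules and rotate a compromised password, and the reply's explanation of profiles, PBKDF2 and the counter-as-salt), here is an added, self-contained model of that scheme. It is not LessPass's code and not the commenter's; the salt layout (site, login, counter in hex), the 100,000-iteration PBKDF2-SHA256 step, the character sets and the rule for placing one character from each enabled set are all my assumptions for illustration and need not match the real implementation byte for byte. The profile keys and defaults mirror the ones listed in the comment.

```python
import hashlib

# Character sets that a profile can switch on or off (constructed for this example).
CHARSETS = {
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "numbers": "0123456789",
    "symbols": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}

# Defaults as listed in the comment above.
DEFAULT_PROFILE = {
    "lowercase": True, "uppercase": True, "numbers": True, "symbols": True,
    "counter": 1, "length": 16,
}


def derive_entropy(master_password, site, login, counter, iterations=100_000):
    """Stretch master password + (site, login, counter) into a 256-bit integer.

    Assumed salt layout: site || login || counter(hex). Bumping the counter changes
    the salt, which is what lets a compromised password be rotated with no database:
    the user only has to remember the new counter in the profile.
    """
    salt = f"{site}{login}{counter:x}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                 iterations, dklen=32)
    return int.from_bytes(digest, "big")


def render_password(entropy, profile):
    """Turn the entropy integer into a password obeying the profile's rules."""
    enabled = [CHARSETS[name] for name in ("lowercase", "uppercase", "numbers", "symbols")
               if profile[name]]
    if not enabled:
        raise ValueError("profile enables no character set")
    length = profile["length"]
    if length < len(enabled):
        raise ValueError("length too short to include one character from each enabled set")

    alphabet = "".join(enabled)
    chars = []
    # Consume the entropy as a big integer, one base-len(alphabet) digit per character.
    for _ in range(length - len(enabled)):
        entropy, idx = divmod(entropy, len(alphabet))
        chars.append(alphabet[idx])
    # Guarantee at least one character from every enabled set (so a site that
    # *requires* a digit is satisfied), inserted at entropy-derived positions
    # so the output stays fully deterministic.
    for charset in enabled:
        entropy, idx = divmod(entropy, len(charset))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, charset[idx])
    return "".join(chars)


def generate_password(master_password, profile):
    """Profile keys not given fall back to the defaults from the comment."""
    p = {**DEFAULT_PROFILE, **profile}
    entropy = derive_entropy(master_password, p["site"], p["login"], p["counter"])
    return render_password(entropy, p)


if __name__ == "__main__":
    # Same profile as the FAQ excerpt above, with a constructed master password.
    profile = {"login": "contact@lesspass.com", "site": "example.org",
               "symbols": False, "length": 8}
    print(generate_password("correct horse battery staple", profile))
    # "Rotate" after a compromise: only the counter changes, nothing is stored.
    print(generate_password("correct horse battery staple", {**profile, "counter": 2}))
```

Running it twice with the same inputs prints the same two passwords, which is the whole point and also the whole caveat: everything the generator knows is the master password plus the profile, so the profile (including the current counter and which character sets are off) is exactly the state that has to be remembered or synced, as the reply describes.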



