Ask HN: Feedback on my stateless password manager (no stored secrets)1 points·by yoyo250·10 mesi fa·0 commentsHi HN,I built a prototype password tool that never stores passwords or vaults. Instead, it derives them on the fly using:* A hardware OpenPGP key (smartcard/YubiKey/etc.)* User inputs (domain + login + a simple passphrase)* Deterministic signing + KDFSo as long as you have the hardware key and the same inputs, you can always reproduce the same password. Nothing is stored locally.Current status:* Python CLI, pre-release v0.9.0* Tested only on Windows 10 with RSA4096 keys* Requires GPG installed* English default + Chinese i18n (basic)Limitations:1. Not audited (research/PoC)2. Only RSA tested3. No GUI (TUI planned)4. Not tested on other platform5. Some sites may reject the generated charset (You can edit, but it may cause a mess.)Looking for feedback on:1. Security flaws in this design?2. Portability to Linux/macOS and non-RSA keys3. Possible ways to use hardware keys without shelling out to GPG4. Usability / UX ideas (TUI, i18n, etc.)Links:GitHub: https://github.com/biliyoyo520/paasword/Blog: https://blog.yoyo250.fun/archives/coding/16.htmlThanks!0 commentsPost comment—
I built a prototype password tool that never stores passwords or vaults. Instead, it derives them on the fly using:
* A hardware OpenPGP key (smartcard/YubiKey/etc.)
* User inputs (domain + login + a simple passphrase)
* Deterministic signing + KDF
So as long as you have the hardware key and the same inputs, you can always reproduce the same password. Nothing is stored locally.
Current status:
* Python CLI, pre-release v0.9.0
* Tested only on Windows 10 with RSA4096 keys
* Requires GPG installed
* English default + Chinese i18n (basic)
Limitations:
1. Not audited (research/PoC)
2. Only RSA tested
3. No GUI (TUI planned)
4. Not tested on other platform
5. Some sites may reject the generated charset (You can edit, but it may cause a mess.)
Looking for feedback on:
1. Security flaws in this design?
2. Portability to Linux/macOS and non-RSA keys
3. Possible ways to use hardware keys without shelling out to GPG
4. Usability / UX ideas (TUI, i18n, etc.)
Links:
GitHub: https://github.com/biliyoyo520/paasword/
Blog: https://blog.yoyo250.fun/archives/coding/16.html
Thanks!