You are right, probably I should choose something less offensive, but I saw a different "Alzheimer" named project https://github.com/tpruzina/alzheimer and as this password "manager" does not need to store passwords at all, I have used this one.
Hi, author here. You are right, the password is generated on the fly using the URL, a unique seed and the provided passphrase.
The extension JavaScript is sandboxed from the webpage, so it is not possible to obtain the inputs to the PBKDFunction from the context of the website.
I coded this for myself and have been using it for more than 2 years. The only problems are with some dynamically created login forms, like the new Reddit login.
Actually, the use case is not a cloud image at all.
One of the first problems was how to overcome having preinstalled cloud-init, polipo and other packages shipped with the OS cloud images.
I can brainstorm an attack on your organization, and help you improve security. I can be part of a Tiger/Red team. I am able to audit, improve or design your key management within an organization. I know how Hardware Security Modules (HSMs) work. I can design and implement custom secure communication channel using open source implementations of ECDH, RSA, XSALSA, however. I can test an existing crypto implementation against test vectors, or find some obvious bugs in high level design. I can reverse engineer not so sophisticated malware found on your secretary's laptop, and even develop disinfection scripts. I am watching trends in cybercrime, malware and cryptography. I read scientific publications, blogs, news. I like to write my thoughts, occasionally I even publish something.
If you need an infosec guy (or writer) in your remote team, please contact me.
I have created Alzheimer Password Manager based on the same ideas as this one.
I believe the better idea is to also use a user-specific salt per browser. In that case, the passwords are more unique, and the threat model changes dramatically.
Current Threat Model:
* No one with access to the PC with the extension installed should be able to authenticate without knowing the correct passphrase.
* The same passphrase used in two different web browsers should produce two different passwords (cryptographic salt will solve this problem).
* If an attacker obtains passwords for some websites, she should not be able to derive passwords for other websites using that knowledge.
* An attacker should not be able to brute force the master passphrase from the salt and knowledge of one password (PBKDF with lots of iterations).
* It provides protection against basic keyloggers (but they can read our salt from the memory / file...)
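Added example, not part of the comment above and not Alzheimer's own code: a sketch of stateless per-site password derivation that satisfies the salt and iteration points of the threat model. The choice of PBKDF2-HMAC-SHA256, the iteration count, the HMAC-based per-site salt, the output encoding and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

ITERATIONS = 200_000  # assumed work factor: makes each passphrase guess expensive
PASSWORD_LEN = 20     # assumed output length


def new_browser_salt() -> bytes:
    """Random salt generated once per browser install and stored locally."""
    return secrets.token_bytes(16)


def site_id(url: str) -> str:
    """Reduce a URL to its hostname so every page of a site maps to one password."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def derive_password(passphrase: str, browser_salt: bytes, url: str) -> str:
    # Per-site salt = HMAC(browser_salt, hostname): binds the output to this
    # browser and this site without ambiguous string concatenation.
    site_salt = hmac.new(browser_salt, site_id(url).encode(), hashlib.sha256).digest()
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), site_salt, ITERATIONS, dklen=32)
    return base64.urlsafe_b64encode(key).decode()[:PASSWORD_LEN]


if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    salt_a, salt_b = new_browser_salt(), new_browser_salt()
    phrase = "correct horse battery staple"
    for label, salt, url in [
        ("browser A, site 1", salt_a, "https://example.com/login"),
        ("browser A, site 2", salt_a, "https://example.org/"),
        ("browser B, site 1", salt_b, "https://example.com/login"),
    ]:
        print(f"{label}: {derive_password(phrase, salt, url)}")
```

The truncated base64url output may not satisfy every site's password composition rules, so a real implementation needs a per-site encoding step on top of this.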
Some time ago I created my own file encryption software using libsodium. It uses XSalsa20, hmacsha256, pbkdf. It hides password input on the terminal. It is really slow for large files (GBs)...