Disclaimer, I have no idea what I'm talking about. I mean somehow use cryptography to derive passwords (into a specific encoding that satisfies typical password requirements) such that the experience is "like" LNURL-Auth
In there, secret = hmac(private key, site.com) ; perhaps using those per-site secrets and derive from there. https://fiatjaf.com/e0a35204.html
Any derivation metadata along with username etc, could more safely go to relays (still encrypted) as there would be no passwords. Logging in somewhere would require hmac signing with the nsec.
Feel free to discard if this is totally stupid lol
I think this could be a good idea.
This means that users just have to safeguard their secret key on their machine.
A password is generated based on the secret key, the site, a passcode, a username. And there is nothing to sync to any relay.
That sounds brilliant? That is a great difference to existing password managers too.
I'll explore with the codes, and give it some thoughts. Are there any downsides to this solution? Mmm
Mmm, that sounds 🤯
Keen to learn more and understand what you mean by using LNURL auth to derive passwords.
My five month old, Jelly Cat.
We can DM again, I'll put it in, and show it to you how it looks when it's small, and on the landing.
I'm sorry
Thank you 🫡
Food for thought.
If you have similar use case, and we can get more hands on deck to design something.
Thank you nostr:npub18ams6ewn5aj2n3wt2qawzglx9mr4nzksxhvrdc4gzrecw7n5tvjqctp424 for being the first early funder.
I have a thought about you saying "storing sensitive data". I was thinking we can make a specialised relay, open source relay, for storing all sensitive data. So anyone can spin up their own if they like. Otherwise, we can host one or two too.
We have not!
But if you're in Japan in November, I'll be there.
Cool. I think I'm just searching the NIP surface. There are so many going on.
Yea I feel the superpower today after launching a new project on geyser
Yup. And plans to open source a specialised relay so anyone can spin up their own just to store all sorts of sensitive data.
Does calling ndk functions count?
signer.encrypt()
Also, I have just asked for funding; if approved, a share of it is paid for a security audit and code audit.
To be honest, I think the encryption is fine; the algorithm isn't written by me, but uses packages that everyone is using to encrypt stuff.
I'm more concerned about your passwords missing entirely because of the relays.
Your key, your passcode. And in upcoming versions, a one-time password if you opt in to 2FA.
You don't have to trust them at all. They are just holding things for you.
Trust in your key and your passcode.
Next will be adding a one-time password, so you can trust that 30 seconds of 6-digit numbers too.
How's that sound?
I was thinking. This logo is bad! It's someone looking at my password. Lol
Ya!! I'm embarrassed to ask you. But your work is amazing
I do imagine people will eventually have 10 keys for 10 different purposes in the future. No one says you can only have 1 key.
Just that right now, the "and other things" are coming.
nostr:npub1fk8rya2ra7lp8m60f8jrjg4yqfv2cc8dah8wqc49drccs3dqngzqtgc5sk seems to be onboard to make one for Firefox.
Then we need someone to make one on React Native, for iOS and Android.
And then mass adoption for nostr protocol.
Yea. Currently, with all the password managers out there, people are trusting a company to safeguard encrypted passwords in their database, encrypted with one master password.
In the current code, encrypted data are stored locally. And IF for some reason the relay you are connected to says "no data", it will NOT override your local data.
See GitHub for implementation.
Yup. In version 1.0.1, there is a roadmap section. A specialised relay is part of the plan.