We really need passchange.js: an open source collection of headless JS scripts that can programmatically change your password on a given website. Then you would continuously rotate _all_ your managed passwords as well as your master.
Not a panacea, but significantly minimizes the length of a theoretical breach.
This is a fantastic idea, just a simple config file which describes how to change a password for a site, which different programs can then interpret differently.
Thanks. Yeah; that's the idea for bootstrapping. At some point, I'd love it if sites themselves published APIs or at least manifests (similar to /robots.txt or favicon or a URL in an HTTP header, etc.) of how to programmatically change passwords.
A real problem I ran into is that a full browser is required for many operations, now. Instagram.com, for example, is completely opaque to non-DOM+JS browsers. Right down to the shamefully empty `<noscript>` block.
Please don't get me wrong, it would be great to have a service to centralize all your passwords including rotation, but this already exists. It's Google/Facebook if you choose to use OAuth to sign in to other sites.
If this kind of API/JS existed and worked, an attacker could exploit it to automatically change a user's password.
Note that changing a password is often also used as a simple mechanism to log out all the sessions (simple = easy to understand for the end user).
In summary, I really hope all websites would do all they can to protect their change password endpoints from automatic tools.
For me, passwords need to exist and need to be remembered, because if this is not the case, then many other security assumptions fail. With this I don't want to say that the current state of affairs is good; I definitely think that we need to invest in more mechanisms to help users remember their passwords, or reuse them in secure ways.
This would be a great feature for 1Password to adopt.
I’m not sure what you mean by “as well as your master”, though. If your master password is programmatically changed, how would you be able to access any of your stored passwords?