I commented about LessPass, and I think it applies here too. In summary, you still need to run MasterPass to retrieve their passwords, not here.

Security-wise, my construction might be slightly less secure, but you can recover the same level of security with a slightly longer passphrase (and, unless I misread their code, they also use a deterministic salt in scrypt, which is a debatable choice).

As I said about LessPass, it would be great to hear from the author(s) what they think.


Forging the Everdragons2 NFT. Former security at Pinterest.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store