What you write is correct, and I/we think that's actually the real feature of MemPa: to access your most critical passwords you do NOT need a password db (as I mentioned in the post, this is not for all your passwords; you certainly need a vault for existing secrets).

I personally don't think that "the attacker also needs to steal the password db" is a good security feature. The reason is that you (as a user) want availability, so your password db is replicated on multiple devices, and many times it is also available on a publicly accessible cloud service. I think that the real security is given by a strong master password. If the attacker gets it, you're doomed.

Also, I don't think this is exactly like a brain wallet. In a wallet you have money. In a password manager you have passwords. To access my money I want a password and something I own. To access my passwords, I just want my brain.

Hope this explains, happy to chat more.


Forging the Everdragons2 NFT. Former security at Pinterest.
