What you write is correct, and I/we think that's actually the real feature of MemPa: to access your most critical passwords you do NOT need a password db (as I mentioned in the post, this is not for all your passwords; you certainly need a vault for existing secrets).

I personally don't think that "the attacker also needs to steal the password db" is a good security feature. The reason is that you (as a user) want availability, and so your password db is replicated on multiple devices, and many times it is also available on a publicly accessible cloud service. I think that the real security is given by a strong master password. If the attacker gets it, you're doomed.

Also, I don't think this is exactly like a brain wallet. In a wallet you have money. In a password manager you have passwords. To access my money I want a password and something I own. To access my passwords, I just want my brain.

Hope this explains, happy to chat more.

Forging the Everdragons2 NFT. Former security at Pinterest.