-
protocol
Overall description of the DeRec protocol and associated state diagrams. (by derecalliance)
The Decentralized Recovery (DeRec) Alliance has recently launched to solve this very problem. Dr. Leemon Baird gave a talk last year on how this works at a higher level [0]. The alliance is composed of members from the Algorand, Hedera, and Ripple crypto communities, but the application of proper DeRec would certainly be applicable anywhere you have any type of secret; in fact I believe you can be a DeRec 'helper' right now. There's a robust primer on the protocol published as well [1]; here's a pull-quote:
> Decentralized recovery is a method of safeguarding a user's secret by distributing shares of that secret among multiple helpers, who store their individual share on their local device in order to help the user recover that secret in future. The shares are constructed under a threshold secret-sharing scheme (e.g. Shamir's secret sharing scheme), with a chosen threshold (defaults to half) -- at least three helpers must be present in order to use the protocol. Should the user lose access to their device, they can recover their secret data by retrieving the previously-distributed shares from at least half of their helpers. For successful recovery, the user only needs to recall the identities of half of their helpers and authenticate with them in-person.
[0]: https://www.youtube.com/watch?v=AcF4abPoveM
[1]: https://github.com/derecalliance/protocol/blob/main/protocol...
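The threshold secret-sharing scheme named in the pull-quote is easy to see in working code. The block below is an added example written for this page, not code from the DeRec Alliance or its protocol repository: it splits an integer secret into one share per helper with Shamir's scheme over a prime field, recovers it from any threshold-sized subset by Lagrange interpolation, and shows that a subset below the threshold yields a wrong value. The prime modulus, the 120-bit constructed sample secret, and the `default_threshold` rule (half of the helpers, rounded up, with a minimum of three helpers) are assumptions made for the example, not parameters the primer fixes.

```python
import secrets

# Prime modulus for the finite field. 2^127 - 1 is a Mersenne prime; it is an
# assumption chosen for this example, not a parameter the DeRec primer specifies.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n_helpers, threshold):
    """Split an integer secret into n_helpers shares; any `threshold` of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= n_helpers:
        raise ValueError("threshold must be between 1 and the number of helpers")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Helper i receives the point (i, f(i)); x = 0 is never handed out because f(0) is the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_helpers + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the supplied (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Multiply by the modular inverse of the denominator (Python 3.8+ three-argument pow).
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def default_threshold(n_helpers):
    """Assumed reading of the primer's default: half the helpers, rounded up, at least three helpers."""
    if n_helpers < 3:
        raise ValueError("at least three helpers are required")
    return (n_helpers + 1) // 2


def demo():
    """Five helpers, threshold three: any three shares recover, two do not."""
    secret = int.from_bytes(b"constructed key", "big")  # constructed 120-bit sample secret
    n = 5
    t = default_threshold(n)  # 3
    shares = split_secret(secret, n, t)
    first_three = recover_secret(shares[:t]) == secret       # helpers 1-3
    last_three = recover_secret(shares[2:]) == secret        # helpers 3-5
    below_threshold = recover_secret(shares[:t - 1]) == secret  # helpers 1-2: fails except with prob. 1/PRIME
    return first_three, last_three, below_threshold


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The below-threshold case is the property that makes the scheme safe to hand to several helpers: two points determine a line, and the line through two shares of a degree-2 polynomial passes through f(0) only when the random quadratic coefficient happens to be zero, so fewer than `threshold` shares reveal nothing about the secret beyond chance. A real deployment also has to bind each share to the helper's identity and authenticate the recovering user, which is the part the primer's "authenticate with them in-person" sentence covers and this example omits.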
-
-
https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Applica...
- "adequately secure" as in NIST SP 800-160 Vol. 1 Rev. 1, 3. System
-
I can save you some of that research. The KeePass family of password managers are open source and based around a shared file format. They save your passwords in an encrypted file on your computer or phone’s local drive. An ecosystem of apps by different people can parse that file format (after you enter your master password), and at least one app can export as CSV or HTML, so migration is not a problem.
Since your passwords are in a local file, there is no online password manager that can be hacked. If you worry that your local password manager software will have malicious updates posted, you only have to read news at the time you download an update, which can be as infrequent as you like.
If you need to share passwords among your devices, you can store the encrypted file in a generic file syncing service such as Google Drive or Dropbox. Those services are less of a target for hackers than dedicated password managers, and even if someone obtains that file, your passwords will be safe as long as your master password is strong.
Specific KeePass clients I recommend: https://keepassxc.org/ on desktop, https://github.com/PhilippC/keepass2android on Android.
-
keepassxc
KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
-
> Then keeping on top of the news for the rest of your life to see if your password manager is going down the gurgler or been hacked. Also, will my passwords be available when I travel to a country with restricted internet? Who knows. Can I export my passwords to any other password manager or a text file if I need to migrate? That's part of the research needed to even get started using a password manager.
These are pretty much the exact reasons I created https://github.com/conradkleinespel/rooster. It's a simple password manager for the command line. It's offline. It's open source. It's stable. It can export passwords to plain text in different formats.
And its feature-set is intentionally limited, so I can maintain it with little work, to avoid it going down the gurgler. It's been available and maintained since 2015.