ZeroStore - password storage, without the storage app for iPhone and iPad
Developer: Pitou Technologies, LLC
First release : 12 Sep 2015
App size: 14.83 Mb
Password storage, without the storage!
ZeroStore is a new kind of password manager. Instead of storing all of your passwords on your device and in the cloud, ZeroStore generates them when you need them.
You can use TouchID to authenticate and generate your passwords, or type in your master password each time. ZeroStore has an app extension too, so you can easily access it inside all your favorite web browsers! Just open the extension, use your Master Password or TouchID, and your service password is copied to your clipboard.
---
How does it work?
Passwords are generated based on a service name and a master password. The service name is unique, and therefore unique passwords are generated for each service.
Using your master password, a master key is derived in such a way that increases the difficulty of brute-force attacks. The service name is used as a salt, which prevents a pre-computed table of values being used across different users or domains.
The master key is then used as the key for a SHA256-HMAC of the service name. This ensures that generated passwords should have no detectable relationship with each other, and cannot be computed without knowing the master key.
The HMAC is then base64-encoded, truncated to given length, and used as the per-service password. This is designed to be compatible with as many services password requirements as possible.
This app is based on zerostore by joseph346: github.com/joseph346/zerostore. This project is open source, and was made with approval.
---
DISCLAIMER:
This is a proof-of-concept. Im not a cryptography expert, and I only made this for fun and education. It should generate fairly secure passwords, however, use at your own risk.
---
Known Issues:
It is currently difficult to use ZeroStore when a service require you to change your password. One option is to change your master password; however, this will change the passwords generated for all of your services. This is a known issue, and we are currently working on a solution.