I’m Guillaume, the creator of LessPass, and I’ll explain why these three questions will help you forget your passwords.

You need a password Manager

Today you need to remember many passwords (email, Facebook, Twitter, Windows, etc.). Any of those sites can be compromised, so you should use a different password for each account.

A password manager helps you manage all those passwords.

First problem: syncing your password database

There are a lot of open source password managers, but they all suffer from the same plague: they store all your passwords in a single database. So if you want your passwords on your computer, your smartphone and your tablet, you have to share this database between all those devices.

I don’t want to share my passwords on the internet, even encrypted.

If, like me, you used KeePassX, you probably had a personal cloud solution (Seafile, ownCloud) to share your password manager database between all your devices.

On a new device, you need to install a cloud client, find the password of your personal cloud and sync your password manager database before you can access your passwords.

Second problem: closed source isn’t secure

If you don’t want to sync your password manager database, the current solution is to pay a couple of dollars for a closed-source (central-point-of-failure, insecure) solution. I don’t like the idea of putting my secrets online, even less in the hands of a third party, and especially not when I can’t see the source code.

Why can’t I host LastPass/1Password on my server?

LessPass to save them all

LessPass is an open source solution that doesn’t need any cloud storage.

It’s a web app, with some JavaScript, that derives your password in a secure way.

How it works

If I ask you how much 1 + 2 + 3 is, you will answer 6.

But if I ask you which operations produce 6, you will probably answer 1 + 2 + 3. But you could have answered 3 × 1 + 3 or 18 × 18 - 318 and you would be right. There are a lot of solutions.

Replace 1, 2 and 3 by the answers to the three questions (who, what, where), and the + operation by some key derivation functions, and you understand the concept behind LessPass.

LessPass uses different key derivation functions to transform your personal information into a unique password.

LessPass: Who are you?

Guillaume: I’m Guillaume

L: What is your secret?

G: I love chocolate !

L: Where are you going?

G: on twitter

L: your password is: zAC9:esIM6?

Key derivation functions

LessPass uses the answers to the first two questions to create a unique hash with Password-Based Key Derivation Function 2 (PBKDF2). We use 8192 iterations and HMAC-SHA256 to calculate our hash:

"I’m Guillaume" + "I love to much chocolate !" = 57d0851a1a73f4e4…

PBKDF2 applies a pseudo-random function and repeats the process many times to produce a hash. We use PBKDF2 because it adds computational work, which makes password cracking much more difficult.

Custom passwords

Sometimes you need a password composed of a certain type of character (e.g. only numbers) or with a specific length (e.g. 10 characters).

LessPass provides default settings, but you can customize them:

```javascript
hash = '57d0851a1a73f4e4…';

entry = {
  site: 'on twitter', // Where are you going ?
  password: {
    length: 10,
    settings: ['numbers'],
    counter: 1 // change password without changing your secret
  }
};
```

With this information, and again different key derivation functions, we compute a unique password:

hash + entry = 6724697291

LessPass core is 100% tested, and you can have a look at its full source and check whether the algorithms are implemented correctly. If you are a cryptography or computer security expert, feel free to give us some feedback.

The future of LessPass

LessPass is free and always will be.

We are developing a web extension to reduce friction and give a seamless experience.

Sources are on GitHub. We plan to migrate to GitLab.

Privacy matters and transparency too

We don’t use any third parties and we never will (e.g. no Google Analytics, no social buttons, no ads, etc.).

No tracking, no server communication, only static files.

The latest intelligence law in France has forced us to migrate our web server to Germany. Our web server is hosted in Frankfurt with the help of Vultr.

Our DNS is managed by Gandi, and our TLS certificate by COMODO CA Limited.