“If you have anything less than 100 user accounts across the internet, I do not consider you a human being” -anonymous
If you indeed have more than 100 accounts and you remember the passwords for them all (ok, I do not count test1234 as a password), then you are not a human either! My biggest problem is keeping strong, random passwords across different services on the internet. There are a number of techniques people use to slightly vary their password from one online service to the next, but none of them are failsafe. All it takes is one leaked password to reveal your variation pattern, and then every password you have is as good as test1234.
A number of us use password managers like KeePassX, but it becomes hard to manage them across multiple computers (think about a friend's laptop that I borrowed). Dropbox-like services for keeping your key file are great, but think about needing a password on your mobile phone to log into an app. Let us agree that there is no clear way to do this (if there is one, I would love to hear about it; if you said a LastPass-like service, keep reading!).
You are still reading! Great. Companies like LastPass might do a great job of protecting you, but for one thing, all my data is going to be in one unknown basket (this is not about LastPass specifically, but about all companies that provide such services). I always imagine a random intern who might walk into any startup/small company and flip the switch for "world access". I am very uncomfortable giving all my passwords to one single password management company.
This brings me to my final point: who would I trust? I think I will trust myself (I am sure I will not steal my own passwords, and even if I did, I think it would not hurt me).
I now have an implementation of a small Flask application called PersonalPassword (creative name!) that encrypts your password (with your master password) in the browser, sends the encrypted data across the wire (https) to Google App Engine servers, and stores it in the datastore of your personal Google account.
In order to lookup/store passwords:
1) you must be logged in into your google account
2) you must also know your master password.
You are free to fork it and comment on the non-trivial security issues with this approach. We all understand SSL MITM and security vulnerabilities in your browser. Given that you are aware of and careful about these things, what else do you think is a security risk with this approach?