Password Chef

Create a recipe. Forget your passwords

Reviews

Discussion

You need to become a Contributor to join the discussion - Find out how.
Yoav Anaki@yoavanaki · COO, Yala
This is a super creative approach to password management. Cheers!
Robert Merrill
Maker
@rfmerrill · Co-founder, Naranja Studio
Thanks for sharing Password Chef, Eric. We’re honored! Hello Product Hunt. I’m Rob, one of the makers of Password Chef. Password Chef helps you design a personal algorithm (we call them ”recipes”) which generates unique, complex passwords for all your accounts, and enables you to recall them from anywhere. We want to free people from their sticky notes and traditional password managers, and make them self-reliant with their passwords. I’ll be on here all day with my fellow maker, Tim. We’d be happy to answer any questions!
Marius Masalar@mostlymarius · Tech Writer, Photographer
This is a really cool concept, congrats on a wonderful design and compelling video! Putting my skeptical hat on for a moment though, there seems to be a bit of a problem with the system (unless I'm missing something): what happens when you need to change a password? Maybe one was leaked in a breach, maybe your work has a policy that passwords need replacing every so often, maybe you're worried about your ex hijacking your Netflix account, etc. By definition, each recipe will provide only one password for each site, so what's the expected procedure when you have to replace your password for that site—is it to create a new recipe? Or a new secret key element? If so, doesn't that quickly get unwieldy as you add more password changes? Suddenly you don't have a single easy-to-remember recipe across all your accounts, you have several and have to remember which one is in use for each site, for which you need to check the app...at which point, you're back to the experience of using a password manager. I also wonder what the risks are if one of your passwords is compromised. After all, if all your passwords are recipe based and someone reverse engineers the recipe, they need only one of your passwords to effectively gain access to everything (even if it takes a while to crack the secret key bit). Super unlikely, I realize, but I'm comparing this to a password manager where at least every generated password is entirely unique, so one being compromised isn't deadly. I'm sure you guys have thought of these things, I just wanted to find out how you're accounting for them as I'd really like to introduce some of my more security-vulnerable friends and family to Password Chef (seems like they might prefer it to a standard password manager). :)
jeremy carson@thejeremycarson · Founder, creata.co
@mostlymarius needing to create a new password is my biggest issue with these "recipe/formula" password creators. they're great until you have to change one or two passwords. then you have multiple recipes, and you have to remember which one work for which passwords, which essentially defeats the purpose of the "easy-to-remember" system.
Tim Winfree
Maker
@timwinfree · co-founder, Naranja Studio
@mostlymarius Thank you so much for the kind words, Marius. And great questions. We've given those concerns a lot of thought. Here's how we tackled them: 1. Notes. At some point, you may encounter a site that doesn't accept the password your recipe produces. So we offered a "notes" field to jot down the adaptation you may need to make (e.g. "For bank, limit to 10 characters"). We imagined you could write a similar note in the event a single password needed to be changed (in the event of a breach). 2. "Enter Characters." This is an option in the word pool that lets you add an explicit character/phrase into your passwords. Perhaps you want to start every password off with "$5" so you wrote "Enter '$5'" as your first step. However, we also saw an opportunity for people to use it as a variable. So instead of "$5," you might use "birth year." This allows you to further protect your recipe with steps only you'll know how to execute. But, this variable idea is also useful for those office workers who have to change their password periodically. So that using a variable like "month" or "quarter" would allow them to avoid writing a whole new recipe. 3. Multiple Recipes. I use several. The recipe that includes my email account, for example, is significantly more secure than the recipe I use for Pandora, Netflix, etc. So there's no connection between my most and least secure accounts. Even with a single recipe, as you noted, you're at very limited risk. Someone would need to recognize your password as recipe-based, and potentially make a few guesses on how it was engineered. If you use a secret code, that could be especially difficult. And as our library of word pool options grows, the difficultly is increased even further. Lastly, I'll say this. It sounds like bull, but it's true. Coming up with a good recipe is satisfying, and the more you use the app, the more "tricks" you'll discover–ways to recall passwords faster, or type them more quickly, while maintaining good strength. Whenever I stumble upon one, I actually look forward to any poor excuse to write a new recipe and update every single password (in that category) so I can put my new trick to use.
Marius Masalar@mostlymarius · Tech Writer, Photographer
@timwinfree Thanks so much for the thoughtful response, Tim! I'm glad and entirely unsurprised that you guys have given these things some serious thought. I'm looking at this from the perspective of someone who might be trying to introduce a non-techie to password management in general, so I'm weighing the demands of the recipe system against the demands of a password manager. The satisfaction you mentioned (and the general value of a metaphor as accessible as a cooking recipe) is very valuable during the onboarding phase, but I have to weigh that against the ongoing demands of the system. In my head I'm comparing to 1Password, my current solution. In essence, Password Chef asks its users to memorize a different kind of information than 1Password does—an algorithm instead of a master password. The advantage is that the algorithm IS the password—for everything—so you theoretically don't need the app. But I think the problem I'm having is that the "Mental Effort" portion of your chart is super important. The difference between minimal mental effort and a little is actually a huge divide. Besides security, the whole purpose of password management is convenience. Consider a practical example: logging into an account on your computer... Option 1: With no password manager, Steve McUserton pulls out his password notebook (this is a real thing I encourage family members to stop doing), flips through to the relevant letter, and painstakingly copies out each character. This generally happens twice because Steve's handwriting isn't great so he'll have to take another swing at some characters. Option 2: With Password Chef, Steve has repurposed his password notebook as bedding for his parakeet, and instead appeals to his memory to retrieve his password recipe...he remembers most of it, pops out his phone to check, then dutifully computes the password and logs in successfully. Or he remembers it correctly and doesn't need his phone at all. Either way, much quicker than his old method. Option 3: Steve tries out 1Password. Instead of an algorithm, Steve memorizes a song lyric that he loves. In fact, he's had it memorized since high school when his first kiss happened to that song, but he remembers which letters he capitalized and which he replaced with numbers to make a more secure master password. Once unlocked, 1Password logs in for him. If it was already unlocked, he could have just pressed Ctrl/Cmd + \ and not had to think about passwords at all. The crucial difference that worries me is that Password Chef asks for two things, not one: you must remember a recipe, and then use it to compute your password for any given login. For 1Password, you're only asked to remember a password. A long one, to be sure, but...it's one simple task and you don't have to manipulate the information you remembered, just type it in. You see my concern. And that's without even delving into the entirely new dimension of convenience afforded by TouchID in conjunction with 1Password's extension when you're on your phone. I guess my struggle is that while Password Chef is easier to grasp and get started with, it has some fundamental limitations to its convenience level, which could be a deal-breaker when considering day-to-day usage and long-term scalability for people. To be clear, I see this as a problem with the recipe system in general, it's not a problem with Password Chef specifically—I think it's obvious that yours is the finest implementation of this idea that I've encountered. None of this is meant negatively, by the way; I'm convinced that there are use cases for which the recipe system is undoubtedly better than a standard password manager (with or without a centrally stored database), but this is the kind of thinking that was going on in my head as I considered introducing family, friends, clients, etc. to the app.
Jonathon Blok@jblok2 · Developer
This is a really secure approach to passwords. The only potential stumbling block for non-technical users will be trusting that the passwords aren't stored by the app - telling them is fine, but it's also a trust issue that may take time. Also, I love the promo video!
Tim Winfree
Maker
@timwinfree · co-founder, Naranja Studio
@jblok2 We hope the secret code, as something you can create/change in your mind, communicates that we truly aren't interested in users' passwords. Agree that time will probably help as well. And so glad you like the video! More than once we asked ourselves, "people will like this, right? Not think it's weird?" Thanks for a little validation.
Justin Krup@jkrup · Founder, BOKUGA
This looks great! Finally a password cipher manager instead of a much more risky password manager. I've been using a technique like this for all of my passwords for years, the only thing I'll say though is since using this technique it's way easier to memorize your password I don't know how often I would need to use this app. But it really seems awesome.
Robert Merrill
Maker
@rfmerrill · Co-founder, Naranja Studio
@mazlix Thanks, Justin! You hit on what we hope for all of our users: that they become so familiar with their recipes, that they no longer need to reference the app, and can recall their passwords from anywhere. So our biggest role is in helping people come up with a great recipe. We show users how it's performing against a variety of site names, as it's being written, as well as which common password requirements are being fulfilled. And occasionally, you'll find a reason to replace a recipe, or write a new one altogether. So we want to make that fun and easy, and provide a means to store multiple recipes.