Spectre is a password manager developed by Maarten Billemont. It started life under the name Master Password and has since been rewritten with modernized software and reborn as Spectre. It is designed to help users create strong, unique passwords for each account.
What sets Spectre apart is that it works on the principle of statelessness. Whereas most password managers store all passwords and attempt to protect them, Spectre does not save the password at all, meaning there is nothing to protect. So, if no password is saved, how does it work?
How does Spectre work?
Users who sign up for a new account enter their master password. Spectre then generates a unique password for each website from that master password.
The tool uses the following information to generate each site's password:
- Your full name
- Spectre secret
- Site Domain
It uses cryptographic derivation to regenerate the same password each time you pull up the site, meaning that the password is never stored or synchronized to a cloud environment. Hence, there is no stored copy for a third party to hack or steal.
Spectre uses several different hashing algorithms to generate passwords, which makes it more difficult for attackers to crack them. In addition, it adds salting as an additional layer of security to each password. The app is designed to be used offline and does not share data with any third-party services.
Spectre can also obscure your login names by cryptographically generating them.
Changing the master password
Naturally, Spectre will generate different passwords for all websites after the master password is changed. So, if for some reason your secret has been compromised and needs to be replaced, you must then renew the password on every website managed with this app. This is not the case with traditional password managers.
And it goes without saying that you had better not forget the master password.
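The derivation principle described above, and the consequence that a new secret changes every site password, as an added illustration in Python. This is not Spectre's own code or its exact algorithm: the scope label, the scrypt cost, the templates and the optional per-site counter are this example's assumptions, and the name, secret and domains are constructed sample inputs.

```python
import hashlib
import hmac

# Simplified stateless derivation in the spirit of the scheme described above.
# Constants and cost parameters are this example's own assumptions, not the
# app's real values; real deployments use a much higher scrypt cost.
SCOPE = b"example.stateless-pw"          # domain-separation label (assumed)
N, R, P = 2**14, 8, 1                    # scrypt cost parameters (assumed)

# Character classes used by the password templates (assumed template scheme).
CLASSES = {
    "V": "AEIOU", "v": "aeiou",
    "C": "BCDFGHJKLMNPQRSTVWXYZ", "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789", "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}
TEMPLATES = ["CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvcvCvcvCvcvno"]


def master_key(full_name: str, secret: str) -> bytes:
    """Derive the master key from the full name (used as salt) and the secret.
    Nothing is stored: the same two inputs always yield the same key."""
    salt = SCOPE + len(full_name).to_bytes(4, "big") + full_name.encode()
    return hashlib.scrypt(secret.encode(), salt=salt, n=N, r=R, p=P, dklen=64)


def site_seed(key: bytes, site: str, counter: int = 1) -> bytes:
    """Per-site seed: HMAC over the site domain and a rotation counter under
    the master key. The counter is an assumed feature that lets one site's
    password be rotated without changing the secret for every other site."""
    msg = (SCOPE + len(site).to_bytes(4, "big") + site.encode()
           + counter.to_bytes(4, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()


def site_password(key: bytes, site: str, counter: int = 1) -> str:
    """Map seed bytes onto a template so the result is typeable and contains
    upper- and lower-case letters, a digit and a symbol."""
    seed = site_seed(key, site, counter)
    template = TEMPLATES[seed[0] % len(TEMPLATES)]
    return "".join(CLASSES[cls][seed[i + 1] % len(CLASSES[cls])]
                   for i, cls in enumerate(template))


if __name__ == "__main__":
    key = master_key("Jane Doe", "correct horse battery staple")  # constructed
    print(site_password(key, "example.com"))
    # Any device with the same name and secret recomputes this password; a
    # new secret or a different domain produces an unrelated one.
    print(site_password(master_key("Jane Doe", "new secret"), "example.com"))
    print(site_password(key, "www.example.com"))
```

Note that "example.com" and "www.example.com" derive different passwords, so the domain the app is given must match the one used at sign-up.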
Using Spectre
Currently, the rewritten Spectre app is only available for iOS, with other platforms coming soon. Several users in the App Store criticize the usability of the redesigned interface compared to the predecessor app Master Password.
You can clone the source code and build the app yourself before it is officially available.
Other platforms for Spectre coming soon
You can try Spectre on the app's homepage.
Once you log in to the app with your Spectre secret, your site passwords are cryptographically recomputed to the same values on any device, whether a new device, a friend's device, etc.
Another feature of Spectre that makes it easy to use is its ability to generate offline passwords. This means that users can create passwords even when they are not connected to the internet.
Password sharing
Spectre does include a way to share your site passwords with friends if you have specific secrets you want to share with others.
Availability
Spectre is licensed as open source and therefore freely available. However, this only applies to the basic product for generating passwords. The premium version, on the other hand, requires a subscription, which costs 4.49 USD per month or 44.99 USD per year.
The developer does not provide exact information on his website about the advanced features included in the Premium Edition. Among other things, these include integration with various web browsers, such as autofill, whereas in the basic version you have to transfer the passwords via copy & paste.
Wrapping up
Spectre offers a password manager solution unlike any other. Its concept of statelessness is undoubtedly appealing, given that password manager breaches and cloud data leaks are a looming possibility.
Additionally, the app's focus on user privacy and its open-source nature make it a trustworthy option for those who want to secure their online accounts.
Sounds like a pretty cool way to manage your passwords securely. What if you already have hundreds of secure passwords? Is there a way to import them into Spectre?
Interesting concept. I haven’t seen or heard of this before. So there’s a new data breach that affects 1 or more of your 100 accounts? Simply change your master password once and all of your account passwords are changed with a single click. Not bad! The idea is interesting. This has the potential to solve one of the biggest problems that’s common among all password managers, namely the inability to update the passwords on the remote systems. For as long as password managers and remote sites don’t communicate, and there is no common standard in place for this, this problem will not go away.
So for that reason, I see one big pitfall with using this new Spectre approach: good luck visiting each site to update the password for each of your potentially 100 or more accounts (I myself am up in 1000 territory so I know the pain in updating). Without having a record of the previous passwords you used, you may not be able to change the password on most sites, as most sites will require you to not only log in with your current password to set a new password, but also provide the old password for verification. So what it comes down to, when using Spectre, is you have to be logged in to all 100 accounts, put in your current passwords in all the right Change Password boxes on all 100 sites (or more), before you click to update your master password in Spectre, thereby generating new passwords for all 100 accounts (or more), which you then have to transfer using copy and paste operations, one site at a time, and click to save each of them.
God help you if they require a CAPTCHA to change the password. By the time you make a full circle and visit all these sites, CAPTCHA may have expired (Google reCAPTCHA in particular), and require you to complete the CAPTCHA again and provide the current or “old” password once again, which you no longer have, since you clicked to change your master password in Spectre and all the passwords were changed in an instant, and since this manager is “stateless”, there should be no record of what your previous passwords were. Talk about digging your own grave with this manager!
I hope I’m not correct in my assumptions here. For now, I’m sticking to traditional offline managers. But it is an interesting concept, and I will make a mental note of this new manager, and it will be interesting to see where this goes. I believe more in passkeys as a future solution to passwords, because of the tight integration with remote systems and industry recognition and acceptance. But for at least another 10 years, passwords will not get old and replaced with passkeys.
I’m 90% sure it’s not possible.. it doesn’t store the passwords – it generates its own passwords with its own specific algorithm, which is why it can always recreate them.
One issue I can see from this is if you have a different URL where you create the password vs. where you login to them. i.e. I create an account at “accounts.domain.tld” but login to “www.domain.tld” it might think they’re supposed to be different passwords.
The other issue I can think of would be that the passwords might not be long enough or might be too long for a specific site or somehow violate the site’s password requirements (might be too many things or too few things, etc.)
David F.
I thought for a second this was addressed to me. But I see now that this was a reply to the question posted by “s31064”. I agree, seeing how Spectre is designed to work, it would mean that it’s not possible to import existing passwords from other password managers. That would be akin to fitting a model (passwords) to an equation (algorithm), rather than using an equation (algorithm) to produce the model (passwords). I will say I have not tried Spectre myself, so I can’t be sure, but yeah, this is highly likely to fail: you cannot import existing passwords to Spectre. (I don’t have an iPhone, never had any Apple device, and Spectre doesn’t work on Android, or on Windows, or on Linux. So I am not able to use it even if I wanted to.)
You bring up two good points about different URLs and password requirements. The way I usually handle sites that have several URLs with the same login is by using references. So, for example, I might have one entry for YouTube and another for Google Drive, but I will have the password set only for the Google Account or Gmail entry, and then reference that password in the password field for YouTube and Google Drive. As for password requirements, it’s so silly to see that websites still have 8 character passwords as the minimum requirement. But it’s even more silly to have a highly constrained upper limit, like 12 characters. The bare minimum should be 12 characters today for a strong password (assuming it’s randomized, uses all kinds of characters and so on), and the upper limit can affordably be set to as high as 30 characters.
Now that I think about the issue that I brought up, I think it can be solved by changing back your master password to what you had previously. Given that nothing else was changed, that should produce the same passwords you had previously on each site. But what an annoyance and inconvenience, having to change back your master passwords, just because some site (or sites) asked you to confirm a password change by providing your old password. Wow! This statelessness doesn’t seem very appealing to me. I would want to have a record of my previous passwords. I have been in many situations where I was asked for my previous password, for example when restoring an old Microsoft or Google account and they want to know what my most recent password was that I remember.
“This statelessness doesn’t seem very appealing to me. I would want to have a record of my previous passwords.”
I forgot to add one thing here! “I would want to have a record of my previous passwords.” As long as the password manager cannot communicate directly with the site for which the account password is being changed!
I completely agree on the 8 character minimum, and even a 30 character maximum is on the small side to me. I will go as strong as I can, since I’ve got a good password manager (BitWarden). That’s probably my biggest frustration is websites not telling you the actual rules they use for their passwords. I realize from a security perspective that stating the max length is technically a ding against the security, but from a usability perspective, I think it’s far outweighed by the convenience factor. i.e. Windows has a max password length of 256 characters, and I’ve been to some places that use 128 length passwords for some of the service accounts.
I hadn’t thought about the previous password history. Theoretically, with Spectre you could generate your password again before you got a new one and record it. But even thinking about it more.. if a site is compromised, you don’t have a good way to change your password in Spectre — because the URL etc. will be the same, so it will always generate the same password. You’d have to change your master key to change the salt, which would invalidate everything already generated. The only thing I could think to do in that circumstance might be adding a pin or something to the generated password.
Going to have to go check the site, because now I’m even more curious 😀
David F.
I have been to sites that will inadvertently tell you the maximum password length if you overstep the limit while creating your account. That’s how I have been able to spot and observe what’s commonly used. From what I’ve seen, these sites usually have a modest upper limit of around 30 characters.
I could agree that it’s on the small side, but then again, I bet even this “low” upper limit will go unnoticed, because most users today are still using short passwords and they don’t use password managers that can remember these super long and complicated passwords for them. You know what these users think of password lengths? The shorter, the better! I would like to see more people make better use of the character space available to them, even if it’s as low or as modest as 30 characters, and for that to happen, more people need to start using password managers.
Another weird aspect of this that I have come across when setting up a new account, is that some poorly designed websites will truncate the password I paste in without me noticing or the site giving me any input length validation error. I have seen this with maybe one or two sites, as far as I remember, so it’s not that many. In both cases, I used a fairly long password in the 60 character territory that was suggested to me by the password manager, and I was too lazy to shorten it or to use my own template, and so I just pasted it. Later on I could not log in and I could not figure out why if my life depended on it. I would reset it, set a new password, maybe log in if it logs me in automatically, log out, try to log back in and it would not let me in. Rinse, repeat. Then I figured it out, had a good laugh, and adjusted the length accordingly and it worked each time and every time from that point on.
From the top of my head, I seem to recall that BitWarden supports password history, which is a big plus for this manager, in my book. It’s also the only password manager that I know of that supports file attachments and custom fields. I know of and I tried a dozen of them, including big ones like 1Password, but I never tried BitWarden. But I don’t need to try BitWarden to know I would like it. The features I listed are pretty much a must-have for me, and none of the other managers tick all the boxes for me. Because, I am neck-deep in KeePass, and it supports all of this. KeePass (and its variants to some extent) have kept my passwords safe and secure for two decades! It even has its own viewers for file attachments. It’s like an aircraft carrier, it is self-sustained and has just about everything you could possibly need on board the ship. So BitWarden is the obvious choice for me to migrate to, if or when I decide to abandon KeePass.
As you can tell, I am excited about BitWarden. It took me a few rounds of testing and researching various password managers to discover BitWarden. Even so, I overlooked it and went on testing others. It doesn’t get talked about as much as the other commercial options. It’s only in the wake of the LastPass disaster that BitWarden started getting more attention (along with 1Password). To me at least, and for reasons I mentioned, BitWarden is the better choice. For me at least, it’s not about the price, it’s mainly about the feature set and having a good product overall. If it’s open source and comes with a free tier, that’s even better. But I don’t mind paying a monthly fee for a quality product. I often donate to open source projects, without anyone pushing me to do so. I have donated to KeePass for example. I read in the news that you can even run your own instance of BitWarden now, if you really want to or need to. So yeah, BitWarden is awesome. But I am not ready to make the jump just yet.
Going back to Spectre again, yes, you can’t change the password for a single site, for any reason – be it that the site is compromised and you want to change the password or that it’s that time of the year when you change your password on a schedule. You have to change the master password, which will change the password for that single site, which will consequently also change the password for every other site as well.
This wouldn’t be so bad, if Spectre could communicate this out to the remote systems, to the sites in question. So you don’t have to sit and click around 100 sites to update them on the change of passwords you made in your password manager. Periodically changing your passwords is a good thing. But to my knowledge, there are no password managers that can solve this disconnect. Password managers can’t push your password changes to the sites, and sites can’t push password changes to your manager. All password managers rely on add-ons (browser extensions) to fetch your passwords or password changes from input fields, to have them synchronized.
LastPass has a nifty little feature that’s supposed to help you with this to some extent, whereby I think it will open a new browser tab and navigate to a given URL/route on the site for which you have made a password change in LastPass, and then insert that password in the right input box on the site, and save the change. It sounds like magic, and a possible solution, but I doubt that it works correctly and that it works at all times, even as sites get updated. I haven’t tried it myself. But they have the right idea. More effectively, you would use an API for something like this, not some scripted browsing which is prone to error.
Putting a pin on all but a single password sounds like a good idea. It’s like pulling the hand brake while you push the gas and accelerate! 🏁🚗 Spectre definitely sounds like a fun ride! 😉
Thanks Brandon for this article, this product has an interesting concept for password management. It needs to be verified how secure the idea of generating a password using a series of keywords, as required for instantly generating the access password for a specific website, actually is. But it’s worth giving it a try and seeing how it works.
awesome