Interesting concept from Hackaday. HIPPO is a proposed storeless password manager — instead of encrypting and storing your passwords in a vault, it computes them on the fly every time using an oblivious pseudorandom function (OPRF). Two secrets go in: your master passphrase on the client side, and a secret key held by the HIPPO server. Neither is ever transmitted raw. The output is a unique, deterministic, high-entropy password for each site — generated fresh on demand, never stored anywhere.
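To make the flow concrete, here is an added example (not HIPPO's code, and not from the Hackaday article) of the OPRF round trip described above: the client hashes its passphrase and site label into a group element, blinds it with a random exponent, the server raises the blinded value to its secret key, and the client unblinds and hashes the result into a site password. The group, labels and password alphabet are my own choices for a dependency-free demonstration; the Mersenne-prime group is a toy, and a real service would use a prime-order elliptic-curve OPRF such as the RFC 9497 ciphersuites.

```python
import hashlib
import math
import secrets
import string

# Demonstration group: Z_p^* for the Mersenne prime p = 2^521 - 1. It keeps the
# example dependency-free; a real HIPPO-style service would use a prime-order
# elliptic-curve group (e.g. an RFC 9497 OPRF ciphersuite) instead.
P = (1 << 521) - 1
ORDER = P - 1                    # order of the multiplicative group Z_p^*
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols

def hash_to_group(master: str, site: str, user: str) -> int:
    """H1: hash the client's secret input x to an element of Z_p^* (2..p-1)."""
    msg = b"HIPPO-demo-H1|" + "|".join((master, site, user)).encode()
    return 2 + int.from_bytes(hashlib.sha512(msg).digest(), "big") % (P - 2)

def server_keygen() -> int:
    """Server-side secret k; it never leaves the server."""
    return secrets.randbelow(ORDER - 2) + 2

def client_blind(master: str, site: str, user: str) -> tuple:
    """Step 1 (client): pick a fresh blinding exponent r and send H1(x)^r."""
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:      # r must be invertible mod the order
            return r, pow(hash_to_group(master, site, user), r, P)

def server_evaluate(k: int, blinded: int) -> int:
    """Step 2 (server): raise the blinded element to k. The server only ever
    sees H1(x)^r, which reveals nothing about the passphrase or the site."""
    return pow(blinded, k, P)

def client_finalize(r: int, evaluated: int, master: str, site: str, user: str,
                    length: int = 20) -> str:
    """Step 3 (client): strip the blind to recover H1(x)^k, then H2 it into a
    site password. Nothing is stored; rerunning the exchange regenerates it."""
    unblinded = pow(evaluated, pow(r, -1, ORDER), P)   # (H1^r)^k -> H1^k
    msg = b"HIPPO-demo-H2|" + "|".join((master, site, user)).encode()
    digest = hashlib.sha512(msg + unblinded.to_bytes(66, "big")).digest()
    n, chars = int.from_bytes(digest, "big"), []
    for _ in range(length):          # 512 bits is ample for 20 symbols of 70
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)

def derive_password(master: str, site: str, user: str, server_key: int) -> str:
    """Full round trip: client blinds, server evaluates, client finalizes."""
    r, blinded = client_blind(master, site, user)
    return client_finalize(r, server_evaluate(server_key, blinded), master, site, user)
```

Because the blind r is fresh each time, the value the server sees changes on every request even for the same site, while the password the client derives stays the same; change the passphrase, the site, or the server key and the output changes completely.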
The tradeoffs
The upside is real: no vault means nothing to crack. The tradeoff is equally real: you’ve just moved the single point of failure from your vault to the HIPPO server and its secret key. Vault compromise vs. server compromise — different attack surface, similar consequence if it goes wrong.
One commenter put it bluntly: “So, we’re back to one password for everything?” — which isn’t quite accurate, but the concern behind it is. Your master passphrase still carries enormous weight. If it’s weak or exposed, the server secret becomes your only line of defence.
The other gap: no native 2FA support. You’d need to layer that separately, which means HIPPO alone isn’t a complete solution.
Not a live service yet, so this is still theoretical. But the approach is worth watching — especially for anyone already sceptical of trusting a third-party vault after the LastPass breach, where stolen encrypted vaults were still being cracked years later.
Worth noting: one commenter suggested a mental algorithm instead — derive passwords from a formula in your head using site names and a memorable phrase. Neat in theory, but the moment someone figures out your algorithm, every password you’ve ever made is compromised. At least with HIPPO the server secret is an additional unknown.