mindless is a password manager that generates passwords using facial encodings: Throughout this process, no password, or facial data is ever stored, and password retrieval is done purely using functions.
Pretty much every password manager works by storing passwords in some "secure location". But really, how "secure" is this "secure" location? A reminder that Twitch, a company that makes billions a year, and is owned by Jeff Bezos, was hacked recently, leaking pretty much the entireity of the Twitch codebase. What if that happens to a password manager service? Are these companies that store millions, if not billions of passwords, not huge honeypot just waiting for something wrong to happen?
How do we avoid this? Well... why not just don't store the data in the first place? You can't possibly hack into something that isn't even being stored, can you?
mindless takes facial landmark encodings and generates a key based off of multiple landmark encodings that is isolated from face data. Everytime a password is to be retrieved, this key is used in conjunction with the encodings of a person's face based off of their landmarks, and a resulting password is generated via a hash function combined with other information. This means that in all, we are able to generate and retrieve passwords without ever storing a bit of face data or passwords.
Here.
Multiple sample face encodings are generated on multiple different sample images with face-recognition, all of a face in different positions. Then, the encodings are rounded and compared to eachother, and a "key", called "lock numbers" in mindless, are generated by finding positions in the rounded face encodings that every sample face encoding happens to share. These "lock numbers" are then stored and the facial data is then discarded.
Every password in mindless has 2 values associated with it: a label, and a domain the password is for. Whenever a user wants to retrieve password, mindless fetches new face encoding data from the webcam. This encoding data is then rounded, and values in the positions pointed out by "lock numbers" in this encoding is then used to generate a string. This string is then combined with the password's label and domain and put into a non-reversible hash function to produce the final password.
Because of this, whenever a user wants to make a new password, it's as simple as storing a domain that the password is for, along with a label on the domain. This data could be used at any time to generate/retrieve said password.
Because "lock numbers" are separated from the face data, there is no need to store the face data. And since the passwords can be generated from face data paired by the "lock numbers", there is no need to store the password, in the end creating a system that does not need to ever store the passwords themselves.
pip install face_recognition numpy opencv-python flask flask_cors pyperclipYou may want to consider creating a virtual env before doing this, this does pollute your user packages.
python app.py