So I'm not a huge fan of the password managers I've tried; they usually feel slow and clunky.<p>I created a simple little Jekyll site to host encrypted versions of passwords, and to decrypt all the passwords to plaintext client-side once a password is entered. New passwords can be encrypted client-side and added manually to the Jekyll site by committing to the git repo. It's hosted for free on GitHub Pages. Something like Netlify CMS could remove the manual aspect of it by providing an auth+backhaul to update the git repo via a client-side GUI.<p>Is this a terrible idea? If so, why?<p>Demo repo: https://github.com/cameroncowden/passwordman<p>Demo site: http://ge0de.ninja/
There are a few associated problems to solve; not impossible, just work to be done. Here are some off the top of my head:<p>When you go to that site and enter your master key to decrypt all the passwords, how do you guarantee that the script served by the site is the version of the script you expect, and not some other script that quietly posts your master key to a remote server? TLS + your own custom certificate + serving all resources from a domain that only has content you control (not a GitHub Pages domain filled with content from arbitrary people) would help for a start. Maybe also <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/Security/Subres...</a><p>You need to be able to have reasonable confidence that your deploy pipeline and the repo holding the application code cannot be tampered with. How do you do that?<p>If you outsource storage of your encrypted passwords, how do you know your vendor still wants to provide service to you next week? Why should they still want your business? What do you do if they lose your data and cannot restore from backup? It might be worth spending a little money here for privacy and alignment of interests, or hosting it yourself.<p>How do you know you got the crypto right?<p>For anyone who isn't you, how do they know you got the crypto right?
Most immediate concerns:<p><pre><code> - you're leaking the list of websites
- even if you encrypt everything you'd still be leaking the fact of adding/removing something
- if your one password gets compromised all the others do
- rogue extensions
- keyloggers
- you're making yourself a target
</code></pre>
If you host this behind a server-side login screen I think it's fine (besides browser vulnerabilities).
Can we make this a regular thread on HN? Perhaps TMWN HN (Tell Me Why Not HN)? I have tons of ideas that I'm too embarrassed to get initial feedback on from HN. Once a month we can all pitch each other ideas and give feedback on others'.
If I clone this repo, I can take all the compute I want and crack your password by brute force. How long is your password?<p>1Password has a secret pre-shared key that a client must use along with your password to unlock the vault.
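Added example (not code from the passwordman repo or from 1Password) of the two-secret unlock scheme this comment describes: the vault key is derived from the memorised password and from a random, device-held secret key, so a copy of the public repo alone is not enough to test password guesses offline. Function names, the verifier tag and the sample values are assumptions made up for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; raise it for a real vault


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine the memorised password with a device-held secret key.

    The password goes through a slow KDF; the secret key (random, never
    committed to the repo) is mixed in, so whoever clones the repo still
    lacks one of the two inputs needed to check a password guess.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    sk_part = hmac.new(secret_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def new_vault(password: str, secret_key: bytes) -> dict:
    """Return the public metadata that can safely live in the git repo."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(password, secret_key, salt)
    # A keyed tag lets the client confirm it derived the right key; someone
    # holding only the repo cannot compute it without the secret key.
    verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "verifier": verifier}


def unlock(vault: dict, password: str, secret_key: bytes):
    """Return the vault key on success, None if password or secret is wrong."""
    key = derive_vault_key(password, secret_key, bytes.fromhex(vault["salt"]))
    tag = hmac.new(key, b"vault-verifier", hashlib.sha256).hexdigest()
    return key if hmac.compare_digest(tag, vault["verifier"]) else None


if __name__ == "__main__":
    sk = secrets.token_bytes(32)  # generated once, kept only on the user's devices
    vault = new_vault("correct horse battery staple", sk)  # constructed sample password
    print(unlock(vault, "correct horse battery staple", sk) is not None)  # True
    print(unlock(vault, "correct horse battery staple", secrets.token_bytes(32)))  # None
```

The vault dict is all that the repo would hold alongside the encrypted entries; the secret key travels out-of-band to each device.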
If one has a blockchain mining gig, the passwords can be cracked by consuming its enormous computation power.<p>You can create a cloud app with strong security, like Azure Key Vault, to make the idea robust and safe.
All password managers I know work better than this; the paid ones offer infinitely more, and the OSS one, KeePass, is better and safer, and it also has multiple integrations.<p>No use; make it more interesting/better or it's useless.