Tell me why this a terrible idea [RYO Password Manager]

[sevsco]

So I'm not a huge fan of the password managers I've tried, they usually feel slow and clunky.

I created a simple little Jekyll site to host encrypted versions of passwords, and to decrypt all the passwords to plaintext client-side once a password is entered. New passwords can be encrypted client side and added manually to the Jekyll site via committing to the git repo. It's hosted for free on Github pages. Something like Netlify CMS could remove the manual aspect of it by providing an auth+backhaul to update the git repo via a client side gui.

Is this a terrible idea? If so, why?

Demo repo: https://github.com/cameroncowden/passwordman

Demo site: http://ge0de.ninja/

[shoo]

There's a few associated problems to solve. not impossible, just work to be done. Here's some off the top of my head:

When you go to that site and enter your master key to decrypt all the passwords, how do you guarantee that the script served by the site is the version of the script you expect, and not some other script that quietly posts your master key to a remote server? TLS + your own custom certificate + serving all resources from a domain that only has content you control ( not GitHub pages domain filled with content from arbitrary people) would help for a start. Maybe also https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

Need to be able to have reasonable confidence that your deploy pipeline and your repo holding the application code cannot be tampered with. How do you do that?

If you outsource storage of your encrypted passwords, how do you know your vendor still wants to provide service to you next week? Why should they still want your business? What do you do if they lose your data and cannot restore from backup? Might be worth spending a little money here for privacy & alignment of interests, or hosting it yourself.

How do you know you got the crypto right?

For anyone who isn't you, how do they know you got the crypto right?

[auganov]

Most immediate concerns:

   - you're leaking the list of websites
   - even if you encrypt everything you'd still be leaking the fact of adding/removing something
   - if your one password gets compromised all the others do
   - rouge extensions
   - keyloggers 
   - you're making yourself a target

If you host this behind a server-side login screen I think it's fine (besides browser vulnerabilities).

[poletopole]

Can we make this a regular thread on HN? Perhaps TMWN HN (Tell Me Why Not HN)? I have tons of ideas that I'm too embarrassed to get initial feedback on from HN. Once a month we can all pitch each other ideas and give feedback on others'.

[yesenadam]

I like it! Or maybe HNAsksHN: Is this a terrible idea? and explain the concept for the uninitiated. I nominate you to post it every month.

[poletopole]

I'm going to do it then! I'll make a thread on the 5th next month and if it goes well it'll be every 5th from there.

[mplewis]

If I clone this repo, I can take all the compute I want and crack your password brute force. How long is your password?

1Password has a secret pre shared key that a client must use along with your password to unlock the vault.

[quickthrower2]

You’d need 12 random generated words from a big dictionary or something like that as the password. Which puts more onus on memory.

The other problem is someone can cache the encrypted version forever then if they later discover what your password WAS then they are in!

[dsaravanan]

If one has a Blockchain mining gig, the passwords can be cracked consuming the enormous computation power

You can create a cloud app with strong security like Azure keyvault to make the idea robust and safe

[speedgoose]

The derived key is 256bits long. It should be fine unless someone plans to boil the oceans.

[thiago_fm]

all password managers i know work better than this, the paid ones offer infinitely more, the OSS one, keepass, is better and safer, it also has multiple integrations

no use, make it more interesting/better or it's useless

[mod]

What could go wrong?