[bob1029]

I am completely over the idea of storing secrets inside of one of these 3rd party systems. I've currently got a team member writing an internal secret storage app for our organization.

Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes. Throwing a CRUD web app on top of this and making it accessible to your employees - maybe another day or 2.

I really don't know why you'd risk this sort of stuff with a 3rd party. It just boggles my mind. What are they doing that you can't do? Even a 3 person startup can probably find time around a weekend to knock this out once and for all.

Edit: clearly I missed an important point. We don't care about browser integration. I am not going for 1:1 feature replacement. If you seriously believe "a safe place to keep internal text" is an extremely hard problem that absolutely must be outsourced, I don't know why you would even be involved in technology.

[sk0g]

Those are the most project manager estimates I've ever heard!

Security seems to be missing entirely from the requirements, for one thing. Access control as well.

[mozman]

To be fair audit logging was mentioned, just don't log the secrets!

[sk0g]

All of that within the first 30 minutes though! I would probably take that long to stand up a DB for testing locally, re-learn $DB's table creation syntax, and connect to it from $lang.

[skrebbel]

I've wondered why so many software companies have so extremely many engineering employees. SaaSes raising a 9-figure Series D and hiring thousands of devs for a customer support app. I just never got it, I wondered about this for years.

But now, thanks to your comment, I finally understand.

[ericabiz]

Why would you spend dev time on this when you can set up something like Bitwarden across the org and have all the same benefits without wasting precious dev time on it?

FWIW I’m on 1Password and it hasn’t had any of these issues, either. I would not spend dev time on this as a startup/software company founder.

[have_faith]

Looking forward to the audit and post-mortem

[danparsonson]

> Creating a SQL schema with a "Secrets" table and maybe some audit logging and organizational extras should take a seasoned developer ~30 minutes.

No it would take a junior developer 30 minutes; a seasoned developer would look at you sideways and recommend self-hosting something like Bitwarden.

[junon]

> What are they doing that you can't do?

I highly doubt your engineer is doing proper cryptographic handling of data like they do.

[8organicbits]

LastPass hasn't been doing proper cryptography, so that part may be a fair bet.

If you use Django's default hasher, for example, you get more hashing rounds in the default config and they increase those periodically (the latter part that LastPass is struggling with, per the article).

https://github.com/django/django/blob/650ce967825aa192222391...

[wruza]

What are they doing that you can't do?

Browser and phone integration: autofill, autoupdate. You can do that too, but it’s not a trivial effort. It’s important because otherwise users will sacrifice security for convenience.

Lastpass also knows how to autochange for some sites. It was hard to lose when I left.

[8organicbits]

Self-hosting Bitwarden (edit: or Vaultwarden) may be a better approach. I'd recommend checking your feature list against Bitwarden to see what you forgot about. There's a lot of usability concerns that quickly become security-critical in a tool like this. Also review the security fixes that have been applied to BW, a rewrite will need to avoid these mistakes as well.

[rcxdude]

why not use an existing self-hostable option like bitwarden (possibly using one of the easier to setup up servers like vaultwarden)? Then your estimates might actually be accurate.

[cube00]

Never roll your own security.