Show HN: Self-hosted and self-contained web app password manager written in Go
I have written a passwords/secrets manager for my personal needs. Maybe it solves some of your problems too.
It is written in Go and is a self-contained executable for a small web-app: https://github.com/jarmo/secrets-web
There is also a CLI version if that is your taste: https://github.com/jarmo/secrets-cli
To read about more technical details, look into the core repository at https://github.com/jarmo/secrets
Any questions/comments/suggestions are welcome in here or via GitHub pull requests.
22 comments
[ 3.4 ms ] story [ 51.1 ms ] threadAt least with all these DIY password managers which are open-source you can see all the code, which is not true for any 3rd party custom made solutions.
Also, one of the reasons why I went with libsodium as an encryption solution is the exact same reason - I'm not a cryptograper and libsodium offers an easy and fool-proof API to not mess things up accidentally. This is not true for many other (popular) cryptography solutions.
*edit... well except the autofill, but that's why there is good old copy and paste :)
You get one additional feature that others don't get, and that's Google and likely all sorts of government agencies being able to record all your passwords. Great feature.
But yeah, as already mentioned - it breaks the privacy and security principles. I would recommend you try anything else, which is actually meant for storing passwords/secrets and when switching, then change all your passwords :)
Its open source(https://github.com/bitwarden), so self hosting is possible as well => https://help.bitwarden.com/article/install-on-premise/
Disclosure: I've been using it for a year now. $10 per year paid plan. Just renewed again.
I use it across my iPhones and iPads, and all the major browsers on my Mac. Plus, my business partner and I have a shared vault in 1Password for commonly needed account passwords. It’s super useful.
https://www.passwordstore.org/
Caveat: It's self-hosted.
Windows, Mac, Linux, CLI, supports all major browser and supports filling on iOS (Don't have experience with Android). It's just not open source but it's a pretty great package and I'm using it for a long time already.
This project has it all except autofill. Okay, to be really honest then on mobile you need to access secrets via browser (UI is responsive though) and there's no separate app for that.
Autofill is not supported and I don't plan to add it on purpose. It's even written in the core project (https://github.com/jarmo/secrets) README:
"does not auto-fill any passwords anywhere (you don't want that anyway) - it's up to you how you will fill your passwords;".
There's one link to an article regarding possible problems with autofills https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-u...
When it comes to mobile apps then I don't find them that important to add yet another possible attack vector (also mentioned in the README) since it's pretty easy to copy-paste whatever is needed.
I got fed up with switching these services so often and didn't want to do the same thing yet again (and can't remember what alternatives existed back then).
Since security has been my point of interest for years I decided to look into building my own so that I would actually know for sure (as long as cryptography itself is secure) about all the parts - how secrets are encrypted, how they're stored and how they're synced. It was spring 2015 when I wrote my first password manager in Ruby. It worked great, but the problem was that I didn't want to install Ruby and its gems on every system where I wanted to access my secrets so I went with Go and this is where secrets-cli (https://github.com/jarmo/secrets-cli/) grew up. After that I decided that I'd also want to access secrets via browser and created secrets-web (https://github.com/jarmo/secrets-web/). Web and CLI versions are interoperable between each-other so that you can use either one of them or both at the same time.
Regarding this:
> There should be no problems with running on a publicly-accessible server [...]
Looking at the https://github.com/jarmo/secrets-web source code, I don't see any place where it sets the `Content-Security-Policy` header. Or am I missing something?
Thanks for making me look into it and finding out about this problem.