Show HN: Self-hosted and self-contained web app password manager written in Go

40 points by jarm0 ↗ HN
I have written a passwords/secrets manager for my personal needs. Maybe it solves some of your problems too.

It is written in Go and is a self-contained executable for a small web-app: https://github.com/jarmo/secrets-web

There is also a CLI version if that is your taste: https://github.com/jarmo/secrets-cli

To read about more technical details, look into the core repository at https://github.com/jarmo/secrets

Any questions/comments/suggestions are welcome in here or via GitHub pull requests.

22 comments

[ 3.4 ms ] story [ 51.1 ms ] thread
Cool project. Unfortunately, the reality with password managers is that if I'm going to use it, then it needs to support Windows, Mac, Linux; have a good CLI; support all major browsers; and have apps and autofill on most mobile devices. And they need to sync, through my own server. Most password manager projects have one or two of these, but it's gonna need the whole package for me to switch to it.
Add a security team on top of that. Unless I'm a crypto expert, it's unlikely that I'll use some DIY password manager on my desktop. Also agree that browser support is quite a major reality of password managers today. Unless you can do that, you're basically a "secrets storage".
That's a good principle in theory, but how do you know that using any 3rd party password manager is any better? There has been plenty of security problems with all of the major providers as far as I'm concerned.

At least with all these DIY password managers which are open-source you can see all the code, which is not true for any 3rd party custom made solutions.

Also, one of the reasons why I went with libsodium as an encryption solution is the exact same reason - I'm not a cryptograper and libsodium offers an easy and fool-proof API to not mess things up accidentally. This is not true for many other (popular) cryptography solutions.

and this is why I use a Google Sheet as mine :) I know most will say I'm nuts... but I'm sure I'm not the only one out there and I get everything you just described for free.

*edit... well except the autofill, but that's why there is good old copy and paste :)

> I get everything you just described for free.

You get one additional feature that others don't get, and that's Google and likely all sorts of government agencies being able to record all your passwords. Great feature.

I don't kid myself... I'm not that important... no one is looking through the crap I have on my Google Drive.
Yea you have zero security w/ this solution. I doubt it's even encrypted.
This is a really simple and definitely a better solution than not using any password manager at all (if we leave out possible government/Google issues, which I personally would definitely not leave out).

But yeah, as already mentioned - it breaks the privacy and security principles. I would recommend you try anything else, which is actually meant for storing passwords/secrets and when switching, then change all your passwords :)

Looks like https://bitwarden.com/ meets all your requirements

Its open source(https://github.com/bitwarden), so self hosting is possible as well => https://help.bitwarden.com/article/install-on-premise/

Disclosure: I've been using it for a year now. $10 per year paid plan. Just renewed again.

How are bitwarden/1password better than password manager for chrome and other browsers?
They work outside the browser. They work in more than one browser. They have more features.
This.

I use it across my iPhones and iPads, and all the major browsers on my Mac. Plus, my business partner and I have a shared vault in 1Password for commonly needed account passwords. It’s super useful.

Have you heard of "pass"? It's a minimal but very practical password manager best used on *nix terminal, but has great extensions and works on Android and iOS. (the iOS app is the main thing keeping me on my iPhone...). Everything is free and open-source.

https://www.passwordstore.org/

Caveat: It's self-hosted.

https://1password.com/downloads

Windows, Mac, Linux, CLI, supports all major browser and supports filling on iOS (Don't have experience with Android). It's just not open source but it's a pretty great package and I'm using it for a long time already.

Thanks!

This project has it all except autofill. Okay, to be really honest then on mobile you need to access secrets via browser (UI is responsive though) and there's no separate app for that.

Autofill is not supported and I don't plan to add it on purpose. It's even written in the core project (https://github.com/jarmo/secrets) README:

"does not auto-fill any passwords anywhere (you don't want that anyway) - it's up to you how you will fill your passwords;".

There's one link to an article regarding possible problems with autofills https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-u...

When it comes to mobile apps then I don't find them that important to add yet another possible attack vector (also mentioned in the README) since it's pretty easy to copy-paste whatever is needed.

Neat. I'm curious, which problems did you have with existing password managers that made you write your own? You mention Lastpass and mitro in the REAMDE, but there are lots of other good options available, like KeePass or Bitwarden.
I was using LastPass at first. I even paid them some money to have support on mobile. I didn't like LastPass because their UI was just really ugly and I saw some security problems being discovered. Switched to mitro since it was free and UI wasn't bad. Worked great, but unfortunately they ceased their service.

I got fed up with switching these services so often and didn't want to do the same thing yet again (and can't remember what alternatives existed back then).

Since security has been my point of interest for years I decided to look into building my own so that I would actually know for sure (as long as cryptography itself is secure) about all the parts - how secrets are encrypted, how they're stored and how they're synced. It was spring 2015 when I wrote my first password manager in Ruby. It worked great, but the problem was that I didn't want to install Ruby and its gems on every system where I wanted to access my secrets so I went with Go and this is where secrets-cli (https://github.com/jarmo/secrets-cli/) grew up. After that I decided that I'd also want to access secrets via browser and created secrets-web (https://github.com/jarmo/secrets-web/). Web and CLI versions are interoperable between each-other so that you can use either one of them or both at the same time.

Congrats for doing this!

Regarding this:

> There should be no problems with running on a publicly-accessible server [...]

Looking at the https://github.com/jarmo/secrets-web source code, I don't see any place where it sets the `Content-Security-Policy` header. Or am I missing something?

All security headers were supposed to be added by gin-contrib/secure middleware (https://github.com/gin-contrib/secure). However, your comment made me verify that it actually works as it was doing at the time of starting to use that. I noticed that headers were not present - it seems that somehow the order of registering middlewares had made it not work. I've released a new version where they all work https://github.com/jarmo/secrets-web/releases/tag/v1.0.1

Thanks for making me look into it and finding out about this problem.