Tell me why this a terrible idea [RYO Password Manager]
So I'm not a huge fan of the password managers I've tried, they usually feel slow and clunky.
I created a simple little Jekyll site to host encrypted versions of passwords, and to decrypt all the passwords to plaintext client-side once a password is entered. New passwords can be encrypted client side and added manually to the Jekyll site via committing to the git repo. It's hosted for free on Github pages. Something like Netlify CMS could remove the manual aspect of it by providing an auth+backhaul to update the git repo via a client side gui.
Is this a terrible idea? If so, why?
Demo repo: https://github.com/cameroncowden/passwordman
Demo site: http://ge0de.ninja/
11 comments
[ 2.8 ms ] story [ 39.3 ms ] thread1Password has a secret pre shared key that a client must use along with your password to unlock the vault.
The other problem is someone can cache the encrypted version forever then if they later discover what your password WAS then they are in!
You can create a cloud app with strong security like Azure keyvault to make the idea robust and safe
When you go to that site and enter your master key to decrypt all the passwords, how do you guarantee that the script served by the site is the version of the script you expect, and not some other script that quietly posts your master key to a remote server? TLS + your own custom certificate + serving all resources from a domain that only has content you control ( not GitHub pages domain filled with content from arbitrary people) would help for a start. Maybe also https://developer.mozilla.org/en-US/docs/Web/Security/Subres...
Need to be able to have reasonable confidence that your deploy pipeline and your repo holding the application code cannot be tampered with. How do you do that?
If you outsource storage of your encrypted passwords, how do you know your vendor still wants to provide service to you next week? Why should they still want your business? What do you do if they lose your data and cannot restore from backup? Might be worth spending a little money here for privacy & alignment of interests, or hosting it yourself.
How do you know you got the crypto right?
For anyone who isn't you, how do they know you got the crypto right?
no use, make it more interesting/better or it's useless