
Introducing... Vault - NOSTR Password Manager
A free, open source, and decentralized password manager.
Download extension: https://chrome.google.com/webstore/detail/vault-password-manager-on/namadahddjnkmjgdnncdlhioopmjiflm
Source code:
-- == --
More info:
Vault utilizes zero-knowledge encryption to safeguard your data while storing it on the NOSTR network for enhanced resilience. Vault saves all your passwords and notes securely by encrypting your data twice: once with your secret key and once with your passcode. Your data are not stored on any centralized server, but rather on a set of relay servers. This means that it is resilient to attacks and that you are the only one who can access your passwords.
Security experts recommend that you use a different, randomly generated password for every account that you create, and Vault makes this easy. Vault can generate passwords and store them for you; this means that you only need to remember one password, your passcode.
Looking to store and swiftly retrieve your data? Vault keeps items searchable, allowing you to effortlessly copy the desired information with a single click.
Vault is free, open source, and decentralized, and will always be.
-- == --
Status and questions:
- Version 1.0.0 approved on Chrome Web Store. Version 1.0.1 is the real version I wanna push to you guys; it might have to wait 24 hours for approval.
- Enhanced Safe Browsing? - Apparently, for new developers it generally takes a few months to become trusted.
- Read history? - Not really; it just needs to read what page you are currently on and paste the URL when you add new items.
-- == --
@The Nostr Report @jb55 @ODELL @Gigi @fiatjaf @jack @Derek Ross

Replies (83)

“not sure if it’s a great idea to use Nostr for this.“ I don’t see why not. It’s a great use case. Data are not stored on a single server that doesn’t belong to you. Data and services are not governed by one company. Here we encrypt data with our key and a passcode. In the near future, we'll include a one-time password (like Google Authenticator). This is secure, and free.
I love the idea and will probably test it for some small stuff. The only feedback I might give is that one potential downside is that the encrypted data is publicly available, which isn’t true for a normal password manager. Of course the data is still encrypted, but there are some concerns. Leaked keys and passwords carry much higher risk since it’s guaranteed that the hacker already has access to the encrypted content. Phishing attacks may be extremely prevalent and people need to be extremely careful of the client implementations. Again, I love seeing new implementations on Nostr and have always thought a password manager would be interesting, but want to make sure we are talking about all the potential risks! Would be curious to hear your thoughts on these issues and how they could be mitigated.
Hey. My next version, which is currently being reviewed, has a bit more explanation in the FAQ section. In short, it’s pretty safe in my opinion, because it is encrypted twice with two different things: you need to lose your secret key and also the password in order to lose your data. Also, if the community and user base like it, I plan to include a one-time password, so you can encrypt and decrypt with Google Authenticator (or equivalent).
Isn't that always the case? I mean, it's true that putting databases on relays instantly makes them public, but believing that in other implementations they are private is another security issue imo. Maybe I'm missing something, but everything on the internet should be treated as if it were public; don't be fooled into thinking that your passwords are private in the hands of a company. Even using solutions like KeePass there are no guarantees; data can be intercepted at any time if shared between devices, and strong encryption is the best solution we have. At least this is what I understand about online security, please correct me if I'm wrong.
That's a good question and a valid concern. So, we can store them also on our own relay. What about maybe a sync feature where all passwords are stored also in a local database that can be re-broadcast to different relays in the future? So, if your relays disappear, you aren't screwed, because you at least have a locally encrypted copy.
I don't think clients should run relays. Not doing so forces clients and relays to come up with an incentive model for the service they're offering. If a client runs a relay for its special purpose, the relay is artificially supported by the client service. If there is no incentive model for other relays to exist, the client becomes a centralized service with a front end and a database for the majority of users. Of course, you could run your own to experiment with how such a relay should operate, but an accepted model for relays to accommodate encrypted data needs to emerge.
Yeah, client operators running a particular type of relay for a particular use case is totally fine. I think something like pay per event might work. Keeping a balance might be tricky though if the user wants to stay anonymous (as is common with encrypted data). Maybe a relay could issue a payment key out of band and have the client AUTH with that?
Great work @Jingles, doing "other stuff" on Nostr :) Maybe this is just a bit of an idea: you could probably offer a dedicated relay as a server (like Bitwarden) and also a custom relay setting for users who want to self-host on their own private relay. Additionally, you can also use NIP-42 auth if the relay supports it, to make sure only specific users can access it safely. :)
Nice. Yes, some relay implementations already support NIP-42 authentication, which protects events from unauthorized reads (only whitelisted pubkeys can read). We can check their support based on the NIP-11 information. I think the nostr-tools library already supports NIP-42, so for certain relays you can probably utilize it to make it more secure.
Things are getting bigger, so I chickened out and decided to reduce the reward to 100,000 sats. If you hack its vault successfully, you’ll get a 12-word seed phrase to access 2 UTXOs with a total of 100,000 sats. I hope this amount will be enough to bring an active attacker to that account. PS. I’ve set up the account with a different nostr private key on a laptop that I’m going to factory reset, just to make sure that the attacker must aim their ion cannons at the vault’s backend/cloud or anything that stores the data, and not at the user side. I’m not a techy guy and I don’t want my laptop being targeted by a bunch of hackers 😂 Good luck, challenger! Also, I will notify on this post again when I get bored and decide to withdraw the reward.