Replies (102)
I tried building an easy-to-use password manager for the normie market 8 years ago.
One of the biggest problems I had was how I might easily backup and sync their passwords across devices without trusting me, a single point of failure. Never figured it out.
When I learned about nostr this was the first non-social media use case that came to mind. So glad to see someone run with it!
Firefox supports MV3 extensions since v109 released in January. I’m willing to port, publish and support a Firefox version. 🤙🏻 I’ve been a Firefox dev since the Phoenix days. 😎
@JeffG
Remember the non-social use case, and nostr fixes this?
I would be interested in a Firefox extension. 🤙🏻
I’m glad to see your message mate.
Try version 1.0.1 tomorrow after Google approves it.
It’s great.
This is interesting. Would love to hear feedback from devs and other independent tech security folks on this as it progresses 🤙🏻
❤️
Yes! I wasn’t able to do it yet. Would love to work with you on it. I’ve also set up geyser fund and ready to go.
💜
🚀
Exactly. I hope devs can help audit it.
But so far, it’s pretty simple, using the same encryption we used to hash DMs, and adding another hash on top of it, using a standard package to hash with your passcode.
Try it! Version 1.0.1 is under review. Should be out tomorrow. That’s the major release.
Whoa, this is amazing.
ahahah, I don't mind!
I just think it settles down a little and you arrive at something that looks like a final format for the events -- or when someone else starts to implement the same standard -- we write a NIP describing what you're doing.
I already found it in Chrome.
duuuude so cool!
@Max will be happy 😀
YUUUGE
We are all here building products to provide use cases that onboard non-bitcoin users into the freedom tech world.
I love the idea and will probably test it for some small stuff. The only feedback I might give is that one potential downside is that the encrypted data is publicly available, which isn’t true for a normal password manager.
Of course the data is still encrypted, but there are some concerns. Leaked keys and passwords carry much higher risk since it’s guaranteed that the hacker already has access to the encrypted content. Phishing attacks may be extremely prevalent, and people need to be extremely careful of the client implementations.
Again, I love seeing new implementations on Nostr and have always thought a password manager would be interesting, but want to make sure we are talking about all the potential risks! Would be curious to hear your thoughts on these issues and how they could be mitigated
Yup! That’s version 1.0. I thought Google would allow me to update the package after reviewing. But nope! I need to submit another one, which takes another 24 hours lol
🤝
I’m going to write NIP for it. Or at least a “format docs” for it. I have also embedded a schema version into it currently, so it doesn’t break apps.
Hey. In my next version, which is currently being reviewed, there are a bit more explanations in the FAQ section.
In short, it’s pretty safe in my opinion, because it is encrypted twice with 2 different things.
You need to lose your secret key, and also the password, in order to lose your data.
Also, if the community and user base like it, I have plans to include a one-time password, so you can encrypt and decrypt with Google Authenticator (or equivalent).
Fuck yes finally!
👀👀👀👀👀
Authenticator would be a great addition IMO - especially if you can do physical security keys using U2F. Looking forward to the FAQ and congrats on the release!
💪🏻🔨🔥
That's awesome!
If you make it cross platform, I'll pay out my 2.1 mil sat bounty
Not sure what’s the background story. But making someone happy is indeed great!
Try it tomorrow! Version 1.0.1 is under review right now. It’s just “more complete” that’s all.
“not sure if it’s a great idea to use Nostr for this.“
I don’t see why not. It’s a great use case.
Data are not stored on a single server that doesn’t belong to you. Data and services are not governed by one company.
Here we encrypt data with our key and a passcode. In the near future, this will include a one-time password (like Google Authenticator).
This is secure, and free.
Are relays going to store encrypted data for you though? It would suck to lose all your passwords.
Context: I'm working on multiple features that rely on storing encrypted data on relays.
Wow, very excited to play with this! Thanks 🤙
charges a ridiculously small price to store your pictures today.
If we have 3 of these providers you can probably pay them all a total of 50 satoshis and they will store your stuff for a million years.
Having them just be content-agnostic Nostr relays makes the integration easier for everybody.
Try it! It’s working good.
Try it tomorrow for version 1.0.1, it’s pending approval. It’s just “more complete”.
Man, that is a high-risk, high-reward project. Great when it works, but if something fails your passwords are really out there, bro.
SLAs
As more and more valuable data is ingested by Nostr use cases this will need to happen (and pretty sure will happen organically)
It’s in my plan to launch relay just to store this for users. Do you think that would be a good idea that would partially solve this?
Isn't that always the case? I mean, it's true that putting databases on relays instantly makes them public, but believing that in other implementations they are private is another security issue imo. Maybe I'm missing something, but everything on the internet should be treated as if it were public; don't be fooled into thinking that your passwords are private in the hands of a company. Even using solutions like KeePass there are no guarantees, data can be intercepted at any time if shared between devices, strong encryption is the best solution we have. At least this is what I understand about online security, please correct me if I'm wrong
that's a good question and valid concern. so, we can store them also on our own relay. what about maybe a sync feature where all passwords are stored also in a local database that can be re-broadcasted to different relays in the future? so, if your relays disappear, you aren't screwed because you at least have a locally encrypted copy?
absolutely. i really think we'll see NIP-95 relays at some point as well. specialized relays will become commonplace. your purplepag.es relay is a great example of this too.
oh. was there a bounty for a password manager? 👀
I think if we don't see this it'll be a sign that nostr failed
Yup. In version 1.0.1, there is a roadmap section. A specialised relay is part of the plan.
Amazing. Thank you for your work on this.
🔥🔥🔥
In the current code, encrypted data are stored locally. And if for some reason the relay you are connected to says “no data”, it will NOT override your local data.
See GitHub for implementation.
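The sync rule in the reply above (keep a local encrypted copy, never let an empty or partial relay response wipe it, and be able to rebroadcast to other relays as suggested earlier in the thread), as an added example that is not the project's code. It assumes vault snapshots are parameterized replaceable events keyed by a `d` tag, and applies the NIP-01 replacement rule (newest `created_at` wins, lowest `id` on a tie).

```javascript
// Added example, not the extension's implementation. Assumes one
// parameterized-replaceable event per vault entry/snapshot, keyed by "d".
function dTag(ev) {
  const t = ev.tags.find((x) => x[0] === 'd');
  return t ? t[1] : '';
}

// NIP-01 replacement rule: newer created_at wins; on a tie the lower id wins.
function newer(a, b) {
  return a.created_at > b.created_at || (a.created_at === b.created_at && a.id < b.id);
}

// Merge what the relay returned into the local vault. The local copy is the
// baseline, so a "no data" (empty) relay response changes nothing except that
// every local event is queued for (re)broadcast.
function mergeVault(localEvents, relayEvents) {
  const merged = new Map();
  for (const ev of localEvents) merged.set(dTag(ev), ev);
  for (const ev of relayEvents) {
    const cur = merged.get(dTag(ev));
    if (!cur || newer(ev, cur)) merged.set(dTag(ev), ev);
  }
  const relayIds = new Set(relayEvents.map((e) => e.id));
  const vault = [...merged.values()];
  const toPublish = vault.filter((ev) => !relayIds.has(ev.id)); // missing on this relay
  return { vault, toPublish };
}

// Constructed sample events (ids/contents are placeholders, not real events).
const LOCAL = [
  { id: 'aaa1', kind: 30078, created_at: 1700000100, tags: [['d', 'vault']], content: '<enc v1>' },
  { id: 'bbb2', kind: 30078, created_at: 1700000050, tags: [['d', 'vault-2fa']], content: '<enc>' },
];
const RELAY_NEWER = [
  { id: 'ccc3', kind: 30078, created_at: 1700000200, tags: [['d', 'vault']], content: '<enc v2>' },
];

module.exports = { mergeVault, LOCAL, RELAY_NEWER };
```

Run `mergeVault(LOCAL, [])` to see the empty-relay case: the vault is unchanged and both local events are returned in `toPublish`; with `RELAY_NEWER` the newer relay snapshot replaces the local one and only the entry the relay lacks is queued.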
🙏🙏🙏
Yes exactly!
Yea. Currently, with all the password managers out there, people are trusting a company to safeguard encrypted passwords in its database, encrypted with one master password.
One of those great ideas that are totally obvious in hindsight! Nostr is amazing
Great works
@Jingles doing "other stuff" in Nostr :)
Maybe this is just a bit of an idea: you can probably offer a dedicated relay as a server (like Bitwarden), and also a custom relay setting for users who want to self-host on their own private relay. Additionally, you can also use NIP-42 auth, if the relay supports it, to make sure only specific users can access it safely. :)
it won't help all that much, but maybe we'll see people generate specific sets of keys for password management so that it's not specifically tied to their main keys.
@geeknik seems to be onboard to make one for Firefox.
Then we need someone to make one in React Native, for iOS and Android.
And then mass adoption for nostr protocol.
💜
Absolutely awesome!
Does need a custom logo though 😜
I do imagine people will eventually have 10 keys for 10 different purposes in the future. No one says you can only have 1 key.
Just that right now, the “and other things” are coming.
Ya!! I’m embarrassed to ask you. But your work is amazing
I was thinking. This logo is bad! It’s someone looking at my password. Lol
Instead of trusting one company now I have to trust 30 relays? Not going to end well
Already have some ideas 🤗. On it!
This is cool, but also a honey pot.
😍
You don’t have to trust them at all. They are just holding things for you.
Trust in your key and your passcode.
Next will be adding one time password, so you can trust that 30 seconds of 6 digit numbers too.
How’s that sound?
Indeed! It’s in the roadmap. In version 1.0.1 there is a roadmap section. Specialised relay to provide this service.
I have not looked into NIP 42. Mmm
medium. you'd have to crack both encryption methods.
Why increase the attack surface? Doesn’t benefit anyone at all especially now when you can host your own server yourself
Nice.
Yes, some relay implementations have supported NIP-42 authentication, which protects events from unauthorized reads (only whitelisted pubkeys can read). We can check their support based on NIP-11 information. I think the nostr-tools library already supports NIP-42, so for certain relays you can probably utilize it to make it more secure.
Yup. And plans to open source a specialised relay so anyone can spin up their own just to store all sorts of sensitive data.
I don't think clients should run relays. Not doing so forces clients and relays to come up with an incentive model for the service they're offering. If a client runs a relay for their special purpose, the relay is artificially supported by the client service. If the incentive model for other relays to exist doesn't exist, the client becomes a centralized service with a front end and a database for the majority of users.
Of course, you could run your own to experiment with how such a relay should operate, but an accepted model for relays to accommodate encrypted data needs to emerge.
Cool. I think I’m just searching the NIP surface. There’s so many going on.
I have a thought about you saying “storing sensitive data”. I was thinking we can make a specialised relay, open source relay, for storing all sensitive data. So anyone can spin up their own if they like. Otherwise, we can host one or two too.
Yes, nostr developments are really fast to catch up 😅
Also, Good luck with your Geyser fund proposal, hopefully you can get some support there
Yeah, client operators running a particular type of relay for a particular use case is totally fine. I think something like pay per event might work. Keeping a balance might be tricky though if the user wants to stay anonymous (as is common with encrypted data). Maybe a relay could issue a payment key out of band and have the client AUTH with that?
Food for thought.
If you have similar use case, and we can get more hands on deck to design something.
🙏
Yes, let's put a pin in it. I want to address this at some point, but don't currently have the time and public relays seem to be ok with encrypted data for the most part. Once they start rejecting encrypted events and it breaks Coracle this will be top of the list.
Whoa. This looks cool. Going to dig in tomorrow.
Why tho?
Run your vaultwarden server at home and be done with it. 🤷♂️
This is freaking awesome! And surprising someone hasn’t already created it. Can we get a Firefox extension too?
👏👏👏
Aside from the Nostr-based aspects of this, I see no advantage this has over a self-hosted Bitwarden server or cloud-synced KeePass solution.
Okay, I’m going to prove its effectiveness.
I’ll save my seed phrase for a segwit wallet that stores 0.01 btc inside with this thing.
With no further information available, hack it and the funds are yours.
Yea you can say so.
1. Technology exploration.
2. There are a ton of password managers out there; there is no advantage to using LastPass (just for instance)
3. Giving people the options
4. Inspiring other devs to think outside social use case
I hope a dev will port it. Just wait and see. It might happen.
I mean yeah it’s cool but not seeing the value add here. Can I get an eli5?
I’m thinking where should I put this information. GitHub? This is a great bounty and hackathon. 😄
The more cool stuff like this the more I regret not being able to trust my private key because I generated it on Iris
Feel free to share this challenge everywhere you see fit. But I might have to take a few days (or weeks) to set up this password manager because I’m not a very techy guy.
Generate new ones for new use cases. On the extension it’s just a single click to onboard.
I expect nostr users will have 10 keys for 10 different unique use cases in the future.
Bringing passwords into the Nostr system?
I’ll wait and see first whether it’s safe.
Interesting..
Hey, its just an easy extension setup, I think I can easily deposit it tonight 🤣
Alright man! I’m setting up a bounty page. For finding bugs, finding vulnerabilities, and feature requests.
If you’re sponsoring a challenge, I’ll gladly post it very clearly.

Things are getting bigger so I chickened out and decided to reduce the reward to 100,000 sats.
If you hack its vault successfully, you’ll get a 12-word seed phrase to access 2 UTXOs with a total of 100,000 sats.
I hope this amount will be enough to bring an active attacker to that account.
Ps.
I’ve set up the account with a different nostr private key on a laptop that I’m going to factory reset, just to make sure that the attacker must aim their ion cannons at the vault’s backend/cloud or anything that stores the data, and not at the user side. I’m not a techy guy and I don’t want my laptop being targeted by a bunch of hackers 😂
Good luck, challenger!
Also, I will notify on this post again when I’m bored and decide to withdraw the reward.
You are all tremendously funny in every circumstance. I admire your ability to work together in your own particular way. Thanks for everything 🙏🗽💜♾️
🫶🏻
Since the npub tags aren’t working when published via Habla.news 😬
Moderated communities:
@Vitor Pamplona
Proxy tags:
@Alex Gleason
NIP 65 rewrite
@Vitor Pamplona
Vault
@Jingles
Nostrscript
@jb55
Relay backup
@iefan 🕊️
Stoked for this at steady state