Secret Scribble

An offline, open-source password manager for Windows

67 followers

A simple, open-source password manager that encrypts and manages your files locally. Includes basic features and some unique ones. It is also a good template for building your own custom password manager that fits your needs!
Company Info
secretscribble.42web.io | GitHub
Secret Scribble Info
Launched in 2024
Free
Launch tags:
Productivity•Open Source•Privacy
Launch Team
Drimiteros

Drimiteros
Da Deep Search
Maker
Hello Product Hunt community, today I am publishing a 4-month project of mine, Secret Scribble. It is an open-source, offline password manager. It began as a personal project, but now it can serve as a template for anyone looking to build their own custom password manager! It’s also a good standalone product that’s very simple to use. Essentially, it functions as a text editor that allows you to encrypt and decrypt text documents with a password. You can download it directly from its website for free and install it through an easy, standard process. The code may be a bit rough and could have minor security flaws, but you’re welcome to contribute and help improve it! You can find it on my GitHub [https://github.com/Drimiteros/Se...], where you’ll also find instructions on linking.
10mo ago
Yann Leretaille
Wingback
Hey @drimiteros, from a cursory glance:

- You are not using a password derivation function on the user-provided password/key. There is some weird shuffling going on in the "grade" function, but that is very predictable, and I wouldn't even call it a "weak" password derivation function.
- You are using AES CBC mode with a fixed, never-changing, null-byte IV. Apart from the fact that CBC is not ideal for this kind of application, you *have* to use a unique, random IV for every ciphertext and *never* re-use it. CBC also lacks authentication.
- Less critical, but bad practice: You are using rand() to generate random passwords. The C/C++ standard does not give any guarantees for the rand() function that would make it suitable for anything secure/related to cryptographic operations. You also seed it with srand(time(0)), which means that the output of the password generator is predictable.
- Lastly, you leaked your own loginInfo.txt, which given the weak password derivation could potentially allow someone to recover your password.

Unfortunately, this is all very bad. While I generally encourage others to get into cryptography and security and to not be afraid to play around with it, publishing and advertising this project like this seems at least somewhat irresponsible.

I highly encourage you to read up on:

- AES cipher modes, including modern ones with authentication (e.g., AES-GCM).
- What IVs actually do and why they need to be unique and random for each encryption operation.
- Password derivation functions (e.g., PBKDF2, bcrypt, or Argon2) to securely derive cryptographic keys from passwords.
- Cryptographically secure random number generators (CSPRNGs)
- How other password managers handle encryption, key management, etc.

You might also want to look at key wrapping techniques. I would also recommend adding a proper disclaimer on top of the GH project highlighting that this is a toy project and currently not suitable for real-world use.

I hope this message does not sound too discouraging and that you'll keep going at it - everyone has to start somewhere!
9mo ago
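
The third point in the comment above, as an added example (not code from Secret Scribble or from the commenter): a generator seeded from a clock value reproduces its output for the same second, while one drawing from the OS CSPRNG with rejection sampling does not. It assumes a POSIX system with `/dev/urandom` so that it runs as-is (on Windows, which the project targets, the equivalent source is `BCryptGenRandom`); the character set, function names and sample timestamp are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed character set (70 symbols), not taken from the project. */
static const char CHARSET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*";
#define NCHARS (sizeof(CHARSET) - 1)

/* Weak pattern from the comment: rand() seeded from a clock value.
   Anyone who knows or guesses the second of generation gets the same output. */
void weak_password(unsigned seed, char *out, size_t len) {
    srand(seed);                       /* stands in for srand(time(0)) */
    for (size_t i = 0; i < len; i++)
        out[i] = CHARSET[rand() % NCHARS];
    out[len] = '\0';
}

/* Hardened form: bytes from the kernel CSPRNG, with rejection sampling so
   every character is equally likely (no modulo bias). Returns 0 on success. */
int secure_password(char *out, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    /* Largest multiple of NCHARS that fits in a byte; higher values are discarded. */
    const unsigned limit = 256 - (256 % NCHARS);
    size_t i = 0;
    while (i < len) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if ((unsigned)c < limit)
            out[i++] = CHARSET[(unsigned)c % NCHARS];
    }
    out[len] = '\0';
    fclose(f);
    return 0;
}

int main(void) {
    char a[17], b[17], c[17], d[17];
    unsigned t = 1700000000u;          /* constructed timestamp, not from the page */
    weak_password(t, a, 16);
    weak_password(t, b, 16);
    printf("rand(), same second: %s / %s (%s)\n", a, b,
           strcmp(a, b) ? "differ" : "identical");
    if (secure_password(c, 16) || secure_password(d, 16)) return 1;
    printf("CSPRNG             : %s / %s\n", c, d);
    return 0;
}
```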
Drimiteros
Da Deep Search
Maker
@yann_leretaille Hey! Valid points, I will be preparing a reply to your issue on GitHub for the technical stuff. Stay tuned! 🙂
9mo ago
Yann Leretaille
Wingback
@drimiteros Sounds good! I'll keep an eye out!
9mo ago
Huzaifa Shoukat
Congrats on the launch! This looks like a great, simple solution for managing passwords securely. Any plans for adding more features down the line?
9mo ago
Drimiteros
Da Deep Search
Maker
@ihuzaifashoukat Yes! You can see what is in the works in the download section on the app's website! For a more detailed roadmap you can visit the app's Trello page: https://trello.com/b/HFSmdyyM/se...
9mo ago