
Show HN: Secrets 2 – Simple, secure password manager for Mac and iOS - pfandrade
https://outercorner.com/secrets/?utm_source=hn
======
kameit00
The information that it's free for only 10 items is quite hidden. For me,
that is not so confidence-inspiring.

1.) Because the first thing I thought was 'what's their business model?'.

2.) Because why not call it an unlimited trial with 10 items, to make it
clear it's not free.

Don't get me wrong - I like to pay for software, because I want to honour the
work of others.

~~~
mathgeek
Agreed. This is shareware more than freemium. I actually prefer the correct
terminology in this case as freemium implies ads (in my mind).

------
pfandrade
Secrets 2 is out and it's going Freemium!

For the past 6 months since our initial release, we've been squashing bugs,
implementing features that didn’t make our MVP and applying polish throughout.
At the same time, we’ve been studying various options to provide a trial for
users wanting to test Secrets before buying.

To address this need and to show users new to password managers just how easy
and efficient using one can be, we're making Secrets and all its features free
to use with up to 10 items. Unlocking unlimited items is done via an In-App
purchase.

With Secrets we put security first. Secrets stores your data using the OpenPGP
standard, a battle-proven standard that has already seen a few revisions. This
also allows users to easily self-verify how their data is stored using
third-party tools.

We also strived to make it extremely simple to work with, not just from a UX
perspective but also from a security perspective. Only the main app will ever
handle your passphrase and encryption/decryption. Helper apps, browser
extensions, etc. must go through it to get to your data (and require user
confirmation).

So if you haven't tried Secrets yet, now is the time! Download Secrets for Mac
and iOS today.

~~~
nixgeek
What does the communication path between untrusted <-> trusted components look
like, and are you doing anything special which might prevent the
vulnerabilities which Project Zero recently reported in 1Password[1],
LastPass[2], Dashlane[3] et al?

[1] [https://bugs.chromium.org/p/project-zero/issues/detail?id=888](https://bugs.chromium.org/p/project-zero/issues/detail?id=888)

[2] [https://bugs.chromium.org/p/project-zero/issues/detail?id=884](https://bugs.chromium.org/p/project-zero/issues/detail?id=884)

[3] [https://bugs.chromium.org/p/project-zero/issues/detail?id=890](https://bugs.chromium.org/p/project-zero/issues/detail?id=890)

~~~
pfandrade
No untrusted component will have access to your data without user
confirmation. This means you'll always have to click a button on the main app
to fill a login for example.

There are two ways in which logins are filled in the browser:

- One is based on OS X Automation and AppleScript (this will work with Chrome
and Safari without our Safari App Extension enabled). Succinctly, with this
solution, Secrets will execute a small JS script on your frontmost browser
windows to see if there are any logins to be filled. If so, it will present
you a "Fill" button. Pressing that button will execute another JS script that
will fill that form. In this scenario your data is sent via Apple Events.

- When you have the Safari App Extension enabled, the process is similar. But
instead of Secrets actively looking for login forms on frontmost browser
windows, the extension will let it know what is available. Again you will
still need to press a "Fill" button on Secrets. Once you do, your data is
placed on a private clipboard that the extension uses to then fill the login.

There are no local servers, and the extension doesn't have access to your
data. By design, none of the linked vulnerabilities would apply.

If you're wondering why the two methods, the Safari App Extension came later
and the reasons are detailed here:
[https://outercorner.com/2016/10/19/version_1.4.0.html](https://outercorner.com/2016/10/19/version_1.4.0.html)

------
nixgeek
Looks neat. What's the elevator pitch on why to use this, over and above
existing solutions like 1Password or LastPass?

~~~
pfandrade
By using an open standard to store your data, besides being as transparent as
possible about the storage format (which you can verify on your own using
third-party tools; we have a post about that:
[https://outercorner.com/2016/08/01/storage_format.html](https://outercorner.com/2016/08/01/storage_format.html)),
we also benefit from the scrutiny OpenPGP has been through.

We also wanted to make a simpler and safer option (and in our eyes, more
pleasant to look at) than existing password managers.

~~~
codebeaker
1Password's format is also documented [1], though I'm not aware of any 3rd
party clients to parse/work with it. That's actually a thing I was thinking
about writing (I commented about trying to write something in C++14 in another
front page thread; this was it).

1Password also uses standard encryption, from the link [1]:

> We use Encrypt-then-MAC authenticated encryption everywhere we use
> encryption. The MAC is HMAC-SHA256 and encryption is AES-CBC using 256-bit
> keys. Key derivation uses PBKDF2-HMAC-SHA512. More detail about these
> choices will be presented in the relevant sections on key derivation and
> item encryption.

> In this document we will refer to “blocks of data”. Unless otherwise stated,
> blocks are the length of AES blocks, 128 bits (16 bytes).

Edit: apparently GitHub lists [2] four libraries for reading OPVault, one each
in Python, Haskell, Go and Ruby.

[1]: [https://support.1password.com/opvault-design/](https://support.1password.com/opvault-design/)

[2]: [https://github.com/search?q=opvault&ref=opensearch](https://github.com/search?q=opvault&ref=opensearch)

~~~
homakov
Using an open standard for data isn't proof of quality password generation; it
can be biased if the code is proprietary.

~~~
codebeaker
Did you reply to the wrong parent? I wasn't making any statements about the
quality of password generation.

I was replying to address two of the three points that these people invested 6
months to build YAPPM (Yet Another Proprietary Password Manager).

As is typical of developers, they've solved a problem that _probably_ didn't
need to be solved. With a more product-orientated mindset, a business plan and
some market research probably would have preceded six months of engineering
effort.

The "more beautiful" is subjective. I'd argue that having only one platform
targeted makes it much easier to build an app in keeping with one platform's
HCI guidelines. I happen to use a Mac, an Android phone, and a Linux desktop;
thanks to WINE I can use 1Password everywhere, and knowing that the format is
public and documented, and that there are 3rd party implementations, I don't
need to worry about AgileBits ceasing to exist.

I'm left seeing some developers making the same mistakes that I have made when
building a product before finding out if the world really needs a _subtly_
different app to solve an already solved problem.

~~~
nixgeek
"So… apparently it took me over 5 years to launch Secrets"

[https://twitter.com/pfandrade_/status/730681656496001024](https://twitter.com/pfandrade_/status/730681656496001024)

I think the developer invested nearly 6 years into it, and the comment about 6
months was time elapsed since initial release and doing the Show HN. It sounds
like it was a spare time project for an indie developer.

~~~
pfandrade
Exactly. I've been building this for years on my free time.

~~~
codebeaker
Don't take my harsh criticism personally. I too enjoy building things for the
joy of building, and I respect your achievement. I just doubt the world really
_needs_ what you built, perhaps because I'm not your target audience, and I
understand the trade-offs I made when choosing to commit to 1Password, so I
don't feel like any alternative is compelling.

~~~
pfandrade
None taken ;). I understand your point of view and hopefully we can iterate on
the foundation we've built and make a more compelling argument for you in the
future.

------
MaKleSoft
I don't understand why so many password managers go through so much trouble to
implement auto-fill. This one has an interesting approach that seems to be
slightly less intrusive than what, say, Lastpass is doing but I still don't
really see the value outweighing the cost.

Yes, auto-fill - if implemented well - can add some convenience for the user
but it usually adds a significant amount of complexity to the codebase and
comes with some challenges regarding security. In fact, LastPass' autofill
feature is/was the root cause of some very scary vulnerabilities[1].

Copy&paste is simple, broadly understood and supported in much the same way on
every single platform. And in my experience, it's really not that much slower
than auto-fill.

It seems to me that most password managers these days are trying to tick off a
list of features rather than focussing on security and usability. Mind you,
Secrets 2 is definitely not the best example of this - I actually quite like
the clean look and simple user interface. Still, it seems like most people
nowadays are judging the value of a password manager by the number of features
rather than, say, security.

<shameless-plug>Padlock[2] is a minimalist, open source password manager
__without__ auto-fill, browser integration or any other 'advanced' features.
We believe that when it comes to features, less is often more, and it seems
there are plenty of people who agree with us.</shameless-plug>

[1] [http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/](http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/)

[2] [https://padlock.io](https://padlock.io)

------
cstuder
Is it still two-factor-authentication if you're keeping your passwords and
your one-time-password-generator in the same application?

~~~
pfandrade
We thought about calling it two-step-authentication. But most people know it
by two-factor (and that's what most sites call it also).

And you can always have the OTP generator on your iOS device without the
accompanying password to be technically accurate with the lingo.

------
mosselman
With regards to the security: Why is this free?

~~~
pfandrade
It's "Freemium". It's free to use for up to 10 items. You then unlock
unlimited items via an in-app purchase.

~~~
kimshibal
How much IAP?

~~~
pfandrade
19.99 USD for the Mac. 9.99 USD for iOS (iPhone and iPad).

~~~
oneeyedpigeon
Unless I'm missing it, why doesn't it say that on the product page? More
importantly, doesn't it need to say that on the App Store page at all?

~~~
ubernostrum
App Store pages are allowed, AFAIK, to say "Free (In-App Purchases)" and leave
it at that.

~~~
eddieroger
They could put it in the description if they desired, which would be a good
idea I think.

------
Angostura
Err, how is this better than the built-in and free Keychain and iCloud
Keychain built into OS X and iOS?

~~~
elmigranto
For one, iOS keychain won't let me see the items themselves, or their full
descriptions. It only allows pasting Safari website passwords. At least I
haven't found how to do more than that.

From screenshots, it looks like this app would let you browse your whole
collection in full. So there's at least one feature.

~~~
pfandrade
iCloud Keychain is handy for simple use cases. But it quickly breaks down if
you want to have good password habits.

For example, I use my Apple ID to login to a bunch of different Apple sites.
With the keychain that would create separate entries for each site although
they are the same. Change your password and you'll end up with items with
outdated passwords (which you'll only find out when you try filling them).

The keychain is also cumbersome for creating items manually (imagine you need
to save an SFTP or VNC login). Furthermore, how would you have access to these
items on your iOS device?

You can also store more than just passwords with Secrets.

~~~
stephenr
Recent versions of Keychain on OS X/macOS (and iOS I think) ask if you want to
change other entries with the same username from the same domain (i.e.
appleid.apple.com and developer.apple.com) when it detects a change.

------
joeblau
I love all of these products, (this, Dashlane, etc...) but the switching costs
are too high for me right now. Unless there is something that is extremely
compelling, I can't justify transferring 400+ passwords just for a few
features.

~~~
mathgeek
I'm only familiar with 1Password, but that does have an export feature to
something as simple as CSV. Obviously you need to be careful about security
and cleaning up after yourself, but there's no need to manually type in
everything if the software you're moving to has any sort of import
functionality.

~~~
pfandrade
Indeed. Secrets already supports importing from 1Password and LastPass for
example. More could be added if there's demand for them.

------
Tepix
What are the advantages of using Secrets over Codebook (formerly known as
STRIP)?

Codebook's database backend is open source and it's available for more
platforms.

------
mathgeek
> Better than copying & pasting. Use _the Secrets_ to automatically fill in
> login information in Safari and Chrome.

Missing a word here?

~~~
pfandrade
I don't think so. "Secrets" is the name of the app.

~~~
mathgeek
You meant to refer to it as "the Secrets" and not something along the lines of
"the Secrets browser plugin" in that specific case?

~~~
pfandrade
Oh you're right! I thought you were saying to add the "the". I wonder how I
never noticed that.

~~~
mathgeek
It happens to us all. Glad to help proofread. :)

------
Antwan
Where is that stored? What's behind it? How could you pretend to be liable if
there are no basic explanations?

Just use pass instead and control the things on your own. See
[https://passwordstore.org](https://passwordstore.org)

~~~
pfandrade
It's stored on your local hard drive. We have more information here:
[https://outercorner.com/2016/08/01/storage_format.html](https://outercorner.com/2016/08/01/storage_format.html)

------
xrisk
Sync to iCloud doesn't seem to be working.

~~~
pfandrade
Get in touch with support@outercorner.com and we'll help you out.

------
adambowles
Can you share (and keep synced) credentials?

~~~
pfandrade
Yes, you can sync your credentials via iCloud with other Macs or
iPhones/iPads.

