
Show HN: Self-hosted and self-contained web app password manager written in Go - jarm0
I have written a passwords/secrets manager for my personal needs. Maybe it solves some of your problems too.

It is written in Go and is a self-contained executable for a small web-app:
https://github.com/jarmo/secrets-web

There is also a CLI version if that is your taste:
https://github.com/jarmo/secrets-cli

To read about more technical details, look into the core repository at https://github.com/jarmo/secrets

Any questions/comments/suggestions are welcome in here or via GitHub pull requests.
======
mholt
Cool project. Unfortunately, the reality with password managers is that if I'm
going to use it, then it needs to support Windows, Mac, Linux; have a good
CLI; support all major browsers; and have apps and autofill on most mobile
devices. And they need to sync, through my own server. Most password manager
projects have one or two of these, but it's gonna need the whole package for
me to switch to it.

~~~
thrownaway954
and this is why I use a Google Sheet as mine :) I know most will say I'm
nuts... but I'm sure I'm not the only one out there and I get everything you
just described for free.

*edit... well except the autofill, but that's why there is good old copy and paste :)

~~~
dastx
> I get everything you just described for free.

You get one additional feature that others don't get, and that's Google and
likely all sorts of government agencies being able to record all your
passwords. Great feature.

~~~
thrownaway954
I don't kid myself... I'm not that important... no one is looking through the
crap I have on my Google Drive.

------
trulyrandom
Neat. I'm curious, which problems did you have with existing password managers
that made you write your own? You mention Lastpass and mitro in the README,
but there are lots of other good options available, like KeePass or Bitwarden.

~~~
jarm0
I was using LastPass at first. I even paid them some money to have support on
mobile. I didn't like LastPass because their UI was just really ugly and I saw
some security problems being discovered. Switched to mitro since it was free
and UI wasn't bad. Worked great, but unfortunately they ceased their service.

I got fed up with switching these services so often and didn't want to do the
same thing yet again (and can't remember what alternatives existed back then).

Since security has been my point of interest for years I decided to look into
building my own so that I would actually know for sure (as long as
cryptography itself is secure) about all the parts - how secrets are
encrypted, how they're stored and how they're synced. It was spring 2015 when
I wrote my first password manager in Ruby. It worked great, but the problem
was that I didn't want to install Ruby and its gems on every system where I
wanted to access my secrets so I went with Go and this is where secrets-cli
([https://github.com/jarmo/secrets-cli/](https://github.com/jarmo/secrets-cli/))
grew up. After that I decided that I'd also want to access secrets via
browser and created secrets-web
([https://github.com/jarmo/secrets-web/](https://github.com/jarmo/secrets-web/)).
Web and CLI versions are interoperable between each other so that you can use
either one of them or both at the same time.

------
juliend2
Congrats for doing this!

Regarding this:

> There should be no problems with running on a publicly-accessible server
> [...]

Looking at the
[https://github.com/jarmo/secrets-web](https://github.com/jarmo/secrets-web)
source code, I don't see any place where it sets the `Content-Security-Policy`
header. Or am I missing something?

~~~
jarm0
All security headers were supposed to be added by gin-contrib/secure
middleware
([https://github.com/gin-contrib/secure](https://github.com/gin-contrib/secure)).
However, your comment made me verify that it actually works
as it was doing at the time of starting to use that. I noticed that headers
were not present - it seems that somehow the order of registering middlewares
had made it not work. I've released a new version where they all work
[https://github.com/jarmo/secrets-web/releases/tag/v1.0.1](https://github.com/jarmo/secrets-web/releases/tag/v1.0.1)

Thanks for making me look into it and finding out about this problem.
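
The exchange above describes security headers silently going missing because of middleware ordering. As an added example (not part of the thread and not secrets-web or gin-contrib/secure code), this standard-library Go sketch models one such ordering failure and the regression check that catches it. The thread does not say exactly how the ordering broke in the project; the handler names, the header set and the header values here are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Headers every response must carry (names and values constructed for this example).
var required = []string{"Content-Security-Policy", "X-Content-Type-Options"}

func setSecurityHeaders(h http.Header) {
	h.Set("Content-Security-Policy", "default-src 'self'")
	h.Set("X-Content-Type-Options", "nosniff")
}

// headersFirst sets the headers before the wrapped handler writes anything.
func headersFirst(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		setSecurityHeaders(w.Header())
		next.ServeHTTP(w, r)
	})
}

// headersLast runs too late: the header block went out with the first body write.
func headersLast(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(w, r)
		setSecurityHeaders(w.Header())
	})
}

var app = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })

// MissingSecurityHeaders sends one GET through h and returns the absent headers.
func MissingSecurityHeaders(h http.Handler) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	var missing []string
	for _, name := range required {
		if rec.Result().Header.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	fmt.Println(MissingSecurityHeaders(headersFirst(app)), MissingSecurityHeaders(headersLast(app)))
}
```

Running a check like `MissingSecurityHeaders` against the fully assembled router in the test suite turns a silent header regression into a failing build.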

------
kissgyorgy
This is like Vault:
[https://www.vaultproject.io/](https://www.vaultproject.io/)

