Show HN: Keycat – A self-hosted end-to-end encrypted password manager (key.cat)
87 points by acasajus 11 days ago | 25 comments

Sidenote: Catalonia top level domains (.cat) require the web to be served in Catalonian as well. That's probably why you see the link in the top-right to see it in català (or maybe it's done from a person/group from Catalonia).

The TLD has an interesting history: https://en.wikipedia.org/wiki/.cat

Edit: the name of the main contributor is a typical Catalonian name, so maybe the requirement is not the main reason for the dual language.

How is this better than Bitwarden?

I think self-hosting, or using a regular account with BitWarden is the way to go. I just don't think E2E encryption is strong, unless implemented carefully?

Bitwarden also has self-hosting ;)

I think self-hosting is risky.

I trust bitwarden to fix, deploy, remedy, and investigate security fixes better than I can do :)

I agree. That’s why I use a normal account. I have had clients need a self-hosted solution. I think Bitwarden is good. I haven’t checked the website for their security audit. I’ll check now.

Is this maintained? It seems like none of the repos have had a commit in 6 months.

If the code is stable, why does it require maintenance at all? I don't think the amount of commits in the last 6 months should even be a metric. Issues would be a better place to look for maintenance.

There's no such thing as "permanently stable", just "it worked the way we expected at release time". As it keeps being used in different environments, with different inputs, different use cases, etc, suddenly it's not working the way someone originally expected, or it doesn't work with newer stuff. Then bugs happen, or it requires new ways to work with newer software. So code changing over time is a sign that it's actually being used and someone is continuing to make it work.

Example: Linux 2.0.39 [1] was released in January 2001, no code changes since then. Some might say it's really stable by now, right? But that doesn't make sense; how could it be more stable than when it was released in 2001? Actually, it's much less stable. Try to download it, compile it, and run it on your modern system today. Will it even compile? Is your hardware fully supported? Will any new software break running under that old of a kernel? Probably all these and more problems will happen; yet we call it "stable". If you want to actually use it today, you would need to maintain the code.

This is why most of the cost of software is in the maintenance. As long as you're running it, you're maintaining it. (The exception is mainframes running the same hardware & software forever)

[1] https://mirrors.edge.kernel.org/pub/linux/kernel/v2.0/linux-...

There are multiple issues from over 5 months ago that have no response.


And allegedly, security issues too, including possible SQL injection.
>If the code is stable, why does it require maintenance at all?

That attitude is fine for left-pad; for security-centric products, not so much, in my opinion.

Can I suggest a link on the landing page to your keycatd releases? It was quite confusing at first.

I once created a similar solution for my own needs, and I have now been successfully using it for around 4 years:


Obviously it's much less powerful compared to LastPass and similar services, but it works well for me, allowing me to securely access my passwords from any location and device.

Do you have a browser extension / mobile app? How do you use it conveniently?

I don’t have any of this :(

Why not self-host git with pass?

I’ve been playing with the idea of storing json blobs in gnu pass and using it as a queryable object with xdotool and xclip to manipulate output.

I like pass, but it lacks functionality that other managers have.

Curious what you miss? I recently started self-hosting a Gitlab instance and switched from Lastpass to pass. Wouldn't have done it without the `passforios` foss app. Maybe I wasn't using Lastpass to its full potential (only used the CLI)?

Of course now I have to make sure to git push/pull on all my devices. That's annoying (but at least it drafts its own commits).

I’m pretty sure you can auto push with pass.

I miss browser autofill, but I don’t like the idea of plugins in the browser like LastPass etc. I do use inbuilt autofill because I trust that more, but that won’t generate my initial passwords, and there are situations where I have multiple accounts (legitimately, testing in prod where passwords matter).

MacOS seems to have really nice host integration but that’s coming from an outsider who’s never really touched one.

I also end up in situations where ‘xdotool type’ is the path of least resistance. VMs with no paste buffer, Citrix sessions, etc., so integrating xdotool type would be nice.

I also really like the idea of spawning an authenticated browser session from the shell.
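A shell helper for the two ideas raised in this subthread (storing JSON blobs in gnu pass and querying them, and feeding the result to xdotool type), added here as an example and not code from either commenter. It assumes python3 is on PATH; `pass` and `xdotool` are the tools the comments name and are only invoked by the last two functions.

```shell
#!/bin/sh
# Added example: query a JSON blob stored in `pass` and type one field with
# xdotool, without ever putting the secret on a command line (argv is visible
# to other local users via ps). Assumes python3 is installed.

# json_field FIELD  -- read a JSON object on stdin, print the value of FIELD.
# Exits non-zero (and prints nothing) if the field is missing or the input is
# not a JSON object, so a typo never results in typing "None" into a form.
json_field() {
  python3 -c '
import json, sys
try:
    obj = json.load(sys.stdin)
except ValueError:
    sys.exit(2)
val = obj.get(sys.argv[1]) if isinstance(obj, dict) else None
if val is None:
    sys.exit(1)
sys.stdout.write(val if isinstance(val, str) else json.dumps(val))
' "$1"
}

# pass_field ENTRY FIELD -- decrypt ENTRY with pass and extract FIELD.
# The decrypted blob travels through a pipe, never through argv.
pass_field() {
  pass show "$1" | json_field "$2"
}

# type_field ENTRY FIELD -- type the field into the currently focused window.
# --file - reads the text from stdin, so it stays out of the process list;
# --clearmodifiers stops a held Shift/Ctrl key from mangling the typed text.
type_field() {
  pass_field "$1" "$2" | xdotool type --clearmodifiers --file -
}
```

Example use: `type_field sites/example.com password` with the login form focused; `pass_field sites/example.com user` prints the user name for scripting.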

Any obvious advantages over, say, Keybase + Pass?

(You should add a comment to the thread giving the backstory of how you came to work on this, and explaining what's different about it. That tends to seed discussion in a good direction. Good luck!)

Absolutely. I come here for the story, not the product.

I was expecting a command line tool for concatenating and printing keys
