Secret Scribble
An offline, open-source password manager for Windows
Drimiteros
Secret Scribble — Secure your passwords with an open-source password manager
A simple, open-source password manager that encrypts and manages your files locally. It includes basic features and some unique ones. It is also a good template for building your own custom password manager that fits your needs!
Replies
Drimiteros
Maker
Hello Product Hunt community, today I am publishing a 4-month project of mine, Secret Scribble. It is an open-source, offline password manager. It began as a personal project, but now it can serve as a template for anyone looking to build their own custom password manager! It’s also a good standalone product that’s very simple to use. Essentially, it functions as a text editor that allows you to encrypt and decrypt text documents with a password. You can download it directly from its website for free and install it through an easy, standard process. The code may be a bit rough and could have minor security flaws, but you’re welcome to contribute and help improve it! You can find it on my GitHub [https://github.com/Drimiteros/Se...], where you’ll also find instructions on linking.
Eskov Vitaly
Hi @drimiteros. Congratulations on creating such a product. I can see how much effort has gone into it. It's great that it's open source, and the choice of technologies is interesting. It would be nice to build it for macOS as well. I'd like to mention a few things I noticed: 1) In the description, it's listed as a password manager, on the website as a file encryptor, and in the screenshot there is a password generator. :) 2) I think it would be a good idea to add a link to the GitHub repository on the landing page; it would increase trust in the product. 3) The idea of showing a screenshot of the current development is great. I would suggest considering a tool that allows you to publish a public development roadmap. Good luck with your project!
Himanshu Raikwar
@drimiteros Hi, I like the product, but I’m still not convinced why I should change from LastPass. Does it offer any unique features?
Drimiteros
@himanshuraikwar Hi there! Well, it is not meant to replace any major password manager; if you are happy and used to something, you should probably keep using it. It is basically a text editor that encrypts your data, made for people that want something simple & secure. You can visit the website and see the current and upcoming features for the app and see if there is something you find valuable; there is a Trello page for it as well. Also, this is open-source software and anyone can modify it and implement features that they like! If you don't code, you can request a feature that you like here: https://tally.so/r/wzeMva
Huzaifa Shoukat
Congrats on the launch! This looks like a great, simple solution for managing passwords securely. Any plans for adding more features down the line?
Drimiteros
@ihuzaifashoukat Yes! You can see what is in the works in the download section of the app's website! For a more detailed roadmap you can visit the app's Trello page: https://trello.com/b/HFSmdyyM/se...
Yann Leretaille
Hey @drimiteros, from a cursory glance:
- You are not using a password derivation function on the user-provided password/key. There is some weird shuffling going on in the "grade" function, but that is very predictable, and I wouldn't even call it a "weak" password derivation function.
- You are using AES CBC mode with a fixed, never changing, null-byte IV. Apart from the fact that CBC is not ideal for this kind of application, you *have* to use a unique, random IV for every ciphertext and *never* re-use it. CBC also lacks authentication.
- Less critical, but bad practice: You are using rand() to generate random passwords. The c/c++ standard does not give any guarantees for the rand() function that would make it suitable for anything secure/related to cryptographic operations. You also seed it with srand(time(0)), which means that the output of the password generator is predictable.
- Lastly, you leaked your own loginInfo.txt, which given the weak password derivation could potentially allow someone to recover your password.
Unfortunately, this is all very bad. While I generally encourage others to get into cryptography and security and to not be afraid to play around with it, publishing and advertising this project like this seems at least somewhat irresponsible. I highly encourage you to read up on:
- AES cipher modes, including modern ones with authentication (e.g., AES-GCM).
- What IVs actually do and why they need to be unique and random for each encryption operation.
- Password derivation functions (e.g., PBKDF2, bcrypt, or Argon2) to securely derive cryptographic keys from passwords.
- Cryptographically secure random number generators (CSPRNGs).
- How other password managers handle encryption, key management, etc. You might also want to look at key wrapping techniques.
I would also recommend adding a proper disclaimer on top of the GH project highlighting that this is a toy project and currently not suitable for real-world use.
I hope this message does not sound too discouraging and that you'll keep going at it - everyone has to start somewhere!
Drimiteros
@yann_leretaille Hey! Valid points, I will be preparing a reply to your issue on GitHub for the technical stuff. Stay tuned! 🙂