Show HN: What I learned building a local-only password manager (PassForgePro)

Posted by can-deliktas 3 days ago

Hi HN,

I built PassForgePro as a learning project to better understand password manager design, local-first security, and common cryptographic pitfalls.

The goal was not to replace mature tools like Bitwarden or KeePass, but to explore:

* how a local-only, zero-knowledge style design can work
* key derivation with PBKDF2 and encrypted SQLite vaults (AES-256-GCM)
* handling sensitive data in memory and clipboard cleanup
* defining a realistic threat model and its limitations

This project is experimental and unaudited. I’m sharing it mainly to get feedback on the architecture, crypto choices, and overall approach, and to discuss what I got wrong or could improve (audits, reproducible builds, testing, etc.).

I’d really appreciate feedback, especially from people with security or cryptography experience.

Repo: https://github.com/can-deliktas/PassForgePro
Docs / demo: https://can-deliktas.github.io/PassForgePro

Comments

Comment by ximm 1 day ago

The README talks a lot about crypto. But the interesting bit is how you can access the passwords. Is there an API? If yes, how does it protect your passwords from malicious software? If not -- are you sure? (Have you checked for example accessibility APIs by the platform?)
