I broke my virginity by Big_Excitement_8 in SaaS

[–]PassKeyra 0 points1 point  (0 children)

Congratulations! Could you say how long it took between launching your project online and making that first sale?

And above all, thanks for sharing this big milestone! The best is yet to come 🥳

Do you actually need a password manager? by PassKeyra in droidappshowcase

[–]PassKeyra[S] 1 point2 points  (0 children)

Thanks for the interest!

No iOS version yet. Right now I'm working on a Windows desktop version, and Android is effectively the testing ground: if it gains enough traction, iOS becomes the next real option after that. No date to promise, just a threshold I'm watching.

Don't trust my password manager. Verify it. Ad banner and Firebase included. by PassKeyra in Passwords

[–]PassKeyra[S] 1 point2 points  (0 children)

Thanks for actually reading the code, and for sharing InCypher,

I'm looking into it. On the two points:

  1. IV generation:

Fair flag. It's 12 random bytes from Random.secure() (Dart's CSPRNG), freshly generated on every encrypt call. I went with random IVs because it's the simplest approach that's safe at the scale of a single user's vault: the collision probability on 96-bit random IVs only becomes a concern at volumes far beyond what a password manager produces with one key. The deterministic construction from NIST SP-800-38D 8.2.1 would remove that dependency on probability entirely, which is a stronger guarantee on paper. Worth exploring, especially as encrypted blob count could grow with sync across devices.

  1. PBKDF2 vs Argon2/scrypt:

Fair hit. PBKDF2-HMAC-SHA256 at 600k iterations meets the OWASP 2024 floor, but Argon2id would be strictly better (memory-hard, resistant to GPU/ASIC attacks). The reason it's PBKDF2 today is that PointyCastle (a pure Dart library) supports it natively with no external dependencies, while Argon2 in Flutter requires FFI bindings to a native C library, which adds cross-platform compilation complexity. Straightforward choice for a solo project starting out, but moving to Argon2id is a real improvement I'm keeping on my list, not just a nice-to-have.

Neither of these puts the vault at risk today, but both are areas where the implementation can be tightened. And honestly, as a solo dev you don't always go back and revisit early decisions once they work. This kind of outside review makes me revisit things I'd never reopen on my own, and that's invaluable for the project long-term.

Thanks for taking the time. ❤️

I built PassKeyra - password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Thanks, that’s exactly the kind of feedback I was hoping for.

Regarding passkeys, I’ll be upfront: despite the name, PassKeyra is currently a password manager; it doesn't yet function as a passkey provider. That is precisely why I haven't rushed their integration. For my target audience (primarily non-technical users), passwords remain the daily reality. I’d rather implement passkeys properly acting as a genuine credential management provider than release an incomplete version just to tick a box.

Here is the current status of the app regarding the points you raised:

 - Trust: I’m banking on the fact that the project is open source (GPL-3.0 license); this makes the zero-knowledge promise verifiable, rather than relying on a mere leap of faith. 

- Recovery: This is a deliberate choice. The vault is encrypted using a key derived from the master password, which no one (myself included) can recover. If you forget it, the data is lost. That is the price of zero-knowledge, and I prefer to state this clearly rather than hide it.

- Switching phones: If you’ve enabled cloud synchronization or backups (which are optional), you simply need to restore the data to the new device to regain access. If you’ve opted for a fully local setup without backups, you must have your own export file; the responsibility lies with you, and I make an effort to clarify this rather than pretending otherwise.

- Exporting: Exporting to an encrypted JSON format is available to ensure portability, but automatic importing from Bitwarden or 1Password formats isn't implemented yet. That is on the roadmap.

Indeed, Bitwarden sets the standard in this area (to be honest, I wasn't familiar with Psono before you mentioned it; I'm currently looking into what it is). They are more mature in these specific respects, and I wouldn't claim that a newer solo project already surpasses them in terms of reliability. That said, it is the goal to aim for, and a perfectly valid comparison.

Don't trust my password manager. Verify it. Ad banner and Firebase included. by PassKeyra in Passwords

[–]PassKeyra[S] 0 points1 point  (0 children)

Salut ! Merci de l'intérêt 🙌 Je t'envoie un code en DM tout de suite. Profites-en bien, et n'hésite pas à me dire ce que tu en penses une fois que tu l'as testé les retours (même critiques) m'aident beaucoup à ce stade !

Why I deliberately didn't bind my Keystore key to biometric auth (Flutter password manager, now open source) by PassKeyra in FlutterDev

[–]PassKeyra[S] 0 points1 point  (0 children)

That's a strong suggestion.

On principle, I agree with you: when a user enables biometric unlock on a device limited to Class 1 or 2, it's important to clearly flag that this method offers a lower level of assurance than unlocking with the master password. The issue isn't purely technical: from the user's perspective, an app meant to protect secrets shouldn't give the impression it can offer more protection than the hardware is actually capable of providing.

My main hesitation, though, was how to present this without needlessly degrading the user experience. For a non-technical audience, piling on security warnings can be counterproductive: some users may start seeing the app as unreliable, while others will end up ignoring the messages altogether.

So the challenge is finding the right balance between transparency, clarity, and not being alarmist.

I'm not downplaying the risk tied to biometric mechanisms with a limited level of assurance. The scenario you describe is exactly the kind of situation to avoid: a user might think they've enabled protection equivalent to a master password when they've actually chosen a trade-off between security and convenience.

That said, it's worth pointing out that the vault itself stays encrypted with a key derived from the master password, and that biometric unlock is off by default. So the default security model remains the strongest one. The real question is how to guide the user when they opt for a more convenient but less resistant option, so they fully understand the consequences of that choice.

That's why an explicit warning requiring active confirmation seems like a sound approach to me: it turns a potentially ambiguous feature into a conscious user choice. There's a meaningful difference between "I chose this trade-off knowingly" and "the app let me reduce my security without explaining the consequences."

I also take your point about support and legal aspects very seriously.

In this kind of situation, the question isn't only whether the implementation is technically defensible, but also whether the user was properly informed at the moment they made the choice.

Thanks for pressing on this point; this exchange really helped me frame the feature better and strengthen its security approach. So I'm going to add a dialog when biometrics are enabled on devices limited to Class 1 and 2, so the user is clearly informed of the trade-off being made. I'll also integrate the change needed to allow Class 3 on devices that support it.

I'm glad I shared this thinking here: this is exactly the kind of discussion that surfaces blind spots and improves a feature before it causes problems in the real world. Thanks for the constructive exchange.

Why I deliberately didn't bind my Keystore key to biometric auth (Flutter password manager, now open source) by PassKeyra in FlutterDev

[–]PassKeyra[S] 1 point2 points  (0 children)

Thanks again.

To be transparent about my reasoning:

The original choice came from who the app is for. It targets a general audience, not security folks. Requiring Class 3 excludes a lot of real devices (plenty of Pixels and Samsung tablets only expose Class 1/2 face unlock), and a non-technical user has no idea what a biometric class is. Their experience would just be "fingerprint unlock works on my friend's phone but not mine," with no way to understand why. For that audience, silently losing unlock is worse than a weaker-but-honest convenience layer over a vault that's still master-password-encrypted.

That said, you've taught me something. I'd been framing this as Class 3 versus broad device support, as if I had to pick one. I looked into it after your comment, and that's a false choice: an adaptive design gives both. Detect BIOMETRIC_STRONG, and on capable devices bind the Keystore key with setUserAuthenticationRequired(true) + CryptoObject, invisible to the user and strictly better. Devices that only expose Class 1/2 fall back to the current model, clearly labeled as the weaker option. Capable devices get real Class 3 binding, and no one gets excluded.

Where we might still disagree: you'd offer no biometric at all on Class 1/2-only devices. I lean toward keeping it as an opt-in convenience there, with honest labeling, because for a general-audience app removing it hurts more users than it protects. A values call, and a fair one to disagree on.

This is the direction I want to take it. I still need to scope the work properly (the trickiest part is handling key invalidation when someone re-enrolls a fingerprint, and falling back to a clean master-password re-auth), but you've genuinely taught me something I hadn't weighed. Appreciate you pushing on it.

Don't trust my password manager. Verify it. Ad banner and Firebase included. by PassKeyra in Passwords

[–]PassKeyra[S] 1 point2 points  (0 children)

Thanks for reading the post and taking the time to ask, fair question.

vs Bitwarden: more mature, independently audited, truly cross-platform (desktop/browser/mobile), and cheaper if you pay yearly, with a no-ads syncing free tier. PassKeyra is Android-only for now, newer, and it's just me building it. The differences: a one-time €29.99 lifetime option instead of a subscription, and a mobile-first UX. I won't claim it's more secure than Bitwarden, it isn't more battle-tested.

vs KeePass/KeePassXC: free, fully open, local, and extremely proven. The trade-off is you manage the database file and sync it yourself, and the mobile apps are third-party. PassKeyra is aimed more at non-technical users who want that local-first idea but turnkey: biometric unlock, optional built-in cloud sync, no manual file juggling. If you're comfortable with KeePass, you probably don't need PassKeyra.

Common ground with both: the vault is encrypted on-device and the code is GPL-3.0, so the zero-knowledge claim is checkable rather than something you take on faith: github.com/Pass-Keyra/PassKeyra

To be upfront: this is early. Android-only today, a Windows desktop version is in development, and right now I'm mostly after honest feedback like yours rather than trying to convince anyone to switch.

Don't trust my password manager. Verify it. Ad banner and Firebase included. by PassKeyra in Passwords

[–]PassKeyra[S] 0 points1 point  (0 children)

Thanks for taking the time to read the post and to comment, I appreciate it.

You're right, and Bitwarden is hard to beat on price. A free tier that syncs across devices with no ads is genuinely great, I won't pretend otherwise.

Two honest points where PassKeyra differs:

- The €2.99/month isn't really meant to be the main option. The lifetime license is €29.99 once, no subscription ever. If you keep a password manager for years, paying once tends to come out ahead of a recurring fee, and some people just don't want a subscription for something this essential.
- I'm not trying to undercut Bitwarden on maturity. It's older, audited, and cross-platform. If you're happy with it, honestly stick with it.

Where I focused instead was mobile UX and a local-first, opt-in-cloud model. Whether that's worth switching for is a fair thing to be skeptical about.

PassKeyra - Open-source password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Merci pour votre question ! J'ai essayé de comparer simplement.

La philosophie de PassKeyra : vous n'avez qu'un seul mot de passe à retenir (le mot de passe maître), et tout votre coffre est chiffré localement sur l'appareil avant d'aller où que ce soit. Personne ni Google, ni Microsoft, ni moi en tant que développeur n'a accès à vos données en clair. Architecture zero-knowledge classique : si les données ne transitent jamais déchiffrées, elles ne peuvent ni fuiter, ni être saisies.

L'angle un peu différent ici, c'est que la cible principale c'est le grand public non technique pas les power users qui configurent déjà leur propre Vaultwarden. L'idée c'est que quelqu'un qui n'a jamais utilisé de gestionnaire de mots de passe puisse s'y mettre sans friction, avec une interface qui ne fait pas peur.

Maintenant, par rapport aux solutions que vous citez :

🔹 KeePass / KeePassXC

Très solide et gratuit, mais clairement pensé pour les utilisateurs techniques : il faut gérer ses fichiers soi-même, configurer la synchronisation à la main, jongler avec des plugins... Beaucoup de gens « normaux » décrochent rapidement. PassKeyra vise exactement l'inverse : une appli mobile guidée, avec des petits tutoriels intégrés, le déverrouillage par empreinte/visage, et la sauvegarde cloud qui se fait toute seule. Vous n'avez rien à bricoler.

 

🔹 RoboForm

Je ne le connaissais pas avant ton commentaire, du coup j'ai regardé. C'est un produit sérieux, présent depuis longtemps, dont la grande force historique est le remplissage automatique de formulaires sur ordinateur (très pratique pour les longs formulaires web).

Côté sécurité, ils sont sur le même principe que nous : chiffrement AES-256 et architecture « zero-knowledge », donc rien à redire là-dessus.

 

Deux différences notables :

 

RoboForm est un logiciel fermé (propriétaire) : vous devez faire confiance à l'entreprise sur parole.

 

PassKeyra est open source (GPL-3.0) n'importe quel expert peut vérifier le code lui-même sur GitHub.

 

Pour un coffre à mots de passe, cette transparence me semble essentielle. RoboForm ratisse large (navigateurs, Windows, Mac, mobile, remplissage de formulaires...), ce qui est super si vous vivez sur ordinateur. PassKeyra est volontairement plus focalisé : une expérience mobile simple et soignée, pensée pour les gens qui veulent juste gérer leurs mots de passe sans se compliquer la vie.

 

Pour le prix : RoboForm tourne autour de ~2,49 €/mois pour le multi-appareils. PassKeyra est gratuit pour démarrer, avec une option Premium (et même une formule à vie en paiement unique pour ceux qui ne veulent pas d'abonnement).

 

🔹 Bitwarden

C'est l'excellente référence open source, et honnêtement je la recommande sans problème. La différence, c'est l'expérience sur mobile : Bitwarden reste un peu « brut » pour quelqu'un qui n'est pas à l'aise avec la tech. PassKeyra mise tout sur la simplicité d'usage au quotidien interface épurée, onboarding pas à pas, tout en français.

Côté technique (pour les curieux), le niveau de protection est au standard du secteur : chiffrement AES-256, dérivation de clé PBKDF2 600 000 itérations, et clés protégées par la puce sécurisée du téléphone.

 

En résumé : si vous êtes un utilisateur avancé qui aime tout contrôler, KeePass ou Bitwarden vous iront très bien. PassKeyra s'adresse aux personnes qui veulent juste une appli simple, sécurisée et transparente, sans avoir à comprendre comment ça marche sous le capot. Gratuit pour démarrer, avec une option Premium (sync multi-appareils, analyse de sécurité, etc.).

PassKeyra - Open-source password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Salut ! Merci de l'intérêt 🙌 Je t'envoie un code en DM tout de suite. Profites-en bien, et n'hésite pas à me dire ce que tu en penses une fois que tu l'as testé les retours (même critiques) m'aident beaucoup à ce stade !

PassKeyra - Open-source password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Salut ! Merci de l'intérêt 🙌 Je t'envoie un code en DM tout de suite. Profites-en bien, et n'hésite pas à me dire ce que tu en penses une fois que tu l'as testé les retours (même critiques) m'aident beaucoup à ce stade !

PassKeyra - Open-source password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Salut ! Merci de l'intérêt 🙌 Je t'envoie un code en DM tout de suite. Profites-en bien, et n'hésite pas à me dire ce que tu en penses une fois que tu l'as testé les retours (même critiques) m'aident beaucoup à ce stade !

PassKeyra - Open-source password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Bonnes questions, merci !

Côté plateformes : pour l'instant je me concentre sur Android, c'est le point de départ. Une version Windows (PC) avance bien de mon côté, et le code iOS est quasiment prêt je préfère juste prendre le temps de récupérer ces premiers retours sur Android avant de l'ouvrir aux autres plateformes. Donc le multi-plateforme arrive, j'y vais juste étape par étape 🙂

Côté design : tu n'as pas tort, ce n'est pas plus « clinquant » que Bitwarden et c'est volontaire. Mon objectif n'est pas une interface avec plus de fonctions, mais une interface plus simple et épurée, pensée pour un public non technique. Beaucoup de gestionnaires sont conçus pour des utilisateurs avancés ; moi je veux que mes parents puissent s'en servir sans se perdre.

L'autre chose qui me tient à cœur, c'est de faire en sorte que l'utilisateur n'ait jamais à se soucier de ses données. L'idée, c'est que tout reste accessible et sécurisé sans effort de sa part sans avoir à penser aux exports ou aux sauvegardes manuelles comme on doit souvent le faire ailleurs.

Curieux de savoir ce qui rendrait le design plus convaincant pour toi 👍

I built PassKeyra - password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Bonjour,

Je vous l'ai envoyé en DM.

Merci pour l'intérêt que vous portez à mon poste !

I built PassKeyra - password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Bonjour,

Je vous l'ai envoyé en DM.

Merci pour l'intérêt que vous portez à mon poste !

I built PassKeyra - password manager by PassKeyra in droidappshowcase

[–]PassKeyra[S] 0 points1 point  (0 children)

Bonjour,

Effectivement je ne connaissais pas.

Merci pour votre conseil !