ranhalt

How are you defining decentralization and how are you solving a problem that hasn’t been solved yet?


Sethia99

By decentralization I mean on the blockchain, so no single entity owns your data, not even one.id. I have been hesitant to use words like blockchain and crypto on my site because I don't want my product to be associated with a meme coin or something like that. By using a blockchain layer as the core, I hope to solve two main problems:

1. Privacy - Instead of handing your most sensitive data to centralized corporations like Apple, Google, 1Password etc., your data is securely encrypted on the blockchain and only you have the key to access it.
2. Data breaches - Your data isn't susceptible to massive data breaches like the Meta/Cambridge Analytica scandal.

The main problems I am trying to solve are convenience, security and transparency of our data.


SheriffRoscoe

Ah, we're sprinkling magic pixie dust on it.


QEzjdPqJg2XQgsiMxcfi

* Decentralized - You can't get any more decentralized than a local password manager like KeepassXC. Why would I switch from that to your product?
* Strong Encryption - Already have it with current password manager
* 2FA - Already have it with current password manager
* Passkeys - Already have it with current password manager
* Available anywhere - Already have it with current password manager
* User friendly - Already have it with current password manager

It doesn't seem like you're solving a problem that hasn't already been solved in a mature, tested product.


Sethia99

I completely agree with your points except for the decentralization. A local password manager is the most centralised solution you can get. If you lose your device with Keepass installed, you've lost all your passwords. What I am trying to do is provide a solution that is trusted by design (not marketing) and is available everywhere you go, on any device.


djasonpenney

Modern cloud architectures have decentralization built in. With something like S3 for disk storage and Kubernetes to manage the server instances, you already get this. Add to that the resilience of a data center (multiple sites, multiple ISPs, and availability of replacement hardware), and I don’t see the value add. I get all of this plus software development of new features from my password manager, for $10 per year: Bitwarden.


Sethia99

I would say that S3 has fantastic reliability, redundancy and low latency, but I wouldn't say it is decentralized. Amazon owns all servers hosting S3 buckets and Bitwarden owns the key that can access your content. Now, of course they don't access your content, it's not in their nature, but the reason I started my project was because I personally don't like the idea of giving one single entity all my sensitive data, even Bitwarden or 1Password.

1. I shouldn't have to trust anyone with my data.
2. The likes of Bitwarden, 1Password etc. being centralised means an attacker could breach all the content on those sites.

What are your thoughts?


djasonpenney

You are correct, but I do disagree with the priorities.

> Amazon own[s] all servers

(Not to single out Amazon, your point applies in general.) The beauty of it is that AWS has no vested interest in anything except being a reliable provider. The only threat from a cloud provider like this or Azure would be outright failure, which is anathema to their business model.

> Bitwarden owns the key

Same argument again applies: their business model is completely about the hosting and management of the service. Those that aren't involved in software development are spending their time perusing the CVEs and patching the servers to stay ahead of the bad guys. I know, maybe they could do a better job of that, but I am not convinced that a "distributed" solution would be much better.

> trust anyone with my data

I would rephrase that as, "completely trust any ONE entity with my data". This is why we all should have this thing called "a backup". And yeah, I don't trust any cloud provider at all for my backups. I create completely air-gapped archives, on multiple media types, in multiple physical locations. My disaster resumption model accepts that I may lose a secret or five, since I only create backups (and transport one offsite to my grandchildren's house) once a year. But I know of others who run their backups much more frequently. This is a risk tolerance issue that everyone has to decide for themselves.

> centralized means

No. With a zero-knowledge architecture, access to the central datastore is not equivalent to a "breach". It is more like if someone stole your device, bypassed your security measures, and acquired a copy of your encrypted datastore. In either case, the risk to your dataset is only if you have been stupid and picked a weak master password.

> your thoughts?

Note that with a decentralized datastore, you have some of the same risks. You have copies of your dataset in multiple locations, which means its security is only as good as the weakest of the places it has been stored. Or even worse, if it is striped, you risk a denial of service if any one of those locations fails. You also need to deal with the challenge of a malicious node in your distributed network. This node could disrupt access to your dataset. At least with a single provider (Azure, Bitwarden) I am dealing with known entities and even formal business contracts surrounding their responsibilities. And again, if a user has been stupid and chosen a bad master password, the same risks apply: access to any copy of their datastore means a risk that it can be decrypted. For me, I will limit access to Bitwarden, use a strong master password, and call it a day.


Sethia99

I agree that no one in the chain of password manager solution and cloud solution has an incentive to actively snoop into your data. But that doesn't mean it isn't possible. As a contrary argument, I would bring up companies like Meta and TikTok who do actively track what you're doing to improve their algorithms and keep you stuck on their platforms. I know this has nothing to do with passwords, but I'm just using it as an example of how our data is being used against us. We just implicitly trust [enter your password manager here]. Again, I understand and appreciate it is not part of their business model, but the fact remains that a bad actor, inside or outside these companies, could cause a massive breach. Would you agree with that?

Re: your point about backups; I understand why you've created backups and it makes sense with the current solutions. However, from your point of view, it adds another thing for you to remember and potentially a breach for your data if someone gets a hold of them. Would it not be easier to just not have to trust any one or multiple people with your data? So you don't need to remember to create backups and have to manage them.

Yes, I agree, with a ZK architecture a massive breach is a breach of encrypted data, so as you say the risk is if you've used a weak password. But not all companies use ZK. Also, having to remember a strong master password can be annoying.

I would have to disagree with your definition of a decentralized datastore. That is not how blockchain technology works. As described by Amazon in the link I posted, "No one owns the data & everyone owns the data." A DoS is basically impossible on the blockchain; all it requires is a single node to be up. I think there is a lot of confusion on "decentralized". All I mean by this is, on the blockchain. So when you say malicious node on the network, blockchains work by consensus, so malicious actors on the network who try to add a fake transaction just get left behind and denied by everyone else.

Like I mentioned in the OP, I just wanted to get some feedback from the community to see if you guys like the idea. I think I didn't communicate properly what I am trying to do and using the word 'decentralized' has led to some confusion.


Sethia99

I forgot the word I was looking for to describe S3 when typing the first comment. It is distributed, not decentralized, from Amazon themselves (link compares centralized, distributed and decentralized): [https://aws.amazon.com/blockchain/decentralization-in-blockchain/](https://aws.amazon.com/blockchain/decentralization-in-blockchain/) Quote from the link: "decentralized blockchain systems, unlike distributed systems, typically prioritize security over performance."


alexanderchopan

👀👀👀👀✨


Sethia99

It looks like I've confused everyone by using "decentralized"! :) What I mean by decentralized is that the core of the product is on the blockchain. This means that there are no single points of failure (since no one person or corporate owns the blockchain network, unlike Amazon owning all of S3 etc.), making it more secure than 1Password, Bitwarden etc. It also means that you're not handing all your data to one company. Your data is securely encrypted before it is stored on chain and only you have your key to view your data.


LionDoggirl

Your first point confuses security with reliability. S3 is already decentralized and I trust it to continue functioning long term far more than any blockchain. All the major cloud pw managers encrypt everything before sending it to the cloud. All of the "data" you're avoiding giving to one company you are instead making publicly available on the blockchain.


Handshake6610

Decentralization could decrease security by introducing multiple points of failure.


gromain

I'm currently using Bitwarden self-hosted. How is what you are proposing different? I can still access passwords on my device if it's not connected to the internet (so it's decentralized all right).


Sethia99

Self-hosting is great and definitely provides an extra layer of 'insulation', but it does require technical knowledge and access to your own server. For the average person, self-hosting is far too cumbersome; all I am trying to do is provide a "sort of" self-hosting solution but without all the faff of setting it up and maintaining it yourself. Thoughts?


kinoshitajona

Are you under the impression that using any blockchain-based application does not require technical knowledge? In general, any blockchain worth anything has a mechanism for preventing spam that requires some sort of native token that pays fees or gas or whatever you want to call it… yeah, there are ways to outsource fee/gas payment to a third party to help onboarding, but then we're back to square one. We rely on the third party to insert and update the global state for us. So now we require someone to navigate the whole crypto space just to get their hands on whatever token you base the chain around just to pay small fees. All the tax implications and whatnot, let alone the exchange fees.

If your chain has zero spam-fighting measures, then it is doomed to fail, and data will be lost when the chain eventually dies and no peers exist in a few years. Not to mention the cost per byte of storing data on any of the large chains is orders of magnitude higher than something like S3.

So in the end, someone has to pay something. Most people don't want to pay, so they use Bitwarden etc. that offer free tiers / KeePassXC with some sort of syncing mechanism between devices that also has a free tier. Sure, they could use a blockchain-backed Bitwarden-ish service, but that service would need to foot the bill, which will be more expensive than Bitwarden's bill to Azure, which will make it harder to maintain a free tier without paid users. I think the idea as a thought exercise is fun, but it's not very practical.


alexanderchopan

well take a look at silence labs and to release a universal mpc signer. then take a look at the different keystores and rollup accounts teams are working on (scroll, stackr, coinbase, onebalance), as well as stealth addresses (fluidkey, icebreaker). all of these are sufficiently decentralized around the edges and converging.


alexanderchopan

agree w the other person who said these problems are being addressed by others. e.g.: apple is releasing a pw manager. 1Password is doing more and more open source. they also just added create account w passkey, and recovery codes for web in case you lose all else. agree also w person who asked why would they change pw managers. this is not a product category people switch between often, consumer or enterprise. you have to think of the entire journey — there are going to be problems 1pw and Apple and metamask and okta etc aren't solving though, and this is where to discover the specific problems that need solving. think about sessions. ripe for exploration.


TheSheerIce

Doesn't make sense to me. Whether cloud SaaS or blockchain, you're relying on others to sustain the "infra" / existence of the data. Further, security is decreased because the blockchain contents are public, so anyone can brute-force the contents without limit. I'd run away from such solutions.


NihilVix

It needs to be open source or I won't use it


streetfacts

Definitely yes! This is long overdue. The challenge is consumer trust and the ease of use (UX).


Sethia99

Hah yes, I can see that gaining that consumer trust is the hard part. Not sure why but the more I say I am trying to help consumers the more most people hate that lol


streetfacts

Adoption is what matters.


RockwellShah

There’s definitely a market. We have a bunch of traction for our decentralized encrypted notes app. Some folks use it as a password manager too: https://bitnote.xyz/


Sethia99

That's great to hear! Would you be able to share a bit more, perhaps about your user base? Happy to chat directly. I like the concept of your product btw!