I Wrote My Own Password Manager and I Regret Nothing

January 10, 2024

Last New Year’s resolution I decided I was going to get serious about security. So I did what any reasonable person would do: I wrote my own password manager in Rust.

Not because existing ones don’t work. They work great. I just didn’t trust them. And also I wanted an excuse to use Rust for something that absolutely should not be written in Rust.

The Architecture

It’s 2,847 lines of pure, unadulterated hubris. It stores passwords in an encrypted SQLite database that I sync via a custom protocol I designed myself. The encryption scheme is AES-256-GCM with key derivation using Argon2id.

I have no formal cryptography training. I learned everything from blog posts and a vague memory of a Stack Overflow answer I read at 3 AM.

You know who else designed their own crypto system? People who went to jail. I’m not saying I’ll go to jail. But I’m also not saying my password manager won’t be the reason.

The User Experience

Getting started is simple:

  1. Clone the repo
  2. Install the dependencies (there are 47, good luck)
  3. Compile it (pray)
  4. Initialize the database
  5. Remember the 47-character master password that I generated using a method I also invented (don’t ask)
  6. Forget the password immediately
  7. Spend three days trying to brute-force your own master password before realizing you stored a hint in a comment in the source code
  8. Never make that mistake again (you will)

The Verdict

Does it work? Mostly.

Is it more secure than Bitwarden? Definitely not.

Do I use it? I have a sticky note on my monitor.

Progress.

Moral of the story: Sometimes the best way to learn is to build something that, if it fails, will ruin your digital life.