
Show HN: Bramble – Local-first password manager

106 points by MegagramEnjoyer, last Thursday at 7:29 PM | 25 comments

I'm currently working on Bramble, an open source password manager with P2P cross-device sync. Initially I released the Chrome extension, but recently I also published the Android app and iOS is pending Apple's approval. Besides that, the latest version also includes passkey storage for all platforms!

About Bramble:

It aims to be as feature-rich as all the popular ones and a replacement for cloud-based providers. I don't think we need to store our data in the cloud and be at the whims of companies raising their prices every year. There's always a breach and then we find out that some fields aren't encrypted, metadata is visible, and so on. I'm frustrated with this and the increasing lack of transparency during these breaches.

The P2P sync in Bramble uses a Nostr relay (which can be self-hosted) to keep your devices in sync. The relay just introduces the devices to each other; the data then flows directly over WebRTC, so there's no vault server and no cloud copy of your passwords anywhere. What leaves your device is end-to-end encrypted and your devices authenticate each other directly, so a snooping or MITM relay gets practically nothing.

Crypto is all done in Rust so I can control exactly how key material lives and dies in memory (secrets get zeroed out, no GC leaving copies lying around). In Chromium it's a wasm module, on mobile it's native builds bridged over via uniffi.

Android app:

I'm still deciding whether to publish the app on the Play Store or simply provide the signed APK which users can sideload. The reason for that is Google's plan to lock down Android and take away ownership from its users. Read more about it here: https://keepandroidopen.com/

The app uses no Play APIs whatsoever and runs perfectly on GrapheneOS, where I actually did all my testing.

Questions, feedback, feature requests - all welcome!

TL;DR: I dislike private-equity and venture funded companies messing with our security, so I created my own Password Manager which is local-first, free, open source and as transparent as it gets.
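The sync model described in the post (a relay that only introduces devices, with everything else end-to-end encrypted and mutually authenticated) as an added, standard-library-only Python illustration. This is not Bramble's code and does not reflect its protocol: the out-of-band pairing secret, the `Device`, `Relay` and `TamperingRelay` classes, the message shapes and the vault entry are all constructed for the demo. An HMAC-SHA256 keystream plus HMAC tag stands in for a real AEAD, and there is no Diffie-Hellman step, so this model has no forward secrecy. Bramble's data path is direct WebRTC; the model routes the data message through the relay as well, which is the stricter case, and the relay still sees only rendezvous metadata and ciphertext.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) using only the standard library."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; demo stand-in for a real cipher.
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (stand-in for an AEAD)."""
    enc_key, mac_key = hkdf_sha256(key, b"", b"enc"), hkdf_sha256(key, b"", b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag fails (wrong key or tampering)."""
    enc_key, mac_key = hkdf_sha256(key, b"", b"enc"), hkdf_sha256(key, b"", b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """A user device. The pairing secret is assumed to come from an out-of-band
    pairing step (e.g. a QR code scanned between devices), never via the relay."""

    def __init__(self, name: str, pairing_secret: bytes):
        self.name, self.pairing_secret = name, pairing_secret
        self.nonce = secrets.token_bytes(16)
        self.session_key = b""

    def hello(self) -> dict:
        # Rendezvous message: an identity label and a fresh nonce, nothing secret.
        return {"type": "hello", "from": self.name, "nonce": self.nonce.hex()}

    def derive(self, peer_hello: dict) -> dict:
        # Both sides sort the (name, nonce) pairs so they agree on the transcript.
        pairs = sorted([(self.name, self.nonce),
                        (peer_hello["from"], bytes.fromhex(peer_hello["nonce"]))])
        transcript = b"".join(n for _, n in pairs)
        self.session_key = hkdf_sha256(self.pairing_secret, transcript, b"sync-session")
        # Key confirmation: proves we hold the same session key without revealing it.
        proof = hmac.new(self.session_key, b"confirm:" + self.name.encode(), hashlib.sha256)
        return {"type": "confirm", "from": self.name, "proof": proof.hexdigest()}

    def check(self, peer_confirm: dict) -> bool:
        expected = hmac.new(self.session_key, b"confirm:" + peer_confirm["from"].encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, peer_confirm["proof"])


class Relay:
    """Untrusted rendezvous point: it logs everything it forwards."""

    def __init__(self):
        self.log = []

    def forward(self, msg: dict) -> dict:
        self.log.append(json.dumps(msg, sort_keys=True))
        return msg

    def saw(self, needle: str) -> bool:
        return any(needle in line for line in self.log)


class TamperingRelay(Relay):
    """Relay that tries to insert itself by replacing the nonces it forwards."""

    def forward(self, msg: dict) -> dict:
        if msg["type"] == "hello":
            msg = dict(msg, nonce=secrets.token_bytes(16).hex())
        return super().forward(msg)


# Constructed sample vault entry; not real credentials.
VAULT_ENTRY = b'{"site":"example.com","user":"alice","password":"correct horse battery staple"}'


def run_sync(relay: Relay, vault_entry: bytes = VAULT_ENTRY) -> dict:
    """Pair two devices through `relay`, push one vault entry, report what happened."""
    pairing_secret = secrets.token_bytes(32)  # shared at pairing time, never sent to the relay
    phone, laptop = Device("phone", pairing_secret), Device("laptop", pairing_secret)
    hello_p, hello_l = relay.forward(phone.hello()), relay.forward(laptop.hello())
    confirm_p, confirm_l = relay.forward(phone.derive(hello_l)), relay.forward(laptop.derive(hello_p))
    if not (phone.check(confirm_l) and laptop.check(confirm_p)):
        return {"synced": False, "relay_saw_secret": relay.saw("correct horse"),
                "reason": "key confirmation failed"}
    blob = seal(phone.session_key, vault_entry).hex()
    msg = relay.forward({"type": "data", "from": "phone", "blob": blob})
    received = open_sealed(laptop.session_key, bytes.fromhex(msg["blob"]))
    return {"synced": received == vault_entry, "relay_saw_secret": relay.saw("correct horse"),
            "reason": "ok"}
```

`run_sync(Relay())` reports a successful sync with `relay_saw_secret` false, because the relay log holds only names, nonces, HMAC proofs and ciphertext. `run_sync(TamperingRelay())` stops at key confirmation: a relay that rewrites the rendezvous messages cannot produce a valid proof without the pairing secret, which is the property the post relies on when it says a snooping or MITM relay gets practically nothing.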


Comments

ZenoArrow, yesterday at 10:47 PM

What does this offer over other local-first password managers? For example, there are a fair few Android/iOS apps based on KeePass (I currently use https://www.keepassdx.com on my Android phone).

kevinak, yesterday at 10:23 PM

Very cool! I like it!

What about using Nostr relays to also back up your data passwords? I built a library called Tablinum around this idea. Local first but backed up to Nostr relays using NIP-59 gift wrapped events.

https://tablinum.dev

catapart, yesterday at 7:58 PM

This looks like something I've been looking for! Excited to give it a try! I don't even use a password manager because of the things you've seemed to work around here. It's been painful.

Honestly, though, I'm most intrigued by your P2P solution. I've built a couple of web apps as custom html elements that use indexedDB for storage and I've been trying to figure out the sweet spot for syncing the data between apps. I think this nostr relay hits the mark as something people can feel comfortable not self hosting, while power users can host their own solution. Seems like a great solution, to me! Any advice as to some footguns with the approach? I'm very interested in giving it a try myself[0], so any notes you think would prevent some re-work would be really appreciated!

[0] as a public domain/oss-licensed module, if there's a reasonable method of packaging it as a standalone library

tmpfs, yesterday at 3:28 AM

I think local-first password managers are the way forward. Big tech companies already have way too much power and having them mediate our most important data is a bad precedent to set.

I like that you made this P2P, I designed one that sits on top of sqlite and is 100% local first but is not P2P, take a look if you are interested in some prior art in this space:

https://saveoursecrets.com/

I decided to go with native apps all the way, Rust backend and Flutter front-end but kind of regret it now with how the Play/App stores are such a hassle to work with.

commandersaki, yesterday at 9:25 PM

How does it handle browser autofill? What if you have to fill in a box that has a non-standard label? These are things I rely on with 1Password.

bix6, yesterday at 10:36 PM

The only crypto you accept is Monero?

tamimio, yesterday at 11:07 PM

It’s nice to always have more options, but I don’t want it to be local. I lose the centralized system and having multiple devices syncing the pass database, or a turned-off device, or an attack/ransom that took all your files including your passwords, or you lost your device while traveling. It’s better to have them secured somewhere safe and only accessible remotely, and there are plenty of self-hosting options out there.

banderberg, yesterday at 4:30 PM

When I hear P2P I imagine my data going through other people's devices - but it sounds like this is a private P2P network.

mune2gu-chan, yesterday at 2:10 AM

Really clean concept. Keeping everything entirely on-disk instead of relying on a third-party cloud is something I've been wanting to see more of.

hoistbypetard, last Thursday at 9:39 PM

> TL;DR: I dislike private-equity and venture funded companies messing with our security, so I created my own Password Manager which is local-first, free, open source and as transparent as it gets.

I do too! And I appreciate your transparency about the vibe coding. But nowhere in the repository that I've found so far do you say who is writing this. For something like a password manager, I kind of need to know who's responsible for it, and who's reviewing the LLM source code, what they've done before, what their business model is, etc.

Can you share?

shaunkoh, yesterday at 3:29 AM

Congrats! How’s it compare vs self-hosted vaultwarden?

keepupnow, yesterday at 12:29 AM

What AI tools are you using, if I may ask? Genuinely interested.

keepupnow, yesterday at 12:31 AM

You built your own sync engine? Why?

suhan07, yesterday at 7:16 PM

[flagged]