I’ve been working on a small side project in my spare time and I’d love some honest, security-focused feedback from this community.
The project is PassFX, a terminal-based password manager designed to work entirely offline. No cloud sync, no accounts, no browser extensions. Everything is encrypted locally and unlocked with a single master passphrase that never leaves the machine.
The core idea is simple: reduce attack surface by removing the cloud entirely.
I wanted something:
- I could use on an air-gapped or offline machine
- That didn’t rely on a browser extension or remote service
- Where I could reason clearly about the threat model
This isn’t meant to replace enterprise solutions or compete with hosted managers. It’s more of an exploration into how minimal and auditable a password manager can be while still being usable day to day for developers.
What I’m looking for feedback on
I’m especially interested in thoughts around:
- Cryptographic choices and key derivation approach
- Threat model assumptions (what I’m missing or underestimating)
- Secure storage practices on disk
- UX tradeoffs in terminal-only security tools
- Any obvious “don’t do this” red flags
If you’re curious, the repo is here:
GitHub: https://github.com/dinesh-git17/passfx
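Since the post asks for feedback on the key derivation approach and on-disk storage, here is a worked example of the unlock path a reviewer would want to see: a memory-hard KDF over the master passphrase, the salt and KDF parameters stored beside the vault, and a key-check value that rejects a wrong passphrase without touching the encrypted data. This is an added example written in Python, not code from the PassFX repository; the header layout, the labels `vault-check` and `vault-encryption`, and every function name are assumptions made for this illustration. The scrypt cost (N = 2^14, about 16 MiB) is set low so the example runs quickly; a real vault should use a higher cost, which is exactly why the parameters are written into the header rather than hard-coded.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical vault-header layout for this example (not PassFX's real format):
#   magic(4) | version(1) | log2(N)(1) | r(1) | p(1) | salt(16) | check(32)
MAGIC = b"VLT1"
VERSION = 1
SALT_LEN = 16
CHECK_LEN = 32
HEADER_LEN = 4 + 4 + SALT_LEN + CHECK_LEN

# Demo-speed scrypt parameters. log2(N)=14 uses about 16 MiB; production
# vaults should go higher. Because the values live in the header, they can be
# raised later by re-deriving and rewriting the header on the next unlock.
DEFAULT_LOG2_N, DEFAULT_R, DEFAULT_P = 14, 8, 1


def derive_master_key(passphrase: str, salt: bytes, log2_n: int, r: int, p: int) -> bytes:
    """Memory-hard KDF: passphrase + per-vault salt -> 32-byte master key."""
    return hashlib.scrypt(
        passphrase.encode("utf-8"),
        salt=salt,
        n=1 << log2_n,
        r=r,
        p=p,
        dklen=32,
        maxmem=256 * 1024 * 1024,
    )


def subkey(master_key: bytes, label: bytes) -> bytes:
    """Domain-separated subkey (HMAC-SHA256 as a PRF). The master key itself is
    never used directly, so the on-disk check value and the encryption key are
    independent: learning one does not reveal the other."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def new_header(passphrase: str, log2_n: int = DEFAULT_LOG2_N,
               r: int = DEFAULT_R, p: int = DEFAULT_P):
    """Create a fresh vault header. Returns (header_bytes, encryption_key)."""
    salt = os.urandom(SALT_LEN)            # fresh salt per vault
    master = derive_master_key(passphrase, salt, log2_n, r, p)
    check = subkey(master, b"vault-check")
    header = MAGIC + struct.pack("!BBBB", VERSION, log2_n, r, p) + salt + check
    return header, subkey(master, b"vault-encryption")


def unlock(header: bytes, passphrase: str):
    """Re-derive the key from a stored header. Returns the encryption key, or
    None when the passphrase is wrong. Structural problems raise ValueError."""
    if len(header) != HEADER_LEN or header[:4] != MAGIC:
        raise ValueError("not a vault header")
    version, log2_n, r, p = struct.unpack("!BBBB", header[4:8])
    if version != VERSION:
        raise ValueError("unsupported vault version %d" % version)
    salt = header[8:8 + SALT_LEN]
    stored_check = header[8 + SALT_LEN:]
    master = derive_master_key(passphrase, salt, log2_n, r, p)
    # Constant-time compare so timing does not leak how many bytes matched.
    if not hmac.compare_digest(subkey(master, b"vault-check"), stored_check):
        return None
    return subkey(master, b"vault-encryption")


if __name__ == "__main__":
    hdr, key = new_header("correct horse battery staple")
    assert unlock(hdr, "correct horse battery staple") == key
    assert unlock(hdr, "Tr0ub4dor&3") is None
    print("header bytes:", len(hdr), "unlock ok")
```

Two caveats this example makes visible. First, the check value lets an attacker who copies the vault file test passphrase guesses offline at the cost of one scrypt evaluation per guess; the memory-hard KDF and a strong passphrase are the only things slowing that down, so the threat model should state it. Second, the header is not authenticated here: when the vault body is encrypted with an AEAD, pass the header as associated data so an attacker cannot silently lower the stored KDF parameters.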