Hi HN,
I built PassForgePro as a learning project to better understand password manager design, local-first security, and common cryptographic pitfalls.
The goal was not to replace mature tools like Bitwarden or KeePass, but to explore:
* how a local-only, zero-knowledge style design can work
* key derivation with PBKDF2 and encrypted SQLite vaults (AES-256-GCM)
* handling sensitive data in memory and clipboard cleanup
* defining a realistic threat model and its limitations
This project is experimental and unaudited. I’m sharing it mainly to get feedback on the architecture, crypto choices, and overall approach, and to discuss what I got wrong or could improve (audits, reproducible builds, testing, etc.).
I’d really appreciate feedback, especially from people with security or cryptography experience.
Repo: https://github.com/can-deliktas/PassForgePro
Docs / demo: https://can-deliktas.github.io/PassForgePro
All passwords are stored in an encrypted local SQLite vault with AES-256-GCM, and the key is derived using PBKDF2. Decryption happens only in memory after the vault is unlocked by the user.
You can find more information about how the project works and its security model in the FAQ: https://can-deliktas.github.io/PassForgePro/faq.html
There is no interface that exposes secrets outside the app. When I talk about cryptography and design in the README and FAQ, the focus is on local protection, not on a remote API.
As I mention in the FAQ, PassForgePro is an experimental learning project, not a production-grade password manager. It does not claim to defend against a fully compromised OS or malicious local software — that’s outside its threat model.
So if someone assumes there must be an API or external access, that assumption doesn’t match the actual architecture.
OPEN SOURCE Code: https://github.com/can-deliktas/PassForgePro/blob/main/PassF...
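An added example, not code from the PassForgePro repository, of the vault scheme the author describes: PBKDF2-HMAC-SHA256 stretches the master password with a random salt into a 256-bit key, each record is sealed with AES-256-GCM under a fresh nonce, and a wrong password or a tampered record fails the authentication tag instead of yielding garbage plaintext. It assumes the Python `cryptography` package; the iteration count, record layout and use of the entry id as associated data are my own choices, not the project's.

```python
import os
import hashlib
from typing import Optional
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

# Constructed parameters for this example; PassForgePro's own values may differ.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16
NONCE_LEN = 12   # 96-bit nonce, the standard GCM size
KEY_LEN = 32     # AES-256


def derive_key(master_password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: stretch the master password into a 256-bit AES key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def encrypt_entry(key: bytes, entry_id: str, plaintext: bytes) -> bytes:
    """Seal one vault record; returns nonce || ciphertext+tag.

    A fresh random nonce per record is mandatory: reusing a nonce under the same
    GCM key breaks confidentiality and forges tags. Binding the entry id as
    associated data means a ciphertext cannot be swapped into another row."""
    nonce = os.urandom(NONCE_LEN)
    sealed = AESGCM(key).encrypt(nonce, plaintext, entry_id.encode("utf-8"))
    return nonce + sealed


def decrypt_entry(key: bytes, entry_id: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the record was tampered with."""
    nonce, sealed = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, sealed, entry_id.encode("utf-8"))
    except InvalidTag:
        return None  # wrong master password, altered ciphertext, or moved record


def create_vault(master_password: str) -> dict:
    """New vault: the salt is stored in the clear beside the records; the key is not."""
    return {"salt": os.urandom(SALT_LEN), "records": {}}  # entry_id -> blob


def unlock(vault: dict, master_password: str) -> bytes:
    """Derive the in-memory key; records are only decrypted after this step."""
    return derive_key(master_password, vault["salt"])
```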