stacksgov / grants-program

Archive of past Stacks Foundation grant applications. Historical record of ecosystem development.
https://stacks.org/grants

Midas: a user owned password manager extension #18

Closed hozzjss closed 4 years ago

hozzjss commented 4 years ago

We prefer clear, concrete, and concise applications. If an application is incomplete or unclear, we will request an update to the application.

Background

What problems do you aim to solve? How does it serve the mission of a user owned internet?

Right now I suppose most people use LastPass as their main password manager, and I have to assume that many use it to store some of their most sensitive passwords or even their seed phrases. When I started getting into the Stacks ecosystem way back, the first thing that I thought about was a password manager that would replace LastPass so that I have peace of mind, and so that the only thing I need to save would be the seed phrase of my Blockstack account. That would be it: a secure password manager powered by the secure encryption that Blockstack encourages, and for once I would think for myself that I have moved on from decentralization in this extremely sensitive spot. Only save the seed phrase of your account, and that's the only password you'd ever have to worry about. The solutions that exist at the moment are either not working or basically CRUD todo apps with no value to provide.

Project Overview

What solution are you providing? Who will it serve?

I am providing a native Chrome extension that would functionally replace LastPass or any other password manager, once and for all. It would serve everyone, since you'd have peace of mind that no corporation has access to your passwords and that your passwords are finally truly yours, and it would encourage people to value their seed phrase more, which serves the good of the community and the ecosystem as a whole.

Scope

What are the components or technical specs of the project? What will the final deliverable look like? How will you measure success?

The components are a Chrome extension that uses Gaia to save an encrypted block of information that holds all the user's passwords.

The final deliverable will be a Chrome extension that fully replaces LastPass and any other password manager.

Success will be measured by the number of downloads on the Chrome Web Store and the user reviews thereof, and by feedback from the community.

Budget and Milestones

What grant amount are you seeking? How long will the project take in hours? If more than 20, please break down the project into milestones, with a clear output (e.g., low-fi mockup, MVP with two features) and include the estimated work hours for each milestone.

The requested amount is $5000.

The project should take 120 hours and will have these milestones:

  1. Proof of concept that would take a user's CSV export from LastPass and use it to input passwords into sites just as LastPass does. This would take 40 hours.

  2. Picking passwords from inputs dynamically and suggesting updates, better shape and design, password generator, manual password entry, passwords CRUD dashboard. This should take 40 hours.

  3. Final product release, which should include note taking, better user experience and final touches; after that, iterative development through community feedback should take 40 hours.

Team

Who is building this? What relevant experience do you bring to this project? Are there skills sets you are missing that you are seeking from the community?

Risks

What dependencies or obstacles do you anticipate? What contingency plans do you have in place?

Community and Supporting Materials

Do you have previous projects, code commits, or experiences that are relevant to this application? What community feedback or input have you received? How do you plan to share your plan to the community over time and as the final deliverable?

I have received feedback on the demand for this project from the community through chats and hangouts on discord.

I plan on sharing the plan through this issue and through a hangout on Discord, since it's much, much easier to communicate ideas verbally.

friedger commented 4 years ago

To give value back to the community, this project could also be about specifying a data format for a password collection on Blockstack and then pushing Connect to implement it. Then I can choose to use my preferred password manager.

hozzjss commented 4 years ago

I agree with that, since the choices might grow from what we have at the moment, but as a baseline for future projects and so that migrations aren't that difficult, I agree with that.

RaffiSapire commented 4 years ago

Hi there, we just wrapped up our committee meeting and had a few questions.

Milestone 2: Why a CRUD dashboard? Do you intend to have a server somewhere? A password generator is something you can get easily; why do you think this will take 40 hours? Milestone 3: what does note taking mean?

hozzjss commented 4 years ago

A user CRUD dashboard which would only communicate with the user's Gaia through the browser extension options page. The password generator is one part of milestone 2; the biggest component is picking up passwords dynamically, comparing them with what the user has, and deciding whether to add or update, plus the rest of a LastPass-like experience. Note taking would be a place to keep notes privately alongside the passwords.

sdsantos commented 4 years ago

There are currently several Blockstack password managers available, or at least started. I could find at least 3 open source ones:

Could you explain a bit the main things that could distinguish Midas from the existing solutions? Is there any chance you could build upon one of the existing projects?

Thank you 🙂

hozzjss commented 4 years ago

I'm glad you asked that question @sdsantos, as I have reviewed them all. Blockstack password manager is just a CRUD app that:

  1. Isn't on the internet anywhere
  2. When I pulled it, isn't even logging in to Blockstack
  3. I had to look at the code to know what it does, and it's nothing more than a todo app but for passwords
  4. Is not an extension and does not even have offline support

So I assume it's just a passion project for the author.

Safeguard was one of the apps that I thought had potential in serving this purpose, but:

  1. It has an extension that loads their app through an iframe, which is dependent upon their app still being up, so no offline support, no downtime resistance.

  2. They have an integrated input interface like LastPass that looked promising at first but is not; the reason it's not working is that it's an iframe. [Screenshot from 2020-09-30 15-01-02]

  3. Since it is an iframe, it has no native access to advanced Chrome extension powers like capturing passwords when they're entered in an app, instead of having to put them by hand in their app.

  4. It has no import-from-LastPass feature, which is essential for anyone who wants to move away from LastPass.

Vaultilo is the one in the middle: it has a small set of features, and it's just Safeguard but with fewer features.

All of these apps, if successful, would have replaced LastPass already, but they haven't, because they haven't yet captured the convenience that LastPass provides while living almost entirely inside the user's browser. They have no export/import features; they don't capture passwords entered by the users and prompt the user to either add a new record or update an existing record; they don't have an integrated autofill profile for registration; they're not smart enough to put generated passwords in new password fields; and they have no community input. All that is why we still have no suitable replacement for the most crucial part of our internet lives, our passwords.

I can easily assume that many members of the community would save their seed phrase in a password manager for its convenience, but if you have a replacement you would encourage people against that and push them towards treating their seed phrase as their money and jewelry. That's the goal of this project, along with a community-driven feedback loop, as they are the stakeholders in this; if you could build and maintain this feedback loop, the possibilities are infinite.

And yes learning from past experiences is essential, but so far we're just reinventing a wheel, or maybe innovating over the bad wheel that is centralized password managers.

blocks8 commented 4 years ago

Review Committee Feedback from 10/6/2020: We'd like more information on your proposal.

Thank you for your submission! We'd like to see the milestones and related funding broken down into smaller segments. Please scope the project accordingly, with a milestone, deliverable, and amount of funding for each. We can then fund portions of the grant based on those milestones.

Additionally, we've been debating internally on the best way to fund applications that fall into a competitive category with existing apps. Through comments here, we've recognized the concern of the community that password managers have done some of the proposed work. It also raises flags when others have shut down over time, so imagining how this will be sustained over time is a consideration too. We're excited to see a solution that will work with new features, but want to spend a little more time on thinking about the approach.

An additional step that may be beneficial to your project would be to write a blog post about the product and share it with the community for feedback. It could be a good way to get user ideas and input even before you build. Ryder did something similar here: https://medium.com/@marvinjanssen/ryder-introducing-the-first-functional-wearable-hardware-wallet-b4380c327a19

hozzjss commented 4 years ago

Thanks for your feedback @blocks8. I am going to address your points in an unordered way, as some are shorter or more important than the others.

I am well aware of the debate about funding applications and the shape of the grants, and I think the best way to address this is through milestones for deliverables, since we aren't hacking a system like the old App Mining; we're holding people to commitments. You also tap into the need for such a thing, not just whether it's a Blockstack app, and that's another point that would constitute what is considered to be a grant-favorable submission; I think that demand and potential are deciding factors in determining that decision.

About sustainability, I am proposing a whole new way of thinking about grants for apps. It's implied that the grant covers a project with some milestones, and after the milestones are completed the project would no longer be maintained, and that relates to your sustainability part: you'd need to not only support initial development but encourage growth through an extended program that even follows the project after its presumed final release, since we don't have room in the current "presumed" model for feedback, iteration, or incremental development. I propose that half of the grant is paid in the time that follows finishing the milestones, as you'd have community and user feedback on the project, and that should be incentivized in a way that encourages incremental iterations over the projects and provides continuity to projects until they can stand on their own feet and generate their own revenue in some cases, or be a stable go-to in other cases. Also, since the Can't Be Evil clause is here and open source development is a must, this would encourage developers, after the project stabilizes, to fork it and make better additions for the community, or make something of their own that might surpass the older stable starting point; but so far most of the Blockstack apps' starting points are missing a lot, if not everything.

Now, about Midas...

For sustainability, since all the assets are gonna be inside of a Chrome extension (as opposed to all the semi-working solutions at the moment), the app would always be available for end users, not just developers who'd have to go through the hassle of hosting the dead app's assets and then compiling an extension with a different domain name. That would change the key pair, and the user would lose all their data, since it's encrypted with a different public key; to restore it they'd have to go through a hell of a journey. And since the data is stored in Gaia, there are no issues with DBs that are shut down, or a storage server, or anything of that sort.

Milestones

Since I started this project, I have had different thoughts on the organization, and since I am committed to my words about funding half of the project after the milestones are completed, I am going to lower the budget to $2100, with milestones as follows:

  1. Design and deliver a PoC alternative to LastPass, or whichever password manager, with basic features that include import from CSV and inputting passwords automatically into sites, all within Blockstack. The technical feasibility research is already done for this feature and is ready for implementation. I might need some help with design, but if I can't find any through the time given, I will deliver a basic design that does the job. 30 hours, $900.

  2. Design and deliver an interactive password capture mechanism, better shape and design, password generator, manual password entry, passwords CRUD dashboard. This milestone should have a more grown-out shape and feel for the app, through a dashboard just like LastPass; this should be a sufficient replacement for LastPass. 30 hours, $900.

  3. Final touches, bug fixes, and new optional features, like note taking and autofill for signup forms. This milestone would conclude the releases of the app; thereafter app audits and iterations might start. 10 hours, $300.

But since I believe in this project, if my idea doesn't pass the senate I might go for other sources of funding through democratization of the app. This path can be realized through some Clarity-linked services, through NFTs as contributions, as an example, since I believe what's stopping people from switching from centralized password managers is not finding the RIGHT app.

And thanks for the recommendation; I think a blog post would speak better than this and get more feedback too.
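The data-loss risk described above (a vault encrypted under one extension origin's app key cannot be read once the extension is rebuilt under another origin) can be shown end to end with stand-in primitives. This is an added example, not Midas or Blockstack code: the origin-bound key derivation is an HMAC stand-in for Blockstack's real per-app key derivation, and the vault format is a simplified encrypt-then-MAC construction, not Gaia's actual encryption; all names and sample values are constructed.

```python
import hashlib
import hmac
import json
import os


def app_key(seed_phrase: str, app_origin: str) -> bytes:
    """Stand-in for per-app key derivation: one key per (seed, origin) pair.
    Assumption: the real Blockstack scheme differs, but shares this property."""
    return hmac.new(seed_phrase.encode(), app_origin.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (illustrative stream cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(key: bytes, records: list) -> dict:
    # Encrypt-then-MAC: the tag binds the ciphertext to the origin-bound key.
    nonce = os.urandom(16)
    plaintext = json.dumps(records).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def open_vault(key: bytes, blob: dict):
    # Returns the records, or None when the key (i.e. the origin) does not match.
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def demo() -> dict:
    seed = "constructed seed phrase, not a real wallet"  # constructed sample
    records = [{"site": "example.com", "user": "alice", "password": "hunter2"}]
    blob = seal_vault(app_key(seed, "chrome-extension://original-id"), records)
    # Same seed + same origin recovers the vault; same seed + forked origin cannot.
    return {
        "records": records,
        "same_origin": open_vault(app_key(seed, "chrome-extension://original-id"), blob),
        "forked_origin": open_vault(app_key(seed, "chrome-extension://forked-id"), blob),
    }
```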

RaffiSapire commented 4 years ago

Hey there, let us know if you've been able to get feedback on this from the community. We're having trouble convincing ourselves the community would benefit from another password manager, given there are already others in existence. It would be helpful to see feedback from the community via a blog or forum post, or however else you see fit, to demonstrate this is a strong pain point.

hozzjss commented 4 years ago

I get your point