MSC4114: Matrix as a password manager

[Johennes]

Rendered

Implementations:

• https://github.com/Johennes/vaultmeister (WIP)

---

In line with matrix-org/matrix-spec#1700, the following disclosure applies:

I am a Systems Architect at gematik, Software Engineer at Unomed, Matrix community member and former Element employee. This proposal was written and published with my community member hat on.

[MTRNord]

I see some very major flaws with this around the security of the secrets. This feels like a excel spreadsheet with metadata added :/ Thats against any modern security recommendation.

[HarHarLinks]

Maybe I'm just scarred from the last 7 or so years that we had regular UTDs, but I'm still scared to lose my passwords this way, even with SSSS. MSC4114-based password managers should really offer an offline encrypted backup feature, but I'm not certain the spec may see it in it's area of responsibility.

[Johennes]

Yeah, agreed. This sounds like a great point to add to the "Potential issues" section.

[HarHarLinks]

I like this proposition for the concept of sharing for passwords this might enable, which seems much nicer than what my experience has been with bitwarden and keepass2. However it is ironic that matrix with it's required secondary password which will even be needed to access the encrypted passwords here, basically requires another password manager. It's a bit of a hen-and-egg problem.

[HarHarLinks]

This will basically require clients to implement key sharing with other users on invite so you can invite them after having created a secret. I'm not sure this is a hard requirement in the Matrix Spec currently, but something to point out to clients for this use case.