Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm not that confident in my tool.

That said, I ask myself every day if having my public identity associated to my project, website, etc. Was a good idea.

It certainly helped with jobs in the past, but it's scary to hear stories of devs impersonated by others.



> Portable Secret is not a product and it is barely a project

You are such a humble person as you clearly stated why this thing was built. I am, in no way, claiming that you are too confident in your work, despite it being a cool project that can be used by privacy-aware techies. Your expression Crack me if you can just triggered LifeLock's story from the deepest part of my mind.


Your tool would be safer if you used CBC (with some MAC) rather than GCM as the cipher mode, so that key & IV reuse would not be as dangerous. That said, since you generate a different salt and IV every time, the likelihood of key & IV reuse is very low, and having to implement an AEAD cipher mode by generic construction would be somewhat annoying. So I think the choice of GCM is fine enough.


I started with CBC (without MAC) and upgraded with GCM since it was a more convenient way to provide integrity without adding the MAC step manually.

I should really make sure IV/Salt are regenerated automatically after use. (there is a small print warning in the creator about reuse)


> I should really make sure IV/Salt are regenerated automatically after use.

Good idea.

> I started with CBC (without MAC)

Oof, you really didn't want to do that :) Glad you upgraded to GCM.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: