The README talks a lot about crypto. But the interesting bit is how you can access the passwords. Is there an API? If yes, how does it protect your passwords from malicious software? If not -- are you sure? (Have you checked for example accessibility APIs by the platform?)
PassForgePro does not have any API for accessing passwords. It’s a local-only, offline-first project. There is no remote service, no API endpoint, no cloud sync, and no server communication at all.
All passwords are stored in an encrypted local SQLite vault with AES-256-GCM, and the key is derived using PBKDF2. Decryption happens only in memory after the vault is unlocked by the user.
You can find more information about how the project works and its security model in the FAQ: https://can-deliktas.github.io/PassForgePro/faq.html
There is no interface that exposes secrets outside the app. When I talk about cryptography and design in the README and FAQ, the focus is on local protection, not on a remote API.
As I mention in the FAQ, PassForgePro is an experimental learning project, not a production-grade password manager. It does not claim to defend against a fully compromised OS or malicious local software — that’s outside its threat model.
So if someone assumes there must be an API or external access, that assumption doesn’t match the actual architecture.
OPEN SOURCE Code: https://github.com/can-deliktas/PassForgePro/blob/main/PassF...
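The at-rest scheme described in the reply above (PBKDF2-derived key, AES-256-GCM, decryption in memory after unlock), as an added sketch that is not PassForgePro's code. The iteration count, salt and nonce sizes, record layout and the function names are assumptions made for the example.

```javascript
// Added illustration; not PassForgePro code. Iteration count, salt/nonce sizes
// and the record layout are assumptions chosen for the example.
const nodeCrypto = require("node:crypto");

const PBKDF2_ITERATIONS = 600000; // assumed work factor
const KEY_LEN = 32;               // 256-bit key for AES-256-GCM

// Derive the vault key from the master password and a per-vault random salt.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, PBKDF2_ITERATIONS, KEY_LEN, "sha256");
}

// Encrypt one entry. The site name is bound as AAD so a ciphertext cannot be
// moved to another row without the tag check failing.
function sealEntry(key, site, secret) {
  const nonce = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(site, "utf8"));
  const ct = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  return { site, nonce, ct, tag: cipher.getAuthTag() };
}

// Decrypt one entry in memory. Returns null when the key is wrong or the
// record was modified (GCM tag verification fails in final()).
function openEntry(key, record) {
  try {
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, record.nonce);
    d.setAAD(Buffer.from(record.site, "utf8"));
    d.setAuthTag(record.tag);
    return Buffer.concat([d.update(record.ct), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample data: correct unlock, wrong password, relocated row.
function demo() {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey("correct horse battery staple", salt);
  const rec = sealEntry(key, "example.test", "s3cret-value");
  const moved = { ...rec, site: "other.test" };
  return {
    ok: openEntry(key, rec),
    wrongPassword: openEntry(deriveKey("wrong guess", salt), rec),
    movedRow: openEntry(key, moved),
  };
}
```

This covers only the at-rest properties. The string returned by `openEntry` sits in process memory once the vault is unlocked, which is the part of the design the question in this thread is asking about.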