AliasVault: Open-Source E2EE Password & (Email) Alias Manager

Are you planning to create support for an emergency contact? In Bitwarden, you can nominate another account (e.g. your partner) to be your emergency contact. In case you lose access to your vault (forgotten password, lost 2FA token) they can request access to your vault and then you get an email notification and unless you say “no” they will get access after x days (you can set the time). This still works despite E2EE.

Thanks for responding and sharing the updates and what you think. I appreciate it.

I see. I didn’t know this was the case. So, if this is how it is - sure, I can try doing this but don’t you think the problem will still continue to exist for a long time? There are so many websites with so many text boxes that are not for authentication. And because AliasVault icon/suggested entry box is showing on every drop down option or text box on the web, wouldn’t you have to fix a “million” websites where this could occur such that it only shows when it needs to? Proton Pass really fixed this issue quickly and I don’t know how they did it. Your approach could be different and I’m willing to help but there’s only so much I can let you know about.

If you still want me to - I will but I’ll want to do this privately since I don’t want to name websites publicly in this thread. I’ll DM you here if you’re okay with it. Please let me know.

Hmm. In this case with the options you have, there are several ways you can go about it.

When I say “turn off” - I normally mean I don’t want that alias to receive emails until I enable it again, like how Proton Pass and others do it. But if you can provide multiple options for what “turn off alias” means, that would be a new and unique functionality/feature set for AliasVault that others are not providing thereby differentiating AliasVault more.

Option 1: not receiving emails until turned back on
Option 2: auto archiving any emails being received (in a new archived emails list/folder)
Option 3: hard reject with AliasVault itself auto clicking the unsubscribe option that the email may have or sending a bounce back message about unsubscribing. I’m not sure what the best option is here from a privacy perspective so please ensure you use and develop the best private way to go about it. I’m guessing the emails received are also E2EE? Can you confirm/clarify?
Option 4: any other option you may think about or come up with in order to provide the user with all options along with others

Thanks for getting back with the updates. I have an Android too - I use GrapheneOS. It would be fantastic if your GitHub or website has a direct Obtainium link for people using GOS to directly add it and install it via Obtainium so we get the fastest updates as soon as you publish it.

I will keep using AliasVault (as imperfect as it is for everyday use, practically speaking) and will keep updating you on my experience with perhaps some specifics as and when I encounter “issues” or issues with my usage.

Thanks again. Please let me know.

@Regime6045 Yes that’s a good point. I do want to implement some kind of fallback access to the vault, in case the primary master password has been forgotten and/or not accessible anymore. An emergency contact feature could fit well into this. I’m not sure what this will look like but it certainly is something I’d like to have for v1.0. I’ve added it to the roadmap as a to-do just now. Thanks for raising this point!

@JG

  1. The way the autofill detection for AliasVault should work is that it only activates and shows the icon/suggested entry box for fields where it thinks they’re part of a registration/login form. The issue that you’re describing sounds like the algorithm is a bit too broad and is activating in places where it should not.
    So yes, if you can, please share the (list of) websites that you’re having issues with privately via DM. Then I’ll investigate which part of the algorithm is triggering on that certain website and see if I can improve it and make it more robust. These kinds of changes to the algorithm are very high-level, so if it works for one website it’ll work for all similar websites too. If I had to guess I think having +/- 50 different website variations in the test suite will make it work on 99.9% of all websites. So we’re already halfway there. The current challenge is more about finding those website variations, so all user feedback is very welcome. :slight_smile:

  2. Gotcha, thanks for your insights. Leaving the option to the user how they want to handle disabled aliases is interesting. I’ll give this some thought on how this could work. And to answer your question on E2EE: yes the contents (from, body, headers, etc.) of all received emails on AliasVault aliases are fully end-to-end encrypted as soon as they’re received by the server. So they’re never stored in plain-text and no one can read the contents except you. The private key for decrypting email contents is automatically stored in your personal (encrypted) vault.

I’ll also look into Obtainium. I myself am an iOS user primarily, so I’m not super familiar with the full Android ecosystem. But I’ve had suggestions by other users for publishing the app to alternative app stores too such as Accrescent and F-Droid, so I’ll add this one to that list for further research as well. Thank you!

4 Likes

Does iOS app save encrypted db to phone for self hosted vault? Or is it only accessible when logging in (with internet). Not sure if I’m wording this right.

Yes, once you log into the app for the first time, the encrypted database is saved locally on your iOS device in the app’s secure filesystem. The app also supports a basic offline mode where if you open the app while not having internet connectivity, it will still allow you to open the (cached) encrypted vault on your phone.

Also for security reasons, when the app is active, the vault is decrypted in memory only. Once you close the app or it goes into the background for longer than your configured auto-lock timeout (default is 1 hour, but you can change it to something shorter like 5 seconds), the decrypted data is automatically wiped from memory for security. When opening the app afterwards, it will ask you again for your biometrics or your password to decrypt your vault again.

So if I understand your question correctly: yes you can securely access your vault offline without internet after the first login.

1 Like

Hey

Sorry for the late response here. I did not forget but I wanted to think on this more and continue testing AliasVault in some other ways before I gave you more of my opinions and shared my experience.

So, following up from your comment.

  1. I’m torn here. It’s literally every website field with a text box I am coming across is what the extension is prompting on. I started making a list but it became too much to keep adding. So, I’ll soon share (privately) what I can and make of it what you want to but I assure you, it is every website and field/text box where I am seeing this. My suggestion here is to make the changes on your code end such that it doesn’t auto pop up on any text field or drop down but only activates if you mouse click on the field. I think this would mitigate and bypass the issue instead of you altering the algorithm and we manually try to make it work as well as we want it to. What do you think? I am not technical so I don’t know if this is possible but I am hoping. Please let me know.

More feedback and FYIs:

  1. The autofill works wonderfully! And every time. It’s not instant but it’s quick enough. For a beta product, this is nice to see and is what makes it actually usable.
  2. The generate new/add new alias on a new account creation page and the auto fill for all options available works really well too. It’s actually faster for me to make aliases and accounts with AliasVault than it is with Proton Pass. This adds to my satisfaction of using the tool thus far.
  3. As mentioned in another comment in another thread, I do want you to improve the email part of the product as well. I reiterate what I said earlier and feel compelled to say it again because I have noticed in new ways why and how this will be useful. Being able to better view and filter emails on the website at least (but within the extension itself would also be a nice to have improvement) such that the email text/other elements renders well and fully so it’s easy to read and follow the email content. The viewing box of the email should not be small and tight is what I mean. The way I see using AliasVault is - for many of the accounts I have, I do want their emails but I don’t want them to clutter my main personal/Proton inbox. So this means, I can always open AliasVault and view the emails I want for the accounts I want whenever I want or whenever I need to see any of the key emails I get with codes or confirmation emails/etc. Hope this makes sense.
  4. The extension stopped working today for an hour for some reason. I had to disable it and re-enable it after troubleshooting because it logged me out and would refuse to accept my master password. It did open on the web which was odd. This freaked me out a bit and made me worried. I have since made an export but please see to the reliability on your end if there’s an issue.
  5. The inability to edit anything and everything that one should ideally be able to in the extension pop up in the browser is still killing me. I know it’s on the way after the Android release (hopefully next week or so?) and I am impatiently waiting for it. Being able to make the same extension pop up larger in size (by dragging and extending the pop up window while still connected to the extension icon that appears on the top right) is also a much needed UI/UX improvement. I only reiterate to drive in the importance of this to me (and I’m sure others too when they begin to use it).

That’s it for now. Will write back with more as and when I have more to say. And please let me know if there’s anything unclear with my exposition above. Thanks! I look forward to trying out the Android app when you release it soon.

1 Like

@lanedirt

Hey, a couple more things I noticed yesterday after I posted my last comment I think you ought to know:

  1. The iOS app is not recognizing email for account pages on websites that have email and password or username and password. In other words, if an account page has “email” and “password” - AliasVault will only fill out “email” and “password” even if I have “username” as a separate name or don’t. What would work I feel is, if a website has “username”, AliasVault should accurately identify “username” and fill in username from the account details. If username is not present, then it should default to “email” directly and automatically as for the username on the website. For example: you can test this out on letterboxd.com (if you want to test it out and see what I mean).
  2. I’m starting to feel the pain of not being able to autofill credit card credentials and other details when online shopping. I hope this is already on your radar for improvements? (TBH, I am not following your GitHub yet so I mention this explicitly here)

Thanks again!

I don’t think I’ll have more notes for you until some more updates and improvements are released for me to try. I’ll be in touch. And as always, please let me know of any follow-up questions.

1 Like

:rocket: AliasVault 0.18.0 and Android app available!
Hey everyone, I’m super happy to share that after continued crunch time during the last 2,5 weeks, release 0.18.0 is now also available, and with it AliasVault for Android!

Also proud to share: yesterday (31st of May 2025) when 0.18.0 was released, it was exactly 1 year, 365 days, since I made the first commit for AliasVault. I’m proud of everything that was accomplished in the last 12 months, and very positive towards the next. :slight_smile:

Download link to Google Play: AliasVault for Android.

The APK is also available for download in the GitHub release assets for manual installation: Release 0.18.0 · lanedirt/AliasVault · GitHub

I’ll look into publishing the AliasVault app on alternative Android app stores too such as F-Droid and Accrescent in the coming days.

Here are the full release notes for this new release:

AliasVault 0.18.0:

  1. Native Android App Launch!: release 0.18.0 launches the official AliasVault native Android app, now available on the Google Play Store! :tada: This release marks a major milestone, as AliasVault is now available on all major platforms: web, browser extension and mobile (iOS + Android). This new app enables native autofill features for Android and protects your vault contents with on-device biometrics.
  2. Quality-of-life improvements: various smaller improvements to e.g. the browser extension which should make the autofill popup now trigger only on login related fields and get less in the way. Also fixes across all platforms to prevent UI overflow for credential details, and extra admin panel options.

Read more about this release on the AliasVault blog: AliasVault 0.18.0 Released | AliasVault

@JG I’ve also looked into your feedback and did some testing on my end for (quick) improvements for the browser extension on e.g. the OnlyOffice website which you mentioned. I have now updated the browser extension logic so it should trigger the autofill popup only on login related (username/email/password) fields. I tested it on various websites and I think this makes for a more correct default setting. I plan to be able to include your other suggestions regarding editing in the browser extension, improving email features etc. in the next release.

Now that AliasVault is finally available on all major platforms, the focus for the coming months will be shifted towards improving general usability and password management features across the board, as I’m going to work towards the v1.0 stable release.

I would appreciate it if Android users here could give the new AliasVault app a test drive and let me know what you think :slight_smile:. There might be a few issues that I’ve missed as there are a lot of Android devices and different biometric feature sets across the board between brands. But any issues that might pop up, I’ll look into and try to get them fixed asap.

9 Likes
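Added illustration, not part of the thread and not AliasVault's actual detection code: a sketch of the kind of rule discussed above, where the autofill popup is offered only for login-related fields and a blank username falls back to the email address. The field objects, hint patterns and sample forms are constructed assumptions.

```javascript
// Added example: NOT AliasVault's algorithm. Fields are plain objects that mirror
// <input> attributes, so the logic runs in Node without a DOM.
const USER_HINT = /user|login/i;
const EMAIL_HINT = /e-?mail/i;
// Hints that mark a text box as something other than a sign-in field (assumed list).
const NON_LOGIN_HINT = /search|query|comment|message|coupon|promo|newsletter|subscribe/i;

function autocompleteTokens(field) {
  return (field.autocomplete || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// Returns 'password', 'username', 'email', or null (null = do not show the popup).
function classifyField(field, formFields) {
  const type = (field.type || 'text').toLowerCase();
  if (type === 'password') return 'password';
  if (type !== 'text' && type !== 'email') return null;

  const ac = autocompleteTokens(field);
  const hints = [field.name, field.id, field.placeholder, field.ariaLabel]
    .filter(Boolean).join(' ');
  if (NON_LOGIN_HINT.test(hints)) return null;

  let kind = null;
  if (ac.includes('username') || USER_HINT.test(hints)) kind = 'username';
  else if (ac.includes('email') || type === 'email' || EMAIL_HINT.test(hints)) kind = 'email';
  if (!kind) return null;

  // Context check: an identifier field counts only when the same form also has a
  // password field, or the site explicitly declares autocomplete="username"
  // (identifier-first sign-in pages). This keeps newsletter boxes out.
  const hasPassword = formFields.some(f => (f.type || '').toLowerCase() === 'password');
  return (hasPassword || ac.includes('username')) ? kind : null;
}

// Maps field name -> value to fill. A blank username falls back to the email.
function fillPlan(formFields, credential) {
  const plan = {};
  for (const f of formFields) {
    const kind = classifyField(f, formFields);
    if (kind === 'password') plan[f.name] = credential.password;
    else if (kind === 'username') plan[f.name] = credential.username || credential.email;
    else if (kind === 'email' && credential.email) plan[f.name] = credential.email;
  }
  return plan;
}

// Constructed sample forms (not taken from any real site).
const loginForm = [
  { type: 'text', name: 'username', autocomplete: 'username' },
  { type: 'password', name: 'password', autocomplete: 'current-password' },
];
const emailLoginForm = [
  { type: 'email', name: 'email' },
  { type: 'password', name: 'password' },
];
const searchForm = [{ type: 'text', name: 'q', placeholder: 'Search films' }];
const newsletterForm = [{ type: 'email', name: 'signup_email', placeholder: 'Your email' }];

for (const [label, form] of Object.entries({ loginForm, emailLoginForm, searchForm, newsletterForm })) {
  console.log(label, form.map(f => classifyField(f, form)));
}
console.log(fillPlan(loginForm, { username: '', email: 'alias@example.test', password: 'pw' }));
```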

Yay!!

Will keep testing and trying in the coming weeks and will get back as and when I have substantial feedback on the same.

Thank you for taking my advice/suggestions/improvement requests seriously and delivering on it. I continue to look forward to extension improvements as it is likely the most used version of AliasVault even compared to mobile apps.

1 Like

Quick question: would there be anything that would prevent AliasVault from theoretically using the AGPLv3 in a quasi-proprietary way, as stated below?

Thanks for the question! The primary reason I switched AliasVault from MIT to AGPLv3 is to prevent commercial entities from profiting off it without giving anything back. To prevent for example what happened with Elasticsearch and Amazon.

As far as I’ve seen, AGPLv3 has also become somewhat of a standard among similar tools. I’m not a lawyer, but after reading about how permissive licenses like MIT can be abused, it felt like the right thing to do at this point.

My goal is to keep AliasVault as open as possible. As long as people share their improvements, even if they build a business around it, everyone benefits. The AGPLv3, as far as I’m aware, helps keep it fair for everyone.

2 Likes

The quote I previously linked highlights how the AGPLv3 with a CLA specifically, is frequently used in an unfair way. It also mentions how AliasVault has both of these, and could potentially easily turn unfair.

Yes I did add a Contributor License Agreement (CLA) template to the AliasVault GitHub after switching to AGPLv3, but I don’t believe it’s the type being criticized in that article (?).

The CLA is there to ensure outside contributors have the rights to the code they submit. For example, that it’s original work and not copied from another project with a different license which could get AliasVault in trouble. So by agreeing to the CLA they state that their contributions can be included under AliasVault’s AGPLv3 license. It also explicitly states that all contributions remain under AGPLv3 (or any later version of the same license family).

Having said this, it’s mostly theoretical at this point. There haven’t been any significant outside community contributions yet in terms of code, aside from small fixes like typos. I’m open to reviewing or adjusting the CLA if there’s a better approach. But for now, it’s just a standard placeholder I copied from an existing template.

The CLA goes as follows:

You grant the Project maintainers a perpetual, worldwide, non-exclusive, royalty-free license to use, modify, distribute, and sublicense your contribution as part of the Project and any derivative works.

Maybe you could change the CLA to limit the sublicensing to somehow only be AGPL and other copyleft licenses?

When I try to access Log in to your vault, it takes quite a while for the login page to appear. Specifically, after I open the website, it takes about 3 minutes in Firefox and Chrome before the credentials login section is finally displayed. This delay happens every time I try to log in, and it feels unusually slow compared to most other websites.

I’m not sure if this issue is unique to me or if other people are experiencing the same slow loading times on this site. If anyone else has faced similar problems, I’d be interested to hear about your experience.

@anonymous261 Thanks for your input. I’m going to read up more on this to better understand the implications and what the best approach would be. I do think it would be great for AliasVault to set a strong example of openness. From quick research into large competitors, I can see that Bitwarden follows the same AGPLv3+CLA model (with additional custom Bitwarden license), while Proton Pass has actually closed-sourced its server side, and 1Password is entirely closed-source so there are different strategies (while all of these are recommended by PrivacyGuides). I’m going to read up on this some more, review the current license and CLA and update them if needed so it matches with AliasVault’s vision. If you or anyone else have thoughts about what you think would be a good model for AliasVault when compared to other password manager solutions out there, please feel free to share!

@suvubi Thanks for your comment! Yes a delay can be expected when opening the web app (for the first time), however 3 minutes is quite drastic.

The AliasVault web app is built using somewhat new/exotic .NET WebAssembly technology, making it run .NET code entirely in your browser. This is required for making E2E encryption work. WebAssembly comes with upsides, but also comes with some downsides, where one of them is that it requires a kinda hefty download (in the order of multiple megabytes) for the first load.

Load speed is therefore dependent on your internet connection and also your device’s CPU for compilation. E.g. on my MacBook Pro M4 it loads within 2 seconds, but on a slower Android phone it can take around 6-10 seconds. Could you perhaps share your device specs and/or avg. internet speed?

Honestly, if I could go back in time and create the web client from scratch, I probably wouldn’t choose WebAssembly again because of the slow load times. Improvements to download sizes and load speeds are promised though by Microsoft in upcoming versions of .NET, so hopefully it will get better as-is too.

I’m attaching some screenshots of the page load time on my end.

First try

Second try

I’ve tried the Android app for a bit, and I’m impressed! I have a couple suggestions:

  • I would appreciate the option to group emails received per alias, like one email folder per alias.
  • The default (and unchangeable) user icon appears to be the old AliasVault logo, and I like the new AliasVault logo much better. I would prefer it if you could change the user icon to different colors of the new AliasVault logo.

@suvubi Thanks for the screenshots. That indeed is very slow. How fast is your local internet connection? Also, normally, the loading of 33MB of files should only happen on the very first load. Refreshing the page afterwards should use the locally cached files.

For reference, below are screenshots when loading it via my MacBook Pro M4 and a 1-gigabit internet connection. Both with and without cache it loads within 1 sec for me, but of course that won’t be for all users with slower connections.

@StraddleCarat, thanks for trying out the Android app and sharing your feedback! I do hope to improve the email view across all clients in one of the next releases. I’ll look into how folders per alias could be integrated in this. Also good point around the user icon, it’s indeed a static one right now that I added as a placeholder. I’ll look into making this more dynamic too and making it part of the login flow as a better indication of what account you’re accessing. :slight_smile:

Perhaps because my network connection is slower (100Mbps) and my location is distant from your server. However, at 100Mbps, 33 MB only takes roughly 3 seconds, or at most 60 seconds for numerous tiny files.

I really don’t understand why