AliasVault: Open-Source E2EE Password & (Email) Alias Manager

Dear,

Thank you for the comprehensive and convincing answer.

I probably overlooked a bit that aliases are completely optional; and that there is some flexibility on the domain (now for self-hosting; later for the hosted version). Maybe I got pumped up by the statement “generating alternative identities, passwords and email addresses for every website you use” appearing about AliasVault on the website of SpamOK.

My grudge about “disposable/temporary address” is actually a general/principle thing indeed. YOPmail or SpamOK are not my cup of tea. For those that are OK with them, AliasVault is built to offer better security and convenience than YOPmail or SpamOK anyway. And when I come to think of it, I do trust my own email provider anyway (Fastmail), and this is not so different from trusting the entity receiving the emails at the alias/disposable/temporary address (like AliasVault.net).

FYI
When I look at my actual usage (not using AliasVault), I have like 400 aliases managed at my mail provider. Maybe 50 with my mail provider domain; and 350 with a domain I own. (Not to mention over 750 at spamgourmet.com (over almost 20 years) which I don’t use anymore.) I never pushed my kids or relatives in that direction, because it’s doable but can become cumbersome. Historically, my own preference was “less integration” for those matters. But an integrated solution like AliasVault might actually be/become a good fit for them.

BTW: Sometimes I like to remember how an account was created (Maybe I declared a different birthdate for instance.) I didn’t dig much in it, but it seemed like a cool feature already available in AliasVault.

Thanks again for the project, and the informative and convincing feedback

Best regards
Best regards from Belgium

O.

1 Like

Hi, after reading this entire thread I decided to give AliasVault a spin. Even though I don’t tend to put all my eggs in one basket, this service seems like a great alternative to BitWarden, SimpleLogin and (in the near future?) SmsConfirmed. So color me impressed! I also love the agility of the project and the close ties with the community. Being a fellow developer, I appreciate the amount of time and energy put into it.

One question that arose so far: I’m using the Firefox addon ATM, and I’m wondering why the password length has been restricted to 64 characters (BitWarden allows for 128 chars).

Cheers, and keep up the good work! It’s much appreciated.

Hi, thanks for trying out AliasVault! Happy to hear!

The password field itself actually has no limit. However the password length slider was added in a recent release and indeed only goes up to 64 (was chosen as a sane default). But there’s no reason why this couldn’t be 128 or 256 instead.

So good point, thanks for addressing! I’ll create a todo for this to increase the max. length value with the next release, so users will have more freedom in configuring their password lengths. :grinning_face:

2 Likes

Hi there,

After setting up 2FA, I noticed some small room for UX improvement. Using the Firefox addon, when I have to enter a 2FA code I’m switching focus to the Yubico Authenticator app (in order to copy the current code). However, when I switch back, the popup window belonging to the addon has closed. When opening it again, I have to enter my credentials, prior to getting the OTP prompt. I guess that wouldn’t have been much of an issue had I known my AliasVault password by heart, but when that one has been generated as well, it becomes quite cumbersome (though not impossible :)).

Speaking of Yubico Authenticator: I think it would be neat if AliasVault could be added to the Aegis Simple Icons Pack ( GitHub - alexbakker/aegis-simple-icons: Icon pack for Aegis Authenticator based on simple-icons ), if only because several “competitors” are in there already. The default Aegis Icons Pack seems to have been abandoned ( GitHub - aegis-icons/aegis-icons: Unofficial 2FA entry icons for open source Android authenticator Aegis. ), so I wouldn’t bother with that one. Anyway, it would be a nice cherry on the cake, I’d say.

I just wanted to thank @lanedirt for this project, the effort he puts into it and that he actually listens to everyone’s input and tries to implement as many feature wishes and suggestions as possible :slight_smile:

2 Likes

@autfernandez1987 Thank you for your suggestions! Adding a persist/restore for the login process in the browser extension when needing to enter your 2FA code would indeed make for a nice improvement. I’m looking into this to add in the next release as well. :slight_smile:

I’ll also look into adding AliasVault to the simple-icons library, thanks for the tip!

Thank you, that really means a lot! I’m very happy with all of the testing, feedback and suggestions, together we make AliasVault better each day! :smiling_face_with_three_hearts:

3 Likes

Hi @autfernandez1987,

Happy to share that the latest AliasVault release 0.26.4 was published yesterday, and it includes two of your suggestions as improvements:

  • Increase password generator length slider to max 256 chars by @lanedirt in #1702
  • Remember 2FA state after popup close/reopen during browser extension login by @lanedirt in #1708

I have also created a pull request to add AliasVault’s icon to simple-icons based on your suggestion:

However as you can read in the issue comment by the maintainer, the simple-icons library has certain requirements regarding the popularity of the website, which AliasVault does not meet (yet). So feel free to upvote the issue/PR in order to show interest. :grinning_face: The work is already done in terms of preparing the icons, now it’s just a matter of time before AliasVault will have reached the numbers they want to see.

5 Likes

Thank you! I can confirm the improvements are working as expected.

I share your confidence that the site/service will become popular enough to get the icons in there (I didn’t realize that was a requirement). In fact, once AliasVault is out of beta I’m sure you’ll hit the ground running.

1 Like

Just in case you didn’t happen to stumble upon it:

Report:

I imagine this could be useful to know.

2 Likes

Thank you for sharing! Yes I also got a similar question on AliasVault’s subreddit regarding this published research. I commented on this yesterday, sharing it here as well for context:

We did review the ETH Zurich paper (which was published yesterday, 16th of February). AliasVault was not part of that research, however we did compare the findings against AliasVault’s architecture. One specific issue they found: “field swapping / ciphertext substitution” fortunately does not apply the same way to AliasVault.

In contrast to many other password managers, AliasVault stores the entire vault as a single encrypted blob, not as separately encrypted per-field entries. That means the server can’t swap URL/password fields or tamper with individual parts without breaking integrity checks, making the client reject it.

That said, we do take all security publications seriously. We actively review each one to see whether anything is applicable and apply hardening where needed. In fact, the latest AliasVault release 0.26.4 (released yesterday) already includes security improvements to the mobile login flow (public key verification) which was specifically mentioned by this research.

As security is an ongoing process, questions like this are always welcome. Also if anyone believes they’ve found a potential issue with how AliasVault works or is designed, we also have a responsible disclosure process in place:
https://www.aliasvault.net/responsible-disclosure

6 Likes
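The difference described in the post above, as an added example that is not part of the thread and is not AliasVault's code: a client that decrypts independently sealed fields accepts two ciphertexts returned in each other's slot, while a client that decrypts one authenticated blob rejects any modified blob. AES-256-GCM, the sample entry and all function names are assumptions chosen for illustration; the example also goes one step beyond the post by showing that per-field sealing detects the swap once the field name is bound as associated data.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM stands in for "an AEAD" (assumption; the thread names no cipher).
function seal(key, plaintext, aad = '') {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if ciphertext, tag or associated data differ from what was sealed.
function unseal(key, box, aad = '') {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad, 'utf8'));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]).toString('utf8');
}

// Constructed sample entry, not real data.
const ENTRY = { url: 'https://example.test/login', password: 'constructed-sample-secret' };

// Model A: each field sealed on its own under the same key.
// bindToField=true additionally authenticates the field name as associated data.
function perFieldRoundTrip(key, bindToField) {
  const aad = (field) => (bindToField ? field : '');
  const stored = {
    url: seal(key, ENTRY.url, aad('url')),
    password: seal(key, ENTRY.password, aad('password')),
  };
  // Storage hands the two valid ciphertexts back in each other's slot.
  const returned = { url: stored.password, password: stored.url };
  try {
    return { accepted: true, url: unseal(key, returned.url, aad('url')),
             password: unseal(key, returned.password, aad('password')) };
  } catch (e) { return { accepted: false }; }
}

// Model B: the whole vault serialized and sealed as one blob.
function wholeBlobRoundTrip(key, tamper) {
  const box = seal(key, JSON.stringify({ entries: [ENTRY] }));
  if (tamper) box.ct[0] ^= 0x01; // any change made in storage to the blob
  try { return { accepted: true, vault: JSON.parse(unseal(key, box)) }; }
  catch (e) { return { accepted: false }; }
}

const demoKey = nodeCrypto.randomBytes(32);
console.log(perFieldRoundTrip(demoKey, false), wholeBlobRoundTrip(demoKey, true));
```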

Hi @lanedirt,

I have just begun playing around with AliasVault and have a question - after entering and saving my 2FA secret key, I can’t seem to see the secret key when going back in to edit the item - it only lets me delete the existing key or add a new key.

If someone wanted to, for example, move away from AliasVault, how would they find the 2FA secret key?

When editing an item in Proton Pass it shows me the secret key and I can copy and paste it into a different password manager to generate the TOTP.

Keep up the good work.

1 Like

Hi @Aflame-Blighted,

Thanks for checking out AliasVault!

The 2FA secret key is indeed not shown currently in the interface after entering it. Other users have requested this feature as well (issue exists on GitHub), so being able to see the secret in the UI will be added in one of the next releases.

When you export credentials from AliasVault via Import / Export –> Export to CSV, all 2FA secret keys will also be included in the CSV file. So the data is there and accessible, just not shown currently in the UI.

1 Like

Hi everyone,

Happy to share that the new AliasVault 0.27.0 release is now available!

This release focuses on improving the day-to-day usage: it adds various new features to the browser extension like automatically saving credentials while you browse and enabling autofill of 2FA TOTP tokens. This release also contains several bugfixes and misc. tweaks to the other AliasVault apps.

Website: https://www.aliasvault.net/
GitHub: https://github.com/aliasvault/aliasvault

  • Browser extension: Automatically prompt to save credentials and/or update URL when (manually) logging in to a new website.
  • Browser extension: You can now autofill 2FA TOTP tokens
  • Edit 2FA TOTP tokens after creation and view secret QR code (applies to all apps)
  • Add 2FA TOTP codes in mobile app via new built-in QR code scanner
  • Improve search across all apps
  • Improve self-hosted installation, fixing issues where services were not starting automatically on fresh installs

You can find the full changelog of this release here: https://www.aliasvault.net/news/aliasvault-0.27.0-released

@Aflame-Blighted this release also includes your suggestion as a new feature: 2FA secrets can now be edited and re-shown (including QR code) from the web app / browser extension / mobile app interfaces.

4 Likes

Hi,

Been using AliasVault in my secondary browser profile regularly now (on Helium Browser). And I have some feedback and requests for changes & improvements.

(I have not read this entire thread)

  1. I’m still getting emails from accounts/aliases I deleted. I do not know why. It’s kinda annoying as I have to manually clean everything up.

  2. I’d like the ability to mass delete emails. Better email management is sorely needed the more I use it full time.

  3. Ability to create aliases not solely based on names. Incorporating random usernames like how https://strongphrase.net/ this website has the ability to would be added. It’s more neutral when no name is attached to it. I used AliasVault to create this account here to post this. So, please think about this.

  4. I’d like to see the delete icon next to the edit icon itself. It’s not always clear where and how one can go to delete the account credential/alias in fill. Please make it more obvious.

  5. Ability to disable alias such that you can’t receive email until you re-enable it would be a massive plus too.

  6. Bug: When I was creating an account here, I wanted to edit the name of the account but as soon as I started typing “PG Community” when it originally auto named it as “Guides Community”, the extension would just close and collapse. It doesn’t seem like the add on is able to handle the edit of the name while creating it. Please see to this as well.

Hope to see fixes soon. Thank you for making AliasVault. I’m loving this tool. It’s quicker to use than other alternatives. Snappy, is the better word.

1 Like

Hi @parkerchandler1979,

Great to hear you’re using AliasVault, and thanks for your feedback and suggestions.

I’ll look into the alias disable and extension collapse issues you mentioned, and add the feature suggestions to the list as well.

At the moment work is being focused toward AliasVault v1.0, with a strong focus on stability and bug fixes, and on completing some remaining core features such as vault sharing / family sharing. Because of that, smaller improvements and UI tweaks may take a bit longer to get to, but feedback like this definitely helps to prioritize.

Also thanks for the kind words about the extension being fast, glad to hear it’s working well for you overall. :grinning_face:

Feel free to keep sharing suggestions or possible bugs in case you come across more areas for improvement, I appreciate it a lot!

2 Likes