Passwords and Managers – My Very Own Story

Back in 2010, when I started studying computer science, the very first thing that I have asked myself was: who is responsible for protecting my data? 

This was a start of a new journey for me. On the one hand, I was learning a lot of new things, such as OOP, databases, distributed systems (today known as SaaS and/or „The Cloud“). On the other hand, I realized that databases on servers stored physically anywhere is managed by someone else. I started to mistrust and stopped using services like cloud file hosting, food and sport trackers and even was skeptical about submitting personal data to „official“ services (such as Amazon, eBay, etc).

The Gate to the Digital Identity

In the meantime, I have lightened up a bit, to be honest. But there is one kind of very sensible data which I will never to a cloud service: passwords.

There is no need to talk about the importance of strong passwords. Further, to generate strong, custom and not brute-forceable passwords, there is no way around using password managers. And still today, I am using open source versions of password managers, have a painstaking process of synchronizing (manually) passwords over devices and would never trust a proprietiery service for storing my passwords.

The reason is very simple: I do not know who is protecting my data, who has access and what the code processing my passwords looks like. Even if the provider would be very reputable, the nature of the data is too sensitive to store it anywhere (encrypted) on any servers out there.

Password Managers and Open Source

Over the years I was looking for open source solutions to host at home. But no one of the existing providers fit my needs for 100%. Some of them require a browser extension to run, others do not have mobile applications and others lack in UI/UX.

That was the reason why I launched Keestash as a project. Keestash should be the answer to all of my worries in the context of passwords. Hosting on private servers and encrypting with AES-256-CBC should ensure that nobody except than me has access to the data. The password generator helps to generate passwords that are not to find in any dictionary. I have little collaboration features, such as (public) sharing for the case that I want to share a password without texting it with a messenger. And the code is open source (and written by me) so I (and everyone else) know what it does and further, everyone can inspect Keestash before starting to use it. And last but not least: engineering an application from scratch provides valueable experience and skills.

Keestash as an Enterprise Solution

First things first: I think Keestash has the potential to grow as an enterprise solution. Admittedly, Keestash is not yet fully equipped with enterprise features. But there is much potential and more in the pipeline. As a rough overview I can mention the following incomplete list of features:

  • Collaborating and Sharing

Basically, Keestash provides sharing to registered users as well as public sharing via links. But collaboration is not limited to this: users should have the option to work closer together, save time and make their passwords stronger and better protected.

  • Admin Tools

When talking about enterprise, there is no way around administrators and privileged users monitoring the application and intervening when necessary. To help admins, Keestash should provide Dashboards (about users, passwords, access, etc), audit logs for periodical audits (such as PCI-DSS) and a general activity log. Further, there should be „automated“ protection such as PBKDF (protecting against brute-forcing passwords), rule-based (access) blocking, etc.

  • Enterprise Integration

Existing IT infrastructures should not be a problem for Keestash. There should be an integration into existing infrastructure using common protocols like Active Directory (AD), LDAP, Azure AD, AWS Directory Services.

But Keestash does not necessarily depend on these protocols. There is a built in access control using „Role Based Access Control“ (RBAC) standard. RBAC allows easily to add and remove users or groups to existing roles to grant access to passwords.

  • Multi-Factor Authentication and Identity Management

The access to Keestash will get a Multi-Factor-Authentication (known as MFA or 2FA) which should protect the application. Further, MFA and 2FA can be optional or required by Admins (see Admin Tools).

In a not so distant future, Keestash should also provide Identity Management (IDM, SCIM). Users should be able to have a „log in with Keestash“ option. Further protocols like Time-based One Time Passwords (TOTP), Web Authentication (WebAuthn), Single Sign On (SSO) and even Mobile Device Management (MDM) can be a part of Keestash or a seperate Keestash service.


Keestash is now in active development since 2020 besides to my full time job. As stated above, I see much potential in the application. Further, I believe in open source and believe that the open source nature will create trust with customers. That is why Keestash is fully open source and free.

The interest of early customers also shows that Keestash has potential. In a very close future, we will roll out Keestash as a Beta at a medium-sized company in Germany.

If you are interested to learn more about Keestash, you can visit the official website. Please also feel free to drop me an email in case of any questions regarding to the product, development and/or integration into your existing infrastructure:

Error: Contact form not found.

I have also prepared whitepapers of the product to provide a better overview over Keestash. You can download it from the Keestash website:

I am also looking for contributors. If you are interested in contributing to a new open source project drop me an email or just open a PR on GitHub.