13 points by Leomuck 3 hours ago | 2 comments
  • d-cc 3 hours ago
    I'd like to checkout the app, but when I tried to register, the password requirements seem a little bit strict.

    Why not just allow users to use lowercase a for their password? This would have helped me register for the website.

    • Leomuck 3 hours ago
      Fair! I did think about this a lot. Initially, I also thought "8 characters of any kind" was fair enough. Then I read a lot and decided a bit more security would be good. But honestly, given what you wrote, I did find myself happy that I had an account before this security measurement. So I guess I'm of your opinion.

      However, the app does not enforce lowercase/uppercase. It uses Laravel's uncompromised() function, which I think makes sense. It checks against https://haveibeenpwned.com/Passwords.

      I'm happy to discuss length! But I think the uncompromised makes sense. But happy to hear any arguments!

      If it makes it harder to register, that is still an argument and must be discussed against the argument of security. I'd love to hear other people's thoughts here since security vs usability is always a complicated thing.

      • linsomniac 2 hours ago
        This opinion is worth what you paid for it:

        Don't make your password requirements less strict. Don't encourage people to use weak passwords that are likely shared across sites. That leads to pain and suffering over the long term.

        If you want to reduce friction for people who don't/won't use a password manager, provide a passwordless option like a login link that is e-mailed to them. Yes, people will likely complain about "your service is supposed to be my email, why are you requiring an e-mail to login", in which case they should be using a strong password.

        To the person requesting weak passwords: Just set up the Google or Firefox password manager; it will auto-suggest a strong password on the registration page and save it for use across devices. There is zero reason to be using the same password across accounts, and a lot of reason not to.

        Attackers do actively try passwords you have used on other sites to try to compromise your accounts elsewhere. This happens when services leak passwords or password hashes. If your password is short and lowercase, it really doesn't matter if only your password hash has been leaked, it might as well have just been the password itself. This is the lowest-hanging fruit for attackers.

        • Leomuck 2 hours ago
          Thanks for your opinion. I appreciate it. I think that makes a lot of sense. I also like the idea of passwordless, I'll definitely have a look at that!
      • turblety 3 hours ago
        There really are only two dials you can turn to increase the security of a password, and that's length of the character set (the characters that the user can use in their password) and length of the password itself.

        People should be using a password manager, then they can set that to 100/200 characters. Even if all lower case, it will be unbreakable (assuming a modern/secure one way hashing algorithm, and the password manager is truly random.).

        If they are not using a password manager and use something like `waterfall!X` (because you enforce a special character and capital letter), you haven't actually increased entropy by that much, compared to a longer password. Them making up a 100 character password will almost guarantee more entropy than a short password they make up like `waterfall!X`.

        Also, because it's the internet [1]:

        1. https://xkcd.com/936/

        • Leomuck 2 hours ago
          Yes, I did read up a lot about password security the last few years. But still, I'm worried a very secure policy restricts people from registering at all, see case above. What would you say is a good compromise?

          Another thought I have discussed a lot is: this app is not something critical. It's not online banking, it saves very little about you (as little as possible), etc. - so what does this say about the compromise? If an account were to be compromised, an attacker would only have access to the todos, music, notes of a user. Now, todos and notes could be very telling, but I'm unsure about how much of a responsibility I have as an admin to save users from this? Do you know what I mean?

          • turblety 10 minutes ago
            Yeah, I understand. I think my point is: don't add any other friction to the password strength other than length. If you want more security, increase the min length; if you're happy with less, lower it.

            I’d personally have a 12 length password enforcement, a password strength meter and nothing else. Possibly less if you introduce 2fa.

            • Leomuck 5 minutes ago
              Yea, that's what I gathered as well. So what do you think about checking against compromised passwords?
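The policy this subthread converges on (turblety's "length and a strength meter, nothing else" plus Leomuck's check against compromised passwords) as one added example, not code from the thread, from solyto or from Laravel. It assumes the Pwned Passwords range-lookup format (the client sends the first five hex characters of the SHA-1 and matches the returned `SUFFIX:COUNT` lines locally), replaces the network call with a constructed in-memory index whose passwords and counts are made up, and takes the 12-character minimum as an assumption. The entropy figure is the charset-size-times-length upper bound turblety describes, so it is only reached by randomly generated passwords.

```python
"""Password policy: minimum length, a charset/length entropy estimate, and a
k-anonymity lookup against a Pwned Passwords-style range index.
Added example; not solyto's or Laravel's code. The index is constructed."""
import hashlib
import math
import string
from dataclasses import dataclass
from typing import Callable

MIN_LENGTH = 12  # turblety's suggested minimum; an assumption for this example


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
    ]
    size = 0
    known = ""
    for chars, n in classes:
        known += chars
        if any(c in chars for c in password):
            size += n
    # Anything else (space, non-ASCII): count each distinct character once.
    size += len({c for c in password if c not in known})
    return size


def estimate_entropy_bits(password: str) -> float:
    """Upper bound length * log2(charset); a human-chosen password is weaker."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Range lookups send only the 5-char prefix; the suffix is matched locally."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real service)."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in breach data; 0 if never."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


class ConstructedRangeIndex:
    """Offline stand-in for https://api.pwnedpasswords.com/range/<prefix>.
    The passwords and counts it is built from are invented for this example."""

    def __init__(self, leaked: dict[str, int]):
        self.buckets: dict[str, list[str]] = {}
        for pw, count in leaked.items():
            prefix, suffix = split_hash(sha1_upper(pw))
            self.buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(self, prefix: str) -> str:
        return "\r\n".join(self.buckets.get(prefix, []))


# Constructed breach index with made-up counts.
INDEX = ConstructedRangeIndex({"password": 12345, "123456": 99999, "waterfall!X": 7})


@dataclass
class PolicyResult:
    ok: bool
    entropy_bits: float
    breach_count: int
    reasons: list


def check_password(password: str, fetch_range: Callable[[str], str] = INDEX.fetch,
                   min_length: int = MIN_LENGTH) -> PolicyResult:
    """Length plus breach check only: no composition rules (case, symbols)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        reasons.append(f"appears {seen} times in breach data")
    return PolicyResult(not reasons, estimate_entropy_bits(password), seen, reasons)


if __name__ == "__main__":
    for candidate in ["waterfall!X", "password", "a" * 100, "salted-lemon-orbit-74-quilt"]:
        r = check_password(candidate)
        print(f"{candidate[:28]:30} ok={r.ok} bits={r.entropy_bits:.1f} {r.reasons}")
```

Running the block shows the thread's two points side by side: `waterfall!X` is rejected for being short and for appearing in the (constructed) breach data despite its symbol and capital, while 100 lowercase letters pass with a far larger entropy bound. To use the real service, `fetch_range` would be an HTTP GET of the prefix against the range endpoint; the full hash never leaves the client either way.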
  • Leomuck 3 hours ago
    I’ve been building something over the last year, with probably 1000 hours going into it. A personal management app that does almost everything while being privacy-focused, no-bullshit, open-source and selfhostable. It’s called solyto.

    I've been frustrated for a while with what's out there. I'm a data hoarder and love to organize things, but I kept jumping from app to app - started with Notion, but was frustrated with speed and then privacy issues. Switched to Obsidian, tried to do everything there, but figured Obsidian is great at notes, but wasn’t meant for writing custom JavaScript code to build libraries. Tried AnyType, found it confusing. Tried lots of other apps and was annoyed by pricy subscriptions, useless AI features and lots of “you should do this” things. There are great open-source options for most everything, but being a software developer at work, I really didn’t feel like stitching together 6 apps to do what I want and also, I found that’s not accessible to everybody.

    I just wanted an app that does what I need in my daily life, that is easy-to-use and no-bullshit. So I built solyto. It’s completely free, open-source, self-hostable and community-focused. I’ve been using it with a couple of my friends for half a year and have replaced pretty much every other app I’ve been using. I’d love for this to be useful to others as well and to be some kind of community project - people suggest or wish for things, I (or other contributors) build it and that’s that. No company shit, no money incentives, no other motives.

    Solyto is available at https://solyto.app.

    It does todos, notes, calendars & contacts (with DAV sync to your phone), music library, book library, games library, news, daily trackers, finance tracking, time tracking, well basically almost everything I could think of. And if a thing you’d like is missing, I’d love to build it!

    If any of you would like to try it out, you can do so via the website or via GitHub for selfhosting. We have pre-built images, compose files, etc. If anything is missing, let me know!

    Anyway, I'd love feedback on this. Any kind of feedback! And of course any questions are also welcome.

    Cheers, Leo

    Links:
    - App: https://solyto.app
    - GitHub: https://github.com/solyto/solyto
    - Self-hosting instructions: https://github.com/solyto/selfhosted
    - Discord: https://discord.gg/JbNPJHG6

    • goobatrooba 2 hours ago
      Hi Leo, using a valid email and password I get a "There was an error with your registration" error.

      Also I wonder... How sustainable is this? Free is great, but what is your income/maintenance model? E.g. you offer calendar which even many paid email providers don't offer.. :-)

      Thanks for what looks at the surface like a very sleek tool. I haven't been able to see it on substance.

      • Leomuck 2 hours ago
        Hey gooba! Thanks for wanting to try it out. And sorry, you ran into this issue.

        It appears Laravel's throttling function doesn't work well with my reverse proxy setup. I have disabled it for now. I have just tried it out and registering works again.

        Again, sorry for this. This is my first publication attempt and I fear some issues will only show this way. However, I'm here and happy to fix everything on the fly :)

      • Leomuck 2 hours ago
        Oh, and I missed the middle part of your post. Fair question! I do think it is quite sustainable. For that to make sense you might have to know me better, but my perspective is I have a good paying job, I have money and especially time to spare and I want to make things better. So I'm honestly happy to spend money AND time on this to be sustainable. I have a very capable root server to run this on and I have money already reserved to get another one. I'm getting by just fine and I'm more than happy to spend some hundreds of euros a month to make the world a little easier/better for people. I'm also happy to spend my time for this.

        I did think a lot about monetizing it, but really I feel like that would skew the whole idea of the app. I want this to be for the community. We struggle enough with enshittification anywhere. I'm in a privileged position where I can build and maintain this. And it's available for self-hosting, so anybody can do so as well.

        Now, if we were to hit an insane amount of users, the question might have to be tackled again, but that's far away and I think with the infrastructure I have and can get with my allocated "solidary" budget, it'd really have to get to insane amounts to actually be an issue.

        So I'd like to think it is indeed sustainable. I'm doing this to be sustainable. I want to build something people appreciate and use. I'm happy to spend lots on it!