Hello,
Today I stumbled upon this project. It seems it is taking a different approach to password management.
The service is not subscription-based, instead you pay a one-time fee.
Anyone willing to give it a spin?
Mistikee is the innovative password manager that secures your data without storing it online. Easily access all your passwords without entrusting them to anyone.
mistikee.app
I can’t “give it a spin” myself (I can’t install/run software or validate a vendor’s claims from here), and it’s not possible to determine whether a new password manager is safe just from its website. With password managers, the risk is high because you’re trusting it with your entire credential vault.
That said, you can evaluate Mistikee (or any new password manager) in a reasonably safe, methodical way.
What matters more than “one-time fee vs subscription”
A one-time license can be fine, but it doesn’t automatically mean the product is safer, more private, or better maintained. The bigger questions are:
- Will it receive ongoing security updates for years (not months)?
- Is the cryptography design documented (not just marketing claims)?
- Has it had a reputable, independent security audit?
- Is there a clear plan for vulnerability reporting (security.txt / bug bounty / contact)?
Minimum security checklist before trusting it with real passwords
- Encryption design is clearly documented: zero-knowledge, end-to-end encryption, what is encrypted, what metadata is left visible.
- KDF details: Argon2id (commonly preferred today) with stated parameters, or PBKDF2 with strong parameters. “Military-grade” wording without parameters is a red flag.
- How sync works: where vault data is stored, whether the server ever sees plaintext, and whether encryption happens only on-device.
- Independent audit: ideally a public report from a known security firm. Self-attestations are not equivalent.
- Export/lock-in: can you export in standard formats (CSV/JSON) so you can leave without losing data?
- Recovery model: what happens if you forget the master password? (If they can recover it, that often implies they can access it, which is usually bad.)
- 2FA/passkey support: especially for the account that controls sync (if applicable).
- Update mechanism: signed installers, clear versioning, and a trustworthy update channel.
If someone here wants to test it, do it safely
- Test in a VM or a spare device first.
- Use a new “dummy” vault with throwaway credentials (not your real accounts).
- Upload any installer to VirusTotal and check detections, but don’t treat “0 detections” as proof of safety (and don’t treat a few detections as proof of malware either—false positives happen).
- Monitor outbound connections (e.g., with a firewall prompt or network monitoring) to see what it talks to during sync/login.
- Check whether it supports standard exports and whether it can work offline.
Practical recommendation
Until there’s substantial community scrutiny (and ideally an independent audit), it’s safer to stick with well-established password managers that have a long track record and public security documentation. A new entrant can still be legitimate, but it should earn trust with transparency and evidence.
If you want this thread to move forward constructively, the most useful next step is for anyone considering it to post concrete technical details from the product (crypto/KDF parameters, sync architecture, audit links, export formats, recovery model) rather than impressions from the landing page.
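As an added example that is not part of the original thread and not Mistikee's code, the script below turns the KDF item of the checklist above into a mechanical check. It parses a vendor's stated KDF configuration (the sample claim strings are constructed for illustration), scores it against the OWASP Password Storage Cheat Sheet minimums (Argon2id m=19 MiB/t=2/p=1, scrypt N=2^17/r=8/p=1, PBKDF2-HMAC-SHA256 600,000 iterations, SHA-512 210,000, SHA-1 1,300,000), flags "military-grade" style wording, and then measures how long the recommended PBKDF2 iteration count actually costs on the local machine so a stated "instant unlock" can be compared with reality.

```python
"""Score a password manager's stated KDF parameters against OWASP minimums.

Added example; the vendor statements in SAMPLE_CLAIMS are constructed,
not taken from any real product's documentation.
"""
import hashlib
import os
import re
import time
from typing import Optional

# OWASP Password Storage Cheat Sheet minimums (memory in KiB).
MIN_ARGON2ID = {"m": 19 * 1024, "t": 2, "p": 1}
MIN_SCRYPT = {"n": 2 ** 17, "r": 8, "p": 1}
MIN_PBKDF2 = {"1": 1_300_000, "256": 600_000, "512": 210_000}
MARKETING_PHRASES = ("military-grade", "military grade", "bank-level", "unbreakable")

# Matches "m=64 MiB", "t=3", "N=2^17", "r=8" in free-form vendor text.
_PARAM_RE = re.compile(r"\b([a-z])\s*=\s*(2\^\d+|\d+(?:,\d{3})*)\s*(kib|kb|mib|mb|gib|gb)?", re.I)
_ITER_RE = re.compile(r"(\d+(?:,\d{3})*)\s*(?:iterations|rounds)", re.I)
_PRF_RE = re.compile(r"sha-?(256|512|1)\b", re.I)
_UNIT_KIB = {"kib": 1, "kb": 1, "mib": 1024, "mb": 1024, "gib": 1024 ** 2, "gb": 1024 ** 2}


def _num(s: str) -> int:
    """Parse '131,072' or '2^17' into an int."""
    s = s.replace(",", "")
    if "^" in s:
        base, exp = s.split("^")
        return int(base) ** int(exp)
    return int(s)


def parse_kdf_claim(text: str):
    """Return (algorithm, params, pbkdf2_prf) extracted from a vendor statement."""
    low = text.lower()
    if "argon2id" in low:
        alg = "argon2id"
    elif "argon2" in low:
        alg = "argon2"          # variant (i/d/id) not stated
    elif "scrypt" in low:
        alg = "scrypt"
    elif "pbkdf2" in low:
        alg = "pbkdf2"
    else:
        alg = None
    params = {}
    for key, val, unit in _PARAM_RE.findall(low):
        n = _num(val)
        if key == "m" and unit:    # Argon2 memory: normalise to KiB
            n *= _UNIT_KIB[unit]
        params[key] = n
    m = _ITER_RE.search(low)
    if m:
        params["iterations"] = _num(m.group(1))
    prf = _PRF_RE.search(low)
    return alg, params, (prf.group(1) if prf else None)


def assess_kdf_claim(text: str):
    """Return ('ok' | 'weak' | 'red_flag', findings) for one stated KDF config."""
    alg, params, prf = parse_kdf_claim(text)
    notes = []
    if any(p in text.lower() for p in MARKETING_PHRASES):
        notes.append("marketing strength wording; only stated parameters count")
    if alg is None:
        return "red_flag", notes + ["no password-hashing KDF (Argon2/scrypt/PBKDF2) named"]
    need = {"argon2id": ("m", "t", "p"), "argon2": ("m", "t", "p"),
            "scrypt": ("n", "r", "p"), "pbkdf2": ("iterations",)}[alg]
    missing = [k for k in need if k not in params]
    if missing:
        return "red_flag", notes + [f"{alg} named but parameters not stated: {', '.join(missing)}"]
    weak = []
    if alg == "argon2":
        weak.append("Argon2 variant not stated; Argon2id is the one to ask for")
    if alg in ("argon2", "argon2id"):
        if params["m"] < MIN_ARGON2ID["m"]:
            weak.append(f"memory {params['m']} KiB < {MIN_ARGON2ID['m']} KiB")
        if params["t"] < MIN_ARGON2ID["t"]:
            weak.append(f"t={params['t']} < {MIN_ARGON2ID['t']}")
    elif alg == "scrypt":
        if params["n"] < MIN_SCRYPT["n"]:
            weak.append(f"N={params['n']} < {MIN_SCRYPT['n']}")
        if params["r"] < MIN_SCRYPT["r"]:
            weak.append(f"r={params['r']} < {MIN_SCRYPT['r']}")
    else:  # pbkdf2
        if prf is None:
            weak.append("PBKDF2 PRF not stated; judged against the HMAC-SHA256 threshold")
            prf = "256"
        if params["iterations"] < MIN_PBKDF2[prf]:
            weak.append(f"{params['iterations']} iterations < {MIN_PBKDF2[prf]} for PBKDF2-HMAC-SHA{prf}")
    return ("weak" if weak else "ok"), notes + weak


def time_pbkdf2(iterations: int, prf: str = "sha256") -> float:
    """Wall-clock seconds for one PBKDF2-HMAC derivation on this machine."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac(prf, b"correct horse battery staple", salt, iterations, dklen=32)
    return time.perf_counter() - t0


# Constructed vendor statements, not quotes from any product.
SAMPLE_CLAIMS = [
    "Argon2id with m=64 MiB, t=3, p=4",
    "PBKDF2-HMAC-SHA256 with 100,000 iterations",
    "Military-grade AES-256 encryption for your vault",
    "scrypt, N=2^17, r=8, p=1",
    "Argon2id",
]

if __name__ == "__main__":
    for claim in SAMPLE_CLAIMS:
        verdict, findings = assess_kdf_claim(claim)
        print(f"{verdict:9} {claim!r}")
        for f in findings:
            print("   -", f)
    print(f"PBKDF2-HMAC-SHA256 x600,000 took {time_pbkdf2(600_000):.2f}s here")
```

The point of the last line is the comparison: if a vendor says unlocking is "instant" yet claims a KDF at these parameters, one of the two statements is wrong, and that is exactly the kind of concrete detail worth posting back to the thread.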