Retreat

Retreat locks you out of Instagram, Facebook, Twitter, or whatever you need a break from.

Think of it as a timed safe: you replace your password with a secure new one, and lock it away for a predetermined period of time. I built this so I could take a break from Instagram, and reconnect with myself, and I hope you might too!

How it works

You pick how long you want to go on retreat, and replace your existing password with a secure new password. Then you go do something nice with all the time you have back.

And when the timer is up, you can get your dear websites back. I hope you’ll be happy to return, maybe with a sense of appreciation for how they connect you to friends and loved ones. Or maybe you discover you have had enough! Whatever happens, when the break is over I hope you’re more you. ʕ •ᴥ•ʔ

Security

Your Retreat password is stored as a salted hash on our server. We don’t store your plaintext password. Your vault usernames and passwords are stored in an AES-GCM-encrypted vault. This vault is encrypted by you, locally, in your browser, and then the encrypted vault is sent to our server. When the time lock expires, you can unlock the vault locally in your browser. At no point can we look inside of it, or decrypt it without your password, as we only store a derived hash.

All Retreat account passwords are hashed using Argon2id, the winner of the Password Hashing Competition, configured to exceed OWASP’s recommended settings for the algorithm. The stored hash is the result of hashing twice with this algorithm, allowing us to use the first hash to derive the Data Encryption Key for the vault. The double hash is stored to authenticate you when logging in and locking vaults.
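
The double-hash arrangement described above, sketched as an added example (this is not Retreat's code). Node's scrypt stands in for Argon2id, and the HKDF step, the two salts, the `vault-dek` label, the sample values and all function names are assumptions the page does not specify.

```javascript
// Added illustration, not Retreat's implementation.
// Swapped-in technique: scrypt replaces Argon2id so this runs on Node's built-in crypto.
const crypto = require('crypto');

const slowHash = (input, salt) =>
  crypto.scryptSync(input, salt, 32, { N: 2 ** 14, r: 8, p: 1 });

// First hash -> vault key (DEK); hash of the first hash -> value stored for login.
// Assumption: the DEK is taken from the first hash with HKDF-SHA256.
function deriveKeys(password, salt1, salt2) {
  const firstHash = slowHash(password, salt1);
  const dek = Buffer.from(crypto.hkdfSync('sha256', firstHash, salt1, 'vault-dek', 32));
  const verifier = slowHash(firstHash, salt2); // the "double hash"
  return { dek, verifier };
}

function sealVault(dek, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function openVault(dek, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, iv);
  decipher.setAuthTag(tag);
  // final() throws if the key is wrong or the ciphertext was modified
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Login check against the stored double hash, compared in constant time.
const checkLogin = (stored, submitted) =>
  stored.length === submitted.length && crypto.timingSafeEqual(stored, submitted);

function demo() {
  const salt1 = crypto.randomBytes(16), salt2 = crypto.randomBytes(16);
  const good = deriveKeys('constructed-passphrase', salt1, salt2);
  const bad = deriveKeys('wrong-passphrase', salt1, salt2);
  const entry = JSON.stringify({ site: 'example.invalid', password: 'constructed' });
  const vault = sealVault(good.dek, entry); // only this object would be uploaded
  let wrongKeyFails = false;
  try { openVault(bad.dek, vault); } catch { wrongKeyFails = true; }
  return {
    roundTrip: openVault(good.dek, vault),
    authOk: checkLogin(good.verifier, deriveKeys('constructed-passphrase', salt1, salt2).verifier),
    authBad: checkLogin(good.verifier, bad.verifier),
    wrongKeyFails,
    verifierIsNotDek: !good.verifier.equals(good.dek),
  };
}
```

Because the stored value is a slow hash of the first hash, holding it does not yield the first hash or the DEK; recovering either requires guessing the password through both slow-hash steps.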