author | brantje <brantje@gmail.com> | 2017-02-17 23:25:18 +0300 |
---|---|---|
committer | brantje <brantje@gmail.com> | 2017-02-17 23:25:18 +0300 |
commit | 6767322a22bae9549b439fac40bbdbd2a2df8fee (patch) | |
tree | 2bfcd4ec82685f31b226168f4a76ad8f0ba15b0c /README.md | |
parent | 76852c0d77c81766fe706afb9293eff40187c7a4 (diff) |
Lock vault after 3 wrong attempts (Fixes #197)
Fix share button, fix shared_key not added to storedCredential after sharing (Fixes #249)
Add password app importer. Fixes #248
Fix version check via proxy. Fixes #237
Fix activity app not filtering. Fixes #246
Add EnPass txt importer. Fixes #159
Fix for disabled share button
Require vault key for export. Fixes #199
Indicate that sharing only works with users that have 1 or more vaults.
Fixes #242
Reset tags on logout. Fixes #245
Ability to enter OTP secret manually. Fixes #198
Create teampass importer. Fixes #244
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 93 |
1 files changed, 70 insertions, 23 deletions
@@ -1,4 +1,5 @@ #Passman +Passman is a full featured password manager. [![Build Status](https://travis-ci.org/nextcloud/passman.svg?branch=master)](https://travis-ci.org/nextcloud/passman) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/749bb288c9fd4592a73056549d44a85e)](https://www.codacy.com/app/brantje/passman?utm_source=github.com&utm_medium=referral&utm_content=nextcloud/passman&utm_campaign=Badge_Grade) @@ -6,11 +7,37 @@ [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/nextcloud/passman/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/nextcloud/passman/?branch=master) -Passman is a full featured password manager. -Features: +## Contents +* [Screenshots](https://github.com/nextcloud/passman#Screenshots) +* [Features](https://github.com/nextcloud/passman#features) +* [External apps](https://github.com/nextcloud/passman#external-apps) +* [Security](https://github.com/nextcloud/passman#security) + * [Password generation](https://github.com/nextcloud/passman#password-generation) + * [Storing credentials](https://github.com/nextcloud/passman#storing-credentials) +* [API](https://github.com/nextcloud/passman#api) +* [Docker](https://github.com/nextcloud/passman#docker) +* [Maintainers](https://github.com/nextcloud/passman#main-developers) +* [Contributors](https://github.com/nextcloud/passman#contributors) + + + + +##Screenshots +![Logged in to vault](http://i.imgur.com/ciShQZg.png) + +![Credential selected](http://i.imgur.com/3tENldT.png) + +![Edit credential](http://i.imgur.com/Iwm3hUe.png) + +![Password tool](http://i.imgur.com/ZYkN70r.png) + +For more screenshots: [Click here](http://imgur.com/a/giKVt) + + +## Features: - Vaults - Vault key is never sent to the server -- Credentials are stored with 256 bit AES +- Credentials are stored with 256 bit AES (see [security](https://github.com/nextcloud/passman#security)) - Ability to add custom fields to credentials - Built-in OTP(One Time Password) generator - Password analyzer 
@@ -21,7 +48,9 @@ Features: - DashLane - ZOHO - Clipperz.is - + - EnPass + - [ocPasswords](https://github.com/fcturner/passwords) + For a demo of this app visit [https://demo.passman.cc](https://demo.passman.cc) @@ -29,10 +58,10 @@ For a demo of this app visit [https://demo.passman.cc](https://demo.passman.cc) - NextCloud 10 / 11 - ownCloud 9.1+ -## Browser extensions -At this moment we don't have any extensions available, sorry! -However, if you're interested in helping us (or you want to guide us while building) -Check out: https://github.com/nextcloud/passman-chrome-extension + +## External apps +- [Firefox / chrome extension](https://github.com/nextcloud/passman-webextension) +- [Android app](https://github.com/nextcloud/passman-android) ## Supported databases 
@@ -44,28 +73,46 @@ Check out: https://github.com/nextcloud/passman-chrome-extension Untested databases: - pgsql +## Security -##Screenshots -![Logged in to vault](http://i.imgur.com/ciShQZg.png) +### Password generation +Passman features a build in password generator. +Not it only generates passwords, but it also measures their strength using [zxcvbn](https://github.com/dropbox/zxcvbn). +![](http://i.imgur.com/2qVBUfM.png) -![Credential selected](http://i.imgur.com/3tENldT.png) +Generate passwords as you like +![](http://i.imgur.com/jcRicOV.png) +Passwords are generated using the random functions from `sjcl`. -![Edit credential](http://i.imgur.com/Iwm3hUe.png) -![Password tool](http://i.imgur.com/ZYkN70r.png) +### Storing credentials +All passwords are encrypted client side using [sjcl](https://github.com/bitwiseshiftleft/sjcl) which uses AES-256 bit. +Users supply a vault key which is feed into sjcl as encryption key. +After the credentials are encrypted they are send to the server, there they will be encrypted again. +This time using the following routine: +- A key is generated using `passwordsalt` and `secret` from config.php *so back those up* +- Then the key is [stretched](http://en.wikipedia.org/wiki/Key_stretching) using [Password-Based Key Derivation Function 2](http://en.wikipedia.org/wiki/PBKDF2) (PBKDF2). +- [Encrypt-then-MAC](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption) (EtM) is used for ensuring the authenticity of the encrypted data. +- Uses openssl with the `aes-256-cbc` ciper. +- [Initialization vector](http://en.wikipedia.org/wiki/Initialization_vector) (IV) is hidden +- [Double Hash-based Message Authentication Code](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code) (HMAC) is applied for verification of the source data. -For more screenshots: [Click here](http://imgur.com/a/giKVt) -## Encryption (server side) -All passwords are encrypted client side AND server side. 
-This means that if you move to another server you have to backup the following from config.php -- `passwordsalt` -- `secret` +### Sharing credentials. +Passman allows users to share passwords (this can be turned off by an administrator). -## Support Passman -If you like passman, support us via [patreon](https://www.patreon.com/user?u=4833592) or [paypal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6YS8F97PETVU2) +## API +For developers passman offers an [api](https://github.com/nextcloud/passman/wiki/API). + +## Support Passman +Passman is open source, but we would gladly accept a beer (or pizza!) +Please consider donating via +- [Paypal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6YS8F97PETVU2) +- [Patreon](https://www.patreon.com/user?u=4833592) +- Bitcoin: 1H2c5tkGX54n48yEtM4Wm4UrAGTW85jQpe + ## Code reviews If you have any improvements regarding our code. Please do the following @@ -77,8 +124,8 @@ Please do the following Or if you're feeling lazy, create an issue, and we'll think about it. ## Docker -To run passman with docker you can use `docker run -p 8080:80 -p 8443:443 brantje/passman` -To use your own SSL cert mount them as below +To run passman with docker you can use `docker run -p 8080:80 -p 8443:443 brantje/passman` +You have to supply your own ssl certs. Example: `docker run -p 8080:80 -p 8443:443 -v /directory/cert.pem:/data/ssl/cert.pem -v /directory/cert.key:/data/ssl/cert.key brantje/passman` |
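Review bot: In the new Contents list (hunk @@ -6,11 +7,37 @@) every entry is an absolute `https://github.com/nextcloud/passman#...` link, so the table of contents jumps to the upstream repository when the README is read on a fork or mirror; relative anchors such as `(#features)` avoid that. The first entry targets `#Screenshots` with a capital S while the others are lowercase, the `Maintainers` label points at `#main-developers`, and the `### Sharing credentials.` subsection added later in this patch has no entry under Security. `##Screenshots` is also missing the space after `##` that `## Contents` and `## Features:` have.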
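Review bot: The importer list in hunk @@ -21,7 +48,9 @@ gains only `EnPass` and `ocPasswords`, but the commit message also says "Create teampass importer. Fixes #244"; add a TeamPass entry so the README lists every importer this commit introduces.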
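Review bot: The Storing credentials list in hunk @@ -44,28 +73,46 @@ states "Initialization vector (IV) is hidden" without saying how the IV is generated; for `aes-256-cbc` the property that matters is a fresh, unpredictable IV for each encryption, so document that and explain what "hidden" means here. The PBKDF2 bullet names no hash function or iteration count, and "Double HMAC" is not explained, which leaves a reader unable to assess the server-side layer from this section. The hunk also removes the explicit instruction to back up `passwordsalt` and `secret` from config.php when moving to another server and replaces it with the aside "*so back those up*"; keep that as a full sentence of its own. Typos in the added lines: "build in" (built-in), "Not it only generates" (Not only does it generate), "feed into" (fed into), "they are send" (sent), "ciper" (cipher).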
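Review bot: In the Docker hunk (@@ -77,8 +124,8 @@) the first line still presents `docker run -p 8080:80 -p 8443:443 brantje/passman` as a usable command, while the new second line says "You have to supply your own ssl certs"; either state what the container does when no certificate is mounted or make the cert-mounting command the only one shown. The example bind-mounts the private key `cert.key` read-write into the container; appending `:ro` to both `-v` mounts would be a safer default to document.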