# Passman
Passman is a full-featured password manager.

[![Build Status](https://travis-ci.org/nextcloud/passman.svg?branch=master)](https://travis-ci.org/nextcloud/passman)
[![Docker Automated build](https://img.shields.io/docker/build/brantje/passman.svg)](https://hub.docker.com/r/brantje/passman/)
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/749bb288c9fd4592a73056549d44a85e)](https://www.codacy.com/app/brantje/passman?utm_source=github.com&utm_medium=referral&utm_content=nextcloud/passman&utm_campaign=Badge_Grade)
[![Codacy Badge](https://api.codacy.com/project/badge/Coverage/749bb288c9fd4592a73056549d44a85e)](https://www.codacy.com/app/brantje/passman?utm_source=github.com&utm_medium=referral&utm_content=nextcloud/passman&utm_campaign=Badge_Coverage)
[![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/nextcloud/passman/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/nextcloud/passman/?branch=master)

## Join us!
Visit the [“Passman General Talk” Telegram Group](https://t.me/passman_general) to participate in all sorts of topical discussions about Passman and its apps!

## Contents
* [Screenshots](https://github.com/nextcloud/passman#Screenshots)
* [Features](https://github.com/nextcloud/passman#features)
* [External apps](https://github.com/nextcloud/passman#external-apps)
* [Security](https://github.com/nextcloud/passman#security)
* [Password generation](https://github.com/nextcloud/passman#password-generation)
* [Storing credentials](https://github.com/nextcloud/passman#storing-credentials)
* [Support passman](https://github.com/nextcloud/passman#support-passman)
* [Development](https://github.com/nextcloud/passman#development)
* [API](https://github.com/nextcloud/passman#api)
* [Docker](https://github.com/nextcloud/passman#docker)
* [Maintainers](https://github.com/nextcloud/passman#main-developers)
* [Contributors](https://github.com/nextcloud/passman#contributors)

## Screenshots
![Logged in to vault](http://i.imgur.com/ciShQZg.png)
![Credential selected](http://i.imgur.com/3tENldT.png)
![Edit credential](http://i.imgur.com/Iwm3hUe.png)
![Password tool](http://i.imgur.com/ZYkN70r.png)

For more screenshots: [Click here](http://imgur.com/a/giKVt)

## Features:
* Multiple vaults
* Vault keys are never sent to the server
* 256-bit AES-encrypted credentials (see [security](https://github.com/nextcloud/passman#security))
* User-defined custom credentials fields
* Built-in OTP (One Time Password) generator
* Password analyzer
* Securely share passwords internally and via link
* Import from various password managers:
  - KeePass
  - LastPass
  - DashLane
  - ZOHO
  - Clipperz.is
  - EnPass
  - [ocPasswords](https://github.com/fcturner/passwords)

Try a Passman demo [here](https://demo.passman.cc).

## Tested on
- Nextcloud 14

For older versions, see the [Releases tab](https://github.com/nextcloud/passman/releases).

## External apps
* [Firefox / Chrome extension](https://github.com/nextcloud/passman-webextension)
* [Android app](https://github.com/nextcloud/passman-android)

## Database Compatibility
| | Supported | Tested | Untested |
| :--- | :---: | :---: | :---: |
| SQLite | • | | |
| MySQL / MariaDB | • | | |
| travis | | • | |
| pgsql | | | • |

## Security
### Password generation
Passman can generate passwords *and* measure their strength using [zxcvbn](https://github.com/dropbox/zxcvbn).

![](http://i.imgur.com/2qVBUfM.png)

Generate passwords as you like

![](http://i.imgur.com/jcRicOV.png)

Passwords are generated using `sjcl` randomization.

### Storing credentials
All passwords are encrypted client side with [sjcl](https://github.com/bitwiseshiftleft/sjcl) using 256-bit AES.
You supply a vault key, which sjcl uses to encrypt your credentials. Your encrypted credentials are then sent to the server and encrypted again using the following routine:

* A key is generated using `passwordsalt` and `secret` from config.php *(so back those up)*.
* The key is [stretched](http://en.wikipedia.org/wiki/Key_stretching) using [Password-Based Key Derivation Function 2](http://en.wikipedia.org/wiki/PBKDF2) (PBKDF2).
* [Encrypt-then-MAC](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption) (EtM) is used to ensure encrypted data authenticity.
* OpenSSL is used with the `aes-256-cbc` cipher.
* The [initialization vector](http://en.wikipedia.org/wiki/Initialization_vector) (IV) is hidden.
* A [double Hash-based Message Authentication Code](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code) (HMAC) is applied for source data verification.
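
The building blocks in the list above, as an added Node.js sketch that is not Passman's server code: PBKDF2 stretching, `aes-256-cbc`, and Encrypt-then-MAC with the tag checked before decryption. The function names, iteration count, blob layout and the use of `secret` as the PBKDF2 password with `passwordsalt` as its salt are assumptions; IV hiding and the double HMAC are not reproduced.

```javascript
// Added example, not Passman's code. Names, work factor and layout are assumptions.
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv,
        createHmac, timingSafeEqual } = require('crypto');

const ITERATIONS = 100000;          // assumed work factor
const IV_LEN = 16, TAG_LEN = 32;    // AES block size, HMAC-SHA256 output

// Stretch the secret into 64 bytes and split them, so the cipher and the MAC
// never share a key.
function deriveKeys(secret, salt) {
  const okm = pbkdf2Sync(secret, salt, ITERATIONS, 64, 'sha512');
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

// Encrypt-then-MAC: the tag covers IV || ciphertext, never the plaintext.
function seal(plaintext, secret, salt) {
  const { encKey, macKey } = deriveKeys(secret, salt);
  const iv = randomBytes(IV_LEN);   // fresh random IV for every message
  const cipher = createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = createHmac('sha256', macKey).update(iv).update(ct).digest();
  return Buffer.concat([iv, ct, tag]);  // IV | ciphertext | tag
}

// Check the tag in constant time before touching the ciphertext, so a
// tampered blob never reaches the CBC padding check.
function unseal(blob, secret, salt) {
  if (blob.length < IV_LEN + 16 + TAG_LEN) throw new Error('blob too short');
  const { encKey, macKey } = deriveKeys(secret, salt);
  const iv = blob.subarray(0, IV_LEN);
  const ct = blob.subarray(IV_LEN, blob.length - TAG_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const expected = createHmac('sha256', macKey).update(iv).update(ct).digest();
  if (!timingSafeEqual(tag, expected)) throw new Error('authentication failed');
  const decipher = createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed stand-ins for `secret` and `passwordsalt` from config.php.
function demo() {
  const secret = 'constructed-secret', salt = 'constructed-passwordsalt';
  const blob = seal('vault-encrypted credential', secret, salt);
  const tampered = Buffer.from(blob);
  tampered[IV_LEN] ^= 0x01;         // flip one ciphertext bit
  let rejected = false;
  try { unseal(tampered, secret, salt); } catch (e) { rejected = true; }
  return { roundTrip: unseal(blob, secret, salt), rejected };
}
console.log(demo());
```

Because both keys come from `secret` and `passwordsalt`, losing either value makes every stored blob fail authentication, which is why the list says to back them up.
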
### Sharing credentials
Passman allows users to share passwords. *(Administrators may disable this feature.)*
## API
Passman offers a [developer API](https://github.com/nextcloud/passman/wiki/API).

## Support Passman
Passman is open source but we’ll gladly accept a beer *or pizza!* Please consider donating:

* [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6YS8F97PETVU2)
* [Patreon](https://www.patreon.com/user?u=4833592)
* [Flattr](https://flattr.com/@passman)
* bitcoin: 1H2c5tkGX54n48yEtM4Wm4UrAGTW85jQpe

## Code reviews
If you have any code improvements:

* Clone us
* Make your edits
* Add your name to the contributors
* Send a [PR](https://github.com/nextcloud/passman/pulls)

Or, if you’re feeling lazy, create an issue and we’ll think about it.

## Docker
To run Passman with [Docker](https://www.docker.com/), use our test Docker image. Supply your own self-signed SSL certs or use [Let’s Encrypt](https://letsencrypt.org/). Please note: the Docker image is for _testing *only*_, because the database user and password are hardcoded.

If you’d like to *spice up* our Passman Docker image into a full-fledged, production-ready install, you’re welcome to do so. Please note:

* Ports 80 and 443 are used
* SSL is enabled (or disabled if no certs are found)
* Container startup time must be less than 15 seconds

Example:
```
docker run -p 8080:80 -p 8443:443 -v /directory/cert.pem:/data/ssl/cert.pem -v /directory/cert.key:/data/ssl/cert.key brantje/passman
```
If you want a production-ready container, use the [Nextcloud Docker](https://hub.docker.com/_/nextcloud/) and install Passman as an app.

## Development
* Passman uses a single `.js` file for templates, which minimizes XHR template requests.
* CSS uses SASS, so Ruby and SASS must be installed.
* `templates.js` and the CSS are built with `grunt`.
* Watch for changes using `grunt watch`.
* Run unit tests: install phpunit globally, set up environment variables in the `launch_phpunit.sh` script, and run the script. All arguments passed to `launch_phpunit.sh` are forwarded to phpunit.

## Main developers
* Brantje
* Animalillo
## Contributors
Add yours when creating a [pull request](https://help.github.com/articles/creating-a-pull-request/)!

* Newhinton

## FAQ
**Are you adding something to check if malicious code is executing on the browser?**

No, because malicious code can edit functions that check for malicious code.