# Passman
Passman is a full-featured password manager.
[![Build Status ](https://travis-ci.org/nextcloud/passman.svg?branch=master )](https://travis-ci.org/nextcloud/passman)
[![Docker Automated build](https://img.shields.io/docker/build/brantje/passman.svg)](https://hub.docker.com/r/brantje/passman/)
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/749bb288c9fd4592a73056549d44a85e)](https://www.codacy.com/app/brantje/passman?utm_source=github.com&utm_medium=referral&utm_content=nextcloud/passman&utm_campaign=Badge_Grade)
[![Codacy Badge](https://api.codacy.com/project/badge/Coverage/749bb288c9fd4592a73056549d44a85e)](https://www.codacy.com/app/brantje/passman?utm_source=github.com&utm_medium=referral&utm_content=nextcloud/passman&utm_campaign=Badge_Coverage)
[![Scrutinizer Code Quality ](https://scrutinizer-ci.com/g/nextcloud/passman/badges/quality-score.png?b=master )](https://scrutinizer-ci.com/g/nextcloud/passman/?branch=master)
## Contents
* [Screenshots ](https://github.com/nextcloud/passman#Screenshots )
* [Features ](https://github.com/nextcloud/passman#features )
* [External apps ](https://github.com/nextcloud/passman#external-apps )
* [Security ](https://github.com/nextcloud/passman#security )
* [Password generation ](https://github.com/nextcloud/passman#password-generation )
* [Storing credentials ](https://github.com/nextcloud/passman#storing-credentials )
* [Support passman ](https://github.com/nextcloud/passman#support-passman )
* [API ](https://github.com/nextcloud/passman#api )
* [Docker ](https://github.com/nextcloud/passman#docker )
* [Maintainers ](https://github.com/nextcloud/passman#main-developers )
* [Contributors ](https://github.com/nextcloud/passman#contributors )
## Screenshots
![Logged in to vault ](http://i.imgur.com/ciShQZg.png )
![Credential selected ](http://i.imgur.com/3tENldT.png )
![Edit credential ](http://i.imgur.com/Iwm3hUe.png )
![Password tool ](http://i.imgur.com/ZYkN70r.png )
For more screenshots: [Click here ](http://imgur.com/a/giKVt )
## Features:
- Vaults
- Vault key is never sent to the server
- Credentials are stored with 256 bit AES (see [security ](https://github.com/nextcloud/passman#security ))
- Ability to add custom fields to credentials
- Built-in OTP (One Time Password) generator
- Password analyzer
- Share passwords internally and via link in a secure manner.
- Import from various password managers:
  - KeePass
  - LastPass
  - DashLane
  - ZOHO
  - Clipperz.is
  - EnPass
  - [ocPasswords](https://github.com/fcturner/passwords)

For a demo of this app visit [https://demo.passman.cc ](https://demo.passman.cc )
## Tested on
- Nextcloud 10 / 11
- ownCloud 9.1+
## External apps
- [Firefox / Chrome extension](https://github.com/nextcloud/passman-webextension)
- [Android app ](https://github.com/nextcloud/passman-android )
## Supported databases
- SQLite*
- MySQL / MariaDB*

*Tested on Travis

Untested databases:
- pgsql
## Security
### Password generation
Passman features a built-in password generator.
Not only does it generate passwords, it also measures their strength using [zxcvbn](https://github.com/dropbox/zxcvbn).
![](http://i.imgur.com/2qVBUfM.png)
Generate passwords as you like
![](http://i.imgur.com/jcRicOV.png)
Passwords are generated using the random functions from `sjcl`.
### Storing credentials
All passwords are encrypted client side using [sjcl](https://github.com/bitwiseshiftleft/sjcl), which uses 256-bit AES.
Users supply a vault key, which is fed into sjcl as the encryption key.
After the credentials are encrypted they are sent to the server, where they are encrypted again,
this time using the following routine:
- A key is generated using `passwordsalt` and `secret` from config.php *so back those up*
- Then the key is [stretched ](http://en.wikipedia.org/wiki/Key_stretching ) using [Password-Based Key Derivation Function 2 ](http://en.wikipedia.org/wiki/PBKDF2 ) (PBKDF2).
- [Encrypt-then-MAC ](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption ) (EtM) is used for ensuring the authenticity of the encrypted data.
- Uses openssl with the `aes-256-cbc` cipher.
- [Initialization vector ](http://en.wikipedia.org/wiki/Initialization_vector ) (IV) is hidden
- [Double Hash-based Message Authentication Code ](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code ) (HMAC) is applied for verification of the source data.
### Sharing credentials.
Passman allows users to share passwords (this can be turned off by an administrator).
## API
For developers, Passman offers an [API](https://github.com/nextcloud/passman/wiki/API).
## Support Passman
Passman is open source, and we would gladly accept a beer (or pizza!).
Please consider donating:
- [PayPal ](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=6YS8F97PETVU2 )
- [Patreon ](https://www.patreon.com/user?u=4833592 )
- [Flattr ](https://flattr.com/@passman )
- bitcoin: 1H2c5tkGX54n48yEtM4Wm4UrAGTW85jQpe
## Code reviews
If you have any improvements regarding our code, please do the following:
- Clone us
- Make your edits
- Add your name to the contributors
- Send a [PR ](https://github.com/nextcloud/passman/pulls )
Or if you're feeling lazy, create an issue, and we'll think about it.
## Docker
To run Passman with [Docker](https://www.docker.com/) you can use our test Docker image.
You have to supply your own SSL certs; self-signed or Let's Encrypt, it doesn't matter.
Please note that the Docker image is only for testing purposes, as the database user / password are hardcoded.
If you would like to spice up our Docker image and make it a full-fledged, secure, production-ready install, you're welcome to do so.
Please note that:
- Port 80 and 443 are used
- SSL is enabled (or disabled if certs not found)
- Startup time of container must be less than 15 seconds
Example:
```
docker run -p 8080:80 -p 8443:443 -v /directory/cert.pem:/data/ssl/cert.pem -v /directory/cert.key:/data/ssl/cert.key brantje/passman
```
If you want a production ready container you can use the [Nextcloud docker ](https://hub.docker.com/_/nextcloud/ ), and install passman as an app.
## Development
Passman uses a single `.js` file for the templates. This gives the benefit that we don't need to request every template with XHR.
For CSS we use SASS so you need ruby and sass installed.
`templates.js` and the CSS are built with `grunt`.
To watch for changes use `grunt watch`.
To run the unit tests, install phpunit globally and set up the environment variables in the `launch_phpunit.sh` script, then run that script. Any arguments passed to the script are forwarded to phpunit.
## Main developers
- Brantje
- Animalillo
## Contributors
Add yours when creating a [pull request ](https://help.github.com/articles/creating-a-pull-request/ )!
- None
## FAQ
**Are you adding something to check if malicious code is executing on the browser?**
No, because malicious code could edit the functions that check for malicious code.