CD2H gitForager

nextcloud/passman

Name: passman

Owner: Nextcloud

Description: ? Passman is a password manager for Nextcloud. Demo: https://demo.passman.cc Twitter: @passmancc

Created: 2016-09-07 11:30:00.0

Updated: 2018-05-23 15:30:55.0

Pushed: 2018-05-23 00:38:08.0

Homepage: https://passman.cc

Size: 6666

Language: JavaScript

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

Passman

Passman is a full featured password manager.

Screenshots

Logged in to vault

Credential selected

Edit credential

Password tool

For more screenshots: Click here

Features:

Vaults
Vault key is never sent to the server
Credentials are stored with 256 bit AES (see security)
Ability to add custom fields to credentials
Built-in OTP(One Time Password) generator
Password analyzer
Share passwords internally and via link in a secure manner.
Import from various password managers:
KeePass
LastPass
DashLane
ZOHO
Clipperz.is
EnPass
ocPasswords

For a demo of this app visit https://demo.passman.cc

Tested on

NextCloud 10 / 11
ownCloud 9.1+

External apps

Supported databases

SQL Lite*
MySQL / MariaDB*

*Tested on travis

Untested databases:

pgsql

Security

Password generation

Passman features a build in password generator. Not it only generates passwords, but it also measures their strength using zxcvbn.

Generate passwords as you like

Passwords are generated using the random functions from sjcl.

Storing credentials

All passwords are encrypted client side using sjcl which uses AES-256 bit. Users supply a vault key which is feed into sjcl as encryption key. After the credentials are encrypted they are send to the server, there they will be encrypted again. This time using the following routine:

A key is generated using passwordsalt and secret from config.php so back those up
Then the key is stretched using Password-Based Key Derivation Function 2 (PBKDF2).
Encrypt-then-MAC (EtM) is used for ensuring the authenticity of the encrypted data.
Uses openssl with the aes-256-cbc ciper.
Initialization vector (IV) is hidden
Double Hash-based Message Authentication Code (HMAC) is applied for verification of the source data.

Sharing credentials.

Passman allows users to share passwords (this can be turned off by an administrator).

API

For developers Passman offers an api.

Support Passman

Passman is open source, and we would gladly accept a beer (or pizza!)
Please consider donating

PayPal
Patreon
Flattr
bitcoin: 1H2c5tkGX54n48yEtM4Wm4UrAGTW85jQpe

Code reviews

If you have any improvements regarding our code. Please do the following

Clone us
Make your edits
Add your name to the contributors
Send a PR

Or if you're feeling lazy, create an issue, and we'll think about it.

Docker

To run Passman with Docker you can use our test docker image. You have to supply your own SSL certs, self signed or Let's encrypt it doesn't matter.
Please note that the docker is only for testing purposes, as database user / password are hardcoded.

If you like to spiece up our docker image and make it a full fledged secure, production ready install, you're welcome to do so.
Please note that:

Port 80 and 443 are used
SSL is enabled (or disabled if certs not found)
Startup time of container must be less than 15 seconds

Example:

er run -p 8080:80 -p 8443:443 -v /directory/cert.pem:/data/ssl/cert.pem -v /directory/cert.key:/data/ssl/cert.key brantje/passman

If you want a production ready container you can use the Nextcloud docker, and install passman as an app.

Development

Passman uses a single .js file for the templates. This gives the benefit that we don't need to request every template with XHR.
For CSS we use SASS so you need ruby and sass installed.
templates.js and the CSS are built with grunt. To watch for changes use grunt watch To run the unit tests install phpunit globally, and setup the environment variables on the launch_phpunit.sh script then just run that script, any arguments passed to this script will be forwarded to phpunit.

Main developers

Brantje
Animalillo

Contributors

Add yours when creating a pull request!

None

FAQ

Are you adding something to check if malicious code is executing on the browser?
No, because malicious code could edit the functions that check for malicious code.

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.