gPass : Password manager for Firefox and Chrome
Everyday we have a lot of passwords to manage corresponding to a lot of accounts we use. It's hard to remain all of these, moreover if we don't use it often. So, what most people do is to generate only a subset of passwords easy to remain. This implies two common errors :
- Password are not very strong
- We use them for multiple accounts
The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords (called masterkey) and for each login/masterkey tuple you chose, gPass returns the real password by querying a password server.
To have a high level of security, all information is stored encrypted (server side). Nothing is stored on client. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information (except if it brute force or leak your masterkey) ! So it's important to choose a strong masterkey !
This addon is like last pass one, but I wanted it to be open source and self hostable (be careful on server down !). Moreover, with gPass, you can have multiple master keys !
The first thing to do is to populate your database (from your/a password server) with website address/login/password/master key values. You can use "*" character to access to all subdomains of a specific website (ie *.google.com). If you want to make a strong password, there is a password generator. After that, configure your addon in "tools -> addons -> gPass -> preferences" in Firefox or "More tools -> extensions -> gPass -> options" in Chrome to point to your password server (+ username). Don't forget to enable addon within private mode. Be careful, login and password are case sensitive !
When you're in a login form and you want to use gPass, type your login (case sensitive !) and fill "@@masterkey" in password field (only if gPass icon is green !). Then submit and password will automatically be replaced by the one in the database (after addon decrypt it).
You can also type "@_masterkey" to only replace your password without automatic submit. This allows to support more websites.
Another option is to enter your credentials in the new popup menu by clicking on gPass icon. If it's possible, gPass will auto fill password field, if not result password is stored into your clipboard. Popup path is a safest method as website page will never see your masterkey.
** Warning ** : Sometimes, addon could make some websites unusable, especially for login form. In this case, you can deactivate it for only one website by clicking right on gPass icon and "disable or enable gPass for this website" in addon menu. It's a local configuration, so it must be done for each browser. gPass can also be disabled for ALL websites thanks to addon menu "Disable or enable gPass for ALL websites". When gPass is disabled, you can still use popup feature.
The two main columns in database are "login" and "password". login is compounded by "domain;login", salted and encrypted with AES 256-CBC
The real key that encrypts these fields is PBKDF2 (hmac-sha256, masterkey, password_server_url, 1000, 256), IV is PBKDF2 (hmac-sha256, password_server_url, masterkey, 1000, 256)
PBKDF2 level can be changed by user.
Server side is written in PHP (with SQLite3 for database component).
To host a password server, you need a webserver. Just copy server files in a directory read/write for web server user (www-data). A sample apache2 configuration file is available in resources. Since v0.8 and the use of Crypto API, it's manadatory to have an HTTPS access (valid SSL/TLS certificate) to the server. Without that, the decryption will fails.
Configuration parameters are in conf.php
A demonstration server is available here. It's the default server configuration for fresh installed addon (user demo).
Warning The master key derivation is partially based on account URL. So it's linked to your current server information. You can't move databases from servers with different URLs, you need to export them and import it again.
Server side is available here
Version 0.6 introduces shadow logins. It's a protection again illegal database dump and purge but requires twice computation. Database update is transparent.
The principle is to generate a random value (shadow login) that must be encrypted with the masterkey to get an access token. This access token allows to get the true (but encrypted) login/password couple. It's a kind of challenge : if I can encrypt the shadow login, I know the masterkey ! For security reason, the derivation of masterkey for deciphering passwords is different than for encrypting shadow logins (it uses its own salt). It's enabled by default.
Just install the package. You can have debug information by setting DEBUG in main.js.
Command line interface
A command line interface is also available with the following usage :
Usage: ./gpass_cli [-f config_file] [-p server_port] [-c CA_certificate_path] [-l PBKDF2_level] [-s gpass_server] [-v] -d domain -u username
You can save recurrent parameters into a configuration file. Default config file is found at $HOME/.local/share/gpass/gpass.ini
The dependencies are libcurl and OpenSSL (-dev packages : ie libcurl4-openssl-dev and libssl-dev)
A sample configuration file is available gpass.ini.sample
Current version is 1.1.
All the code is licensed under GPL v3. Source code is available here.
Addon * Add always_disabled feature * Fix bug in gpass icon management * Set activated icon only when a username is filled * Add a checkbox to only copy password into clipboard from popup (and a default behaviour from options)
- Add clear form button for "Add new password" div
- If we have a current URL in add form and we have a password entry that match this URL, go to the last when all is deciphered
Addon * Remove old v1 crypto functions & compatibility * Remove old firefox addon code * Remove block_url feature to increase websites compatibility * Force copy password into clipboard for @_ request from popup even if we can fill it * Fix a bug: wait for promise before displaying message for clipboard pasted password
- Add support for user & url parameters from gPass popup
- Fix some minor bugs
- Scroll to page bottom when user adds a new password
- Run a simpler algorithm for wildcard domains
- Run a simpler algorithm for wildcard domains
- Clear master keys and reset passwords after 15 minutes of inactivity
- Set USE_SHADOW_LOGINS by default
- New crypto scheme (Use CBC chaining and fix a security problem with salt) and protocol v4. not backward compatible with v3
- Add QUnit tests
- New password form is now on top of the page
- Add a button to go to the top of the page when scrolling
- Add simple password button
- Rework password generation for most user friendly passwords (less special characters, more letters)
- New webextension for Firefox is provided. It shares most of code with Chrome extension and use native crypto API
- Block connection when masterkey is sent in clear (password replacement failed). Doesn't work with Firefox
- Add command line interface (CLI)
- Fix a bug for Chrome browser (doesn't support default parameters)
- Display an error message when a query fails
- You can now export clear password database (only unciphered passwords)
- New database version : 2
- Add two new protections : REQUESTS_MIN_DELAY and MAX_PASSWORDS_PER_REQUEST (see conf.php)
- Remove '\' character from password generation
- Addon is now compatible with more websites
- Use jpm building tool instead of cfx for Firefox Addon
**v0.6 : **
- Add support for "@_masterkey" input
gPass announce list : email@example.com