gPass : global Password
=======================
Introduction
------------
Every day we have a lot of passwords to manage, corresponding to the many accounts we use. It's hard to remember all of them, especially for accounts we don't use often. So what most people do is rely on only a small subset of passwords that are easy to remember. This leads to two common errors:

* Passwords are not very strong
* We use them for multiple accounts

The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal: you keep a subset of passwords, and for each login/password tuple you choose, gPass returns the real password by querying a password server.

To have a high level of security, all information is stored encrypted. Decryption is done on the fly when it's needed and only with user input. So even if a hacker gets your password database, they will not be able to see any information (unless they brute-force your master key)!

This addon is like the [LastPass](https://lastpass.com/) one, but I wanted it to be open source and hostable at home (be careful when the server is down!). Moreover, with gPass, you can have multiple master keys!

Usage
-----
The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong passwords, there is a password generator. After that, configure your addon in addons -> gPass -> preferences to point to your password server (+ username).

When you're on a login form and want to use gPass, type your login and enter "@@masterkey" in the password field. Then submit, and the password will automatically be replaced by the one from the database (after decryption).

Technique
---------
The two columns in the database are "login" and "password".

* login is composed of "@@domain;login", encrypted with AES 256
* password is salted and encrypted with AES 256

The key that encrypts these fields is sha256(masterkey).
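
The key derivation described above, as an added Node.js example that is not taken from the gPass source: it builds the "login" plaintext and the key as this section states them, then contrasts the single unsalted SHA-256 with a salted, iterated PBKDF2 derivation. The PBKDF2 variant, the function names, the salts and the sample values are assumptions made for illustration.

```javascript
// Added example (Node.js); not code from the gPass repository.
const crypto = require('crypto');

// Plaintext of the "login" column as the README gives it: "@@domain;login".
function loginPlaintext(domain, login) {
  return `@@${domain};${login}`;
}

// Key derivation as the README states it: key = sha256(masterkey).
// One unsalted hash: the same master key always yields the same key.
function readmeKey(masterKey) {
  return crypto.createHash('sha256').update(masterKey, 'utf8').digest();
}

// Assumed hardened alternative (not described by the README):
// PBKDF2-HMAC-SHA256 with a per-user salt and many iterations.
function stretchedKey(masterKey, salt, iterations = 100000) {
  return crypto.pbkdf2Sync(masterKey, salt, iterations, 32, 'sha256');
}

// Average wall-clock milliseconds for one derivation, i.e. what each
// master-key guess costs someone holding a copy of the database.
function msPerDerivation(derive, rounds) {
  const start = process.hrtime.bigint();
  for (let i = 0; i < rounds; i++) derive(`guess-${i}`);
  return Number(process.hrtime.bigint() - start) / 1e6 / rounds;
}

// Constructed sample salts (hypothetical values).
const saltA = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const saltB = Buffer.from('ffeeddccbbaa99887766554433221100', 'hex');

function demo() {
  return {
    plaintext: loginPlaintext('example.org', 'alice'),
    unsaltedKeyIsShared: readmeKey('hunter2').equals(readmeKey('hunter2')),
    saltSeparatesUsers:
      !stretchedKey('hunter2', saltA).equals(stretchedKey('hunter2', saltB)),
    fastMs: msPerDerivation(readmeKey, 1000),
    slowMs: msPerDerivation((guess) => stretchedKey(guess, saltA), 3),
  };
}

console.log(demo());
```

Because the key is a single fast hash of the master key, the strength of the master key itself is what protects a database that has been copied.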
For now, the only addon is for Firefox. The server side is written in PHP (with SQLite3 as the database component).

Server
------
You just have to copy the server files into a directory that www-data can read and write. A sample apache2 configuration file is available in ressources.

You can activate/deactivate the view of ciphered passwords by setting $VIEW_CIPHERED_PASSWORDS in index.php.

A demonstration server is available [here](http://gpass-demo.soutade.fr). It's the default server of the XPI package.

Client
------
Just install the xpi package. You can get debug information by setting DEBUG in main.js.

Licence
-------
All the code is licensed under GPL v3. Source code is available [here](http://indefero.soutade.fr/p/gpass).