Big update:
* Move all core functions from mains.js to background.js
* Use message interface for IPCs between main.js, background.js and popup.js
* Add popup interface :
* safest method to compute masterkey
* Direct access to our own gPass server with auto URL and username fill
* Add some specific menus :
* Access to gPass settings
* Allow to disable extension
* Update gPass icon when a password field has focus and gPass is ready to work
This commit is contained in:
20
README.md
20
README.md
@@ -11,7 +11,7 @@ Everyday we have a lot of passwords to manage corresponding to a lot of accounts
|
||||
|
||||
The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords (called masterkey) and for each login/password tuple you chose, gPass returns the real password by querying a password server.
|
||||
|
||||
To have a high level of security, all information is stored encrypted (server side). Nothing is stored on client. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information (except if it brute force your masterkey) ! So it's important to choose to strong masterkey !
|
||||
To have a high level of security, all information is stored encrypted (server side). Nothing is stored on client. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information (except if it brute force or leak your masterkey) ! So it's important to choose to strong masterkey !
|
||||
|
||||
This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and self hostable (be careful on server down !). Moreover, with gPass, you can have multiple master keys !
|
||||
|
||||
@@ -19,17 +19,20 @@ This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be
|
||||
Usage
|
||||
-----
|
||||
|
||||
The first thing to do is to populate your database (from your/a password server) with website/login/password/master key values. You can use "*" character to access to all sub domains of a specific website. If you want to make strong password, there is a password generator. After that, configure your addon in "tools -> addons -> gPass -> preferences" in Firefox or "addons -> gPass -> options" in Chrome to point to your password server (+ username). Be careful, login and password are case sensitive.
|
||||
The first thing to do is to populate your database (from your/a password server) with website/login/password/master key values. You can use "*" character to access to all sub domains of a specific website. If you want to make strong password, there is a password generator. After that, configure your addon in "tools -> addons -> gPass -> preferences" in Firefox or "addons -> gPass -> options" in Chrome to point to your password server (+ username). For firefox users, don't forget to enable addon within private mode. Be careful, login and password are case sensitive !
|
||||
|
||||
When you're in a login form and you want to use gPass, type your login (case sensitive !) and fill "@@masterkey" in password field. Then submit and password will automatically be replaced by the one in the database (after addon decrypt it).
|
||||
|
||||
**You can also type "@_masterkey" to only replace your password without submitting and manually submit. This allows to support more websites.**
|
||||
|
||||
Another option is to enter your credentials in the new popup menu. If found, password will be stored in your clipboard.
|
||||
|
||||
|
||||
Technical details
|
||||
-----------------
|
||||
|
||||
The two columns in database are "login" and "password".
|
||||
login is compounded by "domain;login" is salted and encrypted with AES 256-CBC
|
||||
login is compounded by "domain;login", salted and encrypted with AES 256-CBC
|
||||
|
||||
The key that encrypt these fields is PBKDF2 (hmac-sha256, masterkey, password_server_url, 1000, 256), IV is PBKDF2 (hmac-sha256, password_server_url, masterkey, 1000, 256)
|
||||
|
||||
@@ -41,11 +44,11 @@ Server side is written in PHP (with SQLite3 for database component).
|
||||
Server
|
||||
------
|
||||
|
||||
To host a password server, you need a webserver. Just copy server files in a directory read/write for web server user (www-data). A sample apache2 configuration file is available in resources. Since v0.8 and the use of Crypto API, it's manadatory to have an HTTPS access to the server. Without that, the decryption will fails.
|
||||
To host a password server, you need a webserver. Just copy server files in a directory read/write for web server user (www-data). A sample apache2 configuration file is available in resources. Since v0.8 and the use of Crypto API, **it's manadatory to have an HTTPS access to the server**. Without that, the decryption will fails.
|
||||
|
||||
Configuration parameters are in conf.php
|
||||
|
||||
A demonstration server is available [here](https://gpass-demo.soutade.fr). It may not works with HTTPS content because it uses a self-signed SSL certificate. If so, explicitly add the certificate to your browser. It's the default server of package (user demo).
|
||||
A demonstration server is available [here](https://gpass-demo.soutade.fr). It's the default server of package (user demo).
|
||||
|
||||
**Warning** The master key derivation is partially based on account URL. So it's linked to your current server information. You can't move databases from servers with different URLs, you need to export them and import again.
|
||||
|
||||
@@ -55,11 +58,13 @@ Version 0.6 introduces shadow logins. It's a protection again illegal database d
|
||||
|
||||
The principle is to generate a random value (shadow login) that must be encrypted with the masterkey to get an access token. This access token allows to get the true (but encrypted) login/password couple. It's a kind of challenge : if I can encrypt the shadow login, I know the masterkey ! For security reason, the derivation of masterkey for deciphering passwords is different than for encrypting shadow logins (it uses its own salt).
|
||||
|
||||
|
||||
Client
|
||||
------
|
||||
|
||||
Just install the package. You can have debug information by setting DEBUG in main.js.
|
||||
|
||||
|
||||
Command line interface
|
||||
----------------------
|
||||
|
||||
@@ -73,17 +78,16 @@ The dependencies are libcurl and OpenSSL (-dev packages : ie _libcurl4-openssl-d
|
||||
|
||||
A sample configuration file is available _gpass.ini.sample_
|
||||
|
||||
|
||||
Version Information
|
||||
-------------------
|
||||
|
||||
Current version is 0.8. **(not compatible with 0.7)**
|
||||
Current version is 0.9. **(not compatible with 0.7)**
|
||||
|
||||
Firefox will remove support for addons, so the gPass addon code is not supported since v0.8, please migrate to webextension.
|
||||
|
||||
Transition from v0.7 to v0.8 : **Please update your masterkey (even with the same one) to gain a security level of your passwords's wallet.**
|
||||
|
||||
**This version is incompatible from 0.1**. Please use [this script](http://soutade.fr/files/gpass_migrate_0_1.php) to migrate.
|
||||
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
Reference in New Issue
Block a user