Update documentation and fix javascript bug (substr not allowed)
This commit is contained in:
parent
5e7073fbdd
commit
aad001bb25
|
@ -5,20 +5,21 @@ Introduction
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Everyday we have a lot of passwords to manage corresponding to a lot of accounts we use. It's hard to remain all of these, moreover if we don't use it often. So, what we most people do is to generate only a subset of passwords easy to remain. This implies two common errors :
|
Everyday we have a lot of passwords to manage corresponding to a lot of accounts we use. It's hard to remain all of these, moreover if we don't use it often. So, what we most people do is to generate only a subset of passwords easy to remain. This implies two common errors :
|
||||||
|
|
||||||
* Password are not very strong
|
* Password are not very strong
|
||||||
* We use them for multiple accounts
|
* We use them for multiple accounts
|
||||||
|
|
||||||
The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords and for each login/password tuple you chose, gPass returns the real password by querying a password server.
|
The best way to avoid these errors is to have a unique strong password for each account. gPass helps to reach this goal : you keep a subset of passwords and for each login/password tuple you chose, gPass returns the real password by querying a password server.
|
||||||
|
|
||||||
To have a high level of security, all information is stored encrypted. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information !
|
To have a high level of security, all information is stored encrypted. The decryption is done on the fly when it's needed and only with user input. So, a hacker can get your password database, it will not be able to see any information (except if it bruteforce your masterkey) !
|
||||||
|
|
||||||
This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and home hostable. Moreover, with gPass, you can have multiple master key !
|
This addon is like [last pass](https://lastpass.com/) one, but I wanted it to be open source and home hostable (be careful on server down !). Moreover, with gPass, you can have multiple master key !
|
||||||
|
|
||||||
|
|
||||||
Usage
|
Usage
|
||||||
-----
|
-----
|
||||||
|
|
||||||
The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong password, there is a password generator. After that, configure your addon in addons -> gPass -> preferences to point to your password server.
|
The first thing to do is to populate your database (from your/a password server) with login/password/master key values. If you want to make strong password, there is a password generator. After that, configure your addon in addons -> gPass -> preferences to point to your password server (+ username).
|
||||||
|
|
||||||
When you're in a login form and you want to use gPass. Type your login and fill "@@masterkey" in password field. Then, submit and password willll automatically be replaced by the one in the database (after decryption).
|
When you're in a login form and you want to use gPass. Type your login and fill "@@masterkey" in password field. Then, submit and password willll automatically be replaced by the one in the database (after decryption).
|
||||||
|
|
||||||
|
@ -26,12 +27,30 @@ When you're in a login form and you want to use gPass. Type your login and fill
|
||||||
Technique
|
Technique
|
||||||
---------
|
---------
|
||||||
|
|
||||||
The only two columns in database are "login" and "password".
|
The two columns in database are "login" and "password".
|
||||||
login is compounded by "@@domain;login" encrypted with AES 256
|
login is compounded by "@@domain;login" encrypted with AES 256
|
||||||
password encrypted with AES 256
|
password is salted and encrypted with AES 256
|
||||||
|
|
||||||
The key that encrypt these fields is sha256(masterkey)
|
The key that encrypt these fields is sha256(masterkey)
|
||||||
|
|
||||||
|
For now the only addons is done for firefox. Server side is written in PHP (with SQLite3 for database component).
|
||||||
|
|
||||||
|
|
||||||
|
Server
|
||||||
|
------
|
||||||
|
|
||||||
|
You just have to copy server files in a directory read/write for www-data. A sample apache2 configuration file is available in ressources.
|
||||||
|
|
||||||
|
You can activate/deactivate view of ciphered passwords by setting $VIEW_CIPHERED_PASSWORDS in index.php
|
||||||
|
|
||||||
|
A demonstration server is available [here](http://gpass-demo.soutade.fr). It's the default server of XPI package.
|
||||||
|
|
||||||
|
|
||||||
|
Client
|
||||||
|
------
|
||||||
|
|
||||||
|
Just install xpi package. You can have debug information by setting DEBUG in main.js.
|
||||||
|
|
||||||
|
|
||||||
Licence
|
Licence
|
||||||
-------
|
-------
|
||||||
|
|
|
@ -124,9 +124,11 @@ function on_sumbit()
|
||||||
// gPassRequest.addEventListener("progress", function(evt) { ; }, false);
|
// gPassRequest.addEventListener("progress", function(evt) { ; }, false);
|
||||||
gPassRequest.addEventListener("load", function(evt) {
|
gPassRequest.addEventListener("load", function(evt) {
|
||||||
r = this.responseText.split("\n");
|
r = this.responseText.split("\n");
|
||||||
|
debug("resp " + r);
|
||||||
if (r[0] != "<end>" && r[0].startsWith("pass="))
|
if (r[0] != "<end>" && r[0].startsWith("pass="))
|
||||||
{
|
{
|
||||||
ciphered_password = r[0].susbtr(5);
|
ciphered_password = r[0].split("=");
|
||||||
|
ciphered_password = ciphered_password[1];
|
||||||
debug("Ciphered password : " + ciphered_password);
|
debug("Ciphered password : " + ciphered_password);
|
||||||
clear_password = aes.decryptLongString(hex2a(ciphered_password), aes.init(hex2a(mkey)));
|
clear_password = aes.decryptLongString(hex2a(ciphered_password), aes.init(hex2a(mkey)));
|
||||||
aes.finish();
|
aes.finish();
|
||||||
|
@ -159,7 +161,8 @@ function on_sumbit()
|
||||||
});
|
});
|
||||||
|
|
||||||
}, false);
|
}, false);
|
||||||
gPassRequest.open("POST", prefSet.prefs["account_url"], true);
|
debug("connect to " + prefSet.prefs["account_url"]);
|
||||||
|
gPassRequest.open("POST", prefSet.prefs["account_url"], false);
|
||||||
gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
|
gPassRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
|
||||||
gPassRequest.send(keys);
|
gPassRequest.send(keys);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user