
Copyright (C) 2013-2017 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <>.
Whether the user interface displays ciphered passwords. Setting this to false avoids database leakage through the user interface (but not through a raw HTTP request).
Allow user creation.
Number of iterations for the PBKDF2 algorithm.
The minimum recommended level is 1000, but you can increase
this value for better security (at the cost of more computation).
!! Warning !! This impacts master keys: if you change
this value while master keys already exist, they will become unusable!
This is a security feature: it protects against database dump
and database purge without authentication.
When getting all entries, instead of returning logins/passwords,
it returns "shadow logins", which are random values.
Shadow logins must be encrypted using the master key and a salt
(to generate a unique PBKDF2 derivation); the result is an access token.
With this access token, the user has the right to get the
encrypted login/password values and to remove them.
It is a kind of challenge, but it requires more CPU
(one derivation + two decryptions for each password!).
This option is backward compatible with old versions < 0.6.
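The shadow-login challenge described above, and the PBKDF2 iteration warning from the previous option, as an added example that is not gPass's own code: the server hands out only random shadow logins, the client answers with a token derived from the master key, and the encrypted pair is released only when the token matches. Assumed details: PBKDF2-HMAC-SHA256 with a per-entry salt, HMAC standing in for the encryption step, constructed sample values.

```python
import hashlib
import hmac
import secrets

PBKDF2_LEVEL = 1000  # iteration count; the minimum the config comments recommend


def derive_key(master_key: str, salt: bytes, iterations: int = PBKDF2_LEVEL) -> bytes:
    """Derive a key from the master key and a salt (PBKDF2-HMAC-SHA256 is assumed)."""
    return hashlib.pbkdf2_hmac("sha256", master_key.encode(), salt, iterations, dklen=32)


def access_token(derived_key: bytes, shadow_login: bytes) -> bytes:
    """Client side: turn a shadow login into an access token.
    Assumption: HMAC stands in for the deterministic encryption gPass applies;
    the page only says the encrypted shadow login is the token."""
    return hmac.new(derived_key, shadow_login, hashlib.sha256).digest()


class ShadowStore:
    """Server side: each entry keeps a random shadow login, its own salt, the token
    registered at creation time and the still-encrypted login/password (constructed)."""

    def __init__(self) -> None:
        self.entries: dict[bytes, tuple[bytes, bytes, bytes, bytes]] = {}

    def add_entry(self, master_key: str, enc_login: bytes, enc_password: bytes,
                  iterations: int = PBKDF2_LEVEL) -> bytes:
        shadow, salt = secrets.token_bytes(16), secrets.token_bytes(16)
        token = access_token(derive_key(master_key, salt, iterations), shadow)
        self.entries[shadow] = (salt, token, enc_login, enc_password)
        return shadow

    def list_shadow_logins(self) -> list[tuple[bytes, bytes]]:
        """What 'get all entries' returns with the feature on: (shadow login, salt) only."""
        return [(s, rec[0]) for s, rec in self.entries.items()]

    def fetch(self, shadow: bytes, token: bytes):
        """Release the encrypted pair only for a matching token (constant-time compare)."""
        rec = self.entries.get(shadow)
        if rec is None or not hmac.compare_digest(rec[1], token):
            return None
        return rec[2], rec[3]


def challenge_round(store: ShadowStore, master_key: str,
                    iterations: int = PBKDF2_LEVEL) -> int:
    """Client answers the challenge for every entry: one PBKDF2 derivation per
    shadow login (the CPU cost the comments warn about). Returns entries unlocked."""
    unlocked = 0
    for shadow, salt in store.list_shadow_logins():
        token = access_token(derive_key(master_key, salt, iterations), shadow)
        unlocked += store.fetch(shadow, token) is not None
    return unlocked
```

Running `challenge_round` with a different iteration count than the one used at creation unlocks nothing, which is the "existing master keys become unusable" effect the PBKDF2 warning describes.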
Protection against DDoS.
Each request can contain multiple password combinations
(to support wildcards, for example) and multiple names.
Currently only two passwords are sent from the addon:
But in the future we may also consider 'www.example.*', '*.example.*' and a lower-case username.
For maximum security, you can set it to 2, or to 4 if you want to stay backward compatible
with addons/extensions <= 0.7.
Protection against brute force.
Minimum delay (in milliseconds) between two requests.
Clear master keys and reset passwords after 15 minutes of inactivity.