[WIP] Passman

[brantje]

So i have passman at brantje/passman that's for ownCloud. Since passman for NextCloud will be complete rewrite, i decided to strart from scratch, with a new repo.

What is Passman

Passman is a password manager for ownCloud. It will keep your passwords safe (as long you keep your server safe ;) ). Features:

• Angular frontend
• Rollback (roll a entry back)
• Share password (with specific user / group)
  • Shared password can be viewed
  • Shared password can be edited (if you have access to it)
• Tag passwords
• Password strength check (Checks the strength of your passwords and checks for dupes)
• Custom fields (Add your own encrypted fields)
• OTP (One time password generator), so you can login when your phone battery is dead
• Integrations
  • Activity app
  • Notification app

    Todo

• [x] Create foundation for the app [Docs](This will be just an empty app)
• [x] Define API [WIP]
• [x] Build API
• [x] Create frontend
  • [x] Use sjcl for the encryption of passwords (aes 256 bit encryption)
  • [x] Create / edit / delete vault
  • [x] Add password
  • [x] Create / remove / edit custom fields
  • [x] Settings for (eg; google's) OTP
  • [x] Password strength indicator
  • [x] Password generator
  • [x] Edit password
  • [x] Delete password
  • [ ] Share password
  • [ ] Share read only
  • [ ] Share r/w
  • [ ] Share for xx views
  • [ ] Share until date / time
  • [ ] Share for xx minutes
  • [ ] Fix style issue's

    Help / idea's needed for

• [ ] Password sharing part, i have no clue how to approach this. cc @bes1002t , @BernhardPosselt

I wil keep this issue updated when i get new idea's

[oparoz]

I'd love to see OTP implemented to unlock all passwords instead of only relying on passwords

[brantje]

OTP is for eg; Google, when you login google asks for the One time password. Passman will have the ability to generate those.

A 2 factor auth would be nice for passman, but maybe let NC handle that?

[animalillo]

I don't think OTP is viable or useful for passman, as the user is already authenticated, and the passwords are encyphered using a master AES key (in the current passman version, i can't think on a way that OTP could make it more secure or to implement it in a way worth the effort that increases the app security

[oparoz]

Yeah, you're probably right, the user is already authenticated and as long as he doesn't store his password in localstorage, he should be OK.

[animalillo]

as of for the sharing part, documentation on how to gather users and groups data from NextCloud apis would be neat.

[nickvergessen]

Ha, just yesterday I thought "man this app would really deserve an update". Glad you have the same in mind.

[oparoz]

OCS Share API https://docs.nextcloud.com/server/10/developer_manual/core/ocs-share-api.html

[brantje]

Let's start a discussion, is password sharing really needed?

[BernhardPosselt]

Bikeshed incoming: no.

[BernhardPosselt]

IMHO its like asking if a gun should be able to shoot backwards.

[animalillo]

hahahaha, true, but it has applications when you need to share some kind of passwords of sites that only allows 1 account to be created between different company members, better than putting them on an excel on a shared network folder would be a good password manager with nice security

[BernhardPosselt]

@animalillo use a gpg encrypted excel

[BernhardPosselt]

No, really in general you dont want that situation. If you have that situation I don't think theres anything better than the excel

[animalillo]

sure, then nobody would use the password manager, cause they can keep all their passwords in the confortable excel they are allowed to use, copy, travel around and share with anyone anywhere in many ways

[BernhardPosselt]

Password managers exist because you dont want to use the same password on all services. Nothing more.

[BernhardPosselt]

The more features you pile on the less secure it becomes. As for sharing passwords with other colleagues: don't do it.

[animalillo]

forgot to say "i don't need that password manager thing your IT dep has set up for us, we already have excel and we are already using it for this $shared_passwords"

and yeah, password managers are for using diferent passwords everywhere. i don't think sharing passwords is something you should usually do, but some times it's needed, and it's better if it's centralized for a company, that's my opinion

[BernhardPosselt]

Good luck with that company then :)

[animalillo]

it's also more secure, because you know who has access to the passwords and who doesn't. Of course, users are users and users are gonna act in unpredictable ways.

[nickvergessen]

:-1: I dont need sharing as well

[oparoz]

Well, I would find it useful in a non-enterprise setting. Let's say you have a club, large family, etc.

• You're not going to install a password manager on every device owned by every member
• You don't want to maintain and send the XL sheet
• You don't want to send the password via email
• You don't want to be password tech support

So to be able to share amongst community members could be useful from my pov.

[brantje]

Updated todo list.

[oparoz]

Nice progress :)

[brantje]

Closing, created separate issues for the open tasks.