zeruniverse / Password-Manager

An online keepass-like tool to manage passwords. Client-side AES encryption!

Is this still active and maintained? #247

Closed ebalestrini closed 4 years ago

ebalestrini commented 4 years ago

I have extended the code so I can share secrets/passwords between known usernames. Is this something worth it to you? If you want, I can create a pull request. Let me know.

Basically:

BenjaminHae commented 4 years ago

I'm definitely interested. Please create a PR. How are you encrypting the shared password?

I've always wanted to do something like that, but I was afraid of adding a lot of complexity...

ebalestrini commented 4 years ago

Well, I just realized that I have modified the version you have for download and not the latest (I did not fork it). The password encryption is intact as you had it before; all I have done is create a new column in the password table called "sharedWith". This column is not encrypted (varchar, expected to be usernames separated by commas), so I can query passwords created by the current user OR sharedWith LIKE %currentUser% on the password.php API endpoint.

For future features this free text field could be autocompleted from the users table so we can limit it to existing users only.

Tomorrow I will try to merge your current branch with the one I have downloaded and create a PR.

zeruniverse commented 4 years ago

Yes, this project is still alive. Since I now have a full-time job (I think the same is the case for Benjamin), it's not very active. But we will review/accept PRs.


zeruniverse commented 4 years ago

Closed due to inactivity. For new features, please submit an MR to the new project. #248

zeruniverse commented 4 years ago

@ebalestrini @BenjaminHae Sorry I just took a detailed look at this.

From a crypto point of view, what you need for "sharing password" is public-key cryptography: encryption and decryption use two different keys (A for encryption and B for decryption). For each user, the database needs to store: AES-encrypted key B and raw key A. When user X wants to share a password with user Y, he will encrypt the password with user Y's key A (which can be read from the database) and send it to the server. Then user Y will pull the encrypted password from the server and decrypt the message with its own key B.

If you are a third party (e.g. owner of the database), you won't know user Y's key B because it's encrypted in user Y's browser with AES. And you will not know the password being shared to Y because it's encrypted using key A and, to decrypt it, you need to know user Y's key B.

A Javascript implementation of this crypto is here: https://github.com/mdn/dom-examples/blob/master/web-crypto/encrypt-decrypt/rsa-oaep.js

zeruniverse commented 4 years ago

@ebalestrini Since you mentioned a PR, I don't know how you implement sharedWith, because user A's information in the database is garbage to user B if user B doesn't know A's login password. It sounds to me that once user A wants to share some password, you will post this password in raw format to the server so the server can 'tell' user B the raw password. If so, PLEASE STOP DOING THAT. The design logic of this password manager is that the client (web browser) will never provide the raw password to the server, so the server operator can't get the user's password; the naive sharing will ruin everything.