
:key: Password manager for ownCloud 8 and later and NextCloud 9 and later

Primary language: JavaScript. License: GNU Affero General Public License v3.0 (AGPL-3.0).

Passwords

for ownCloud 8 and later and NextCloud 9 and later

2015-2016, Fallon Turner fcturner@users.noreply.github.com

Available in 25 languages (see Translations below).

This app cannot be installed from within ownCloud, since that system demands repackaging of releases and removes the possibility of freely using GitHub master versions (read more below under Installation).

View this app on apps.owncloud.org.

Overview

[Screenshot: Overview of ownCloud Passwords. More pictures in the gallery.]

Summary

This is a password manager for generating, sharing, editing and categorizing passwords in ownCloud 8 and later and NextCloud 9 and later (see the 'img' folder for screenshots, or the gallery). It has full LDAP support and features both client-side and server-side encryption (Encrypt-then-MAC [EtM] combined with MCRYPT_BLOWFISH, keyed with user-specific, ownCloud/NextCloud-instance-specific and database-entry-specific data), so that only the user who created a password is able to decrypt and view it. Passwords are therefore stored encrypted in the ownCloud/NextCloud database (read the Security part for details). You can insert or import your own passwords or randomly generate new ones. Some characters are excluded from generated passwords for readability: 1, I and l; B and 8; o, O and 0.

This app is primarily intended as a password MANAGER, e.g. for a local ownCloud/NextCloud instance on your own WPA2-protected LAN. If you trust yourself enough as a security expert, you can run it behind an SSL-secured server for a neat cloud solution. The app is blocked (with a message) when it is not accessed through https, which means your passwords are not loaded (decrypted) and shown. To prevent this, use ownCloud/NextCloud's own 'Force SSL' function on the admin page, or enable HSTS (HTTP Strict Transport Security) on your server. Also make sure your server has no vulnerabilities of any kind (POODLE, CSRF, XSS, SQL injection, privilege escalation, remote code execution, to name a few).

The script for creating passwords can be found in these lines of /js/passwords.js.

Security

+ Password generation

Generated passwords are pseudo-random (no physical entropy source such as atmospheric noise is used): only JavaScript's Math.random function is used, which I think is random 'enough'. After characters of the selected types have been generated (lowercase, uppercase, numbers and/or punctuation, as you choose; a strength value is then calculated), they are scrambled with the Fisher-Yates shuffle (also known as the Knuth shuffle, the de facto unbiased shuffle algorithm).

+ Encryption (for storage in database)

This app features both server-side encryption (the encryption itself runs on the server, before the data is written to the database table) and client-side encryption in the sense that the key is one the server does not persist: it depends on the user's own login (see Decryption below). All passwords (generated or your own) are stored in your own ownCloud/NextCloud database using the functions named in the Summary: Encrypt-then-MAC combined with MCRYPT_BLOWFISH. Note that PHP's mcrypt extension is deprecated since PHP 7.1 and no longer part of core PHP as of 7.2, so check that your PHP build still provides it.

+ Decryption (for pulling from database)

All passwords are encrypted with user-specific, ownCloud/NextCloud-specific and server-specific keys. This means passwords can be decrypted:

  • only by the user who created the password (so this user must be logged in),
  • only on the same ownCloud/NextCloud instance where the password was created in (meaning: same password salt in config.php).

Other users and administrators are never able to decrypt passwords, since they cannot log in as the user (assuming the user's password is not known to them). Note that this protects the database contents at rest: while the user is logged in, the key is necessarily present on the server, because that is where encryption and decryption run. If the password salt is lost, all passwords of all users are lost and irretrievable, so back up config.php (which holds the passwordsalt) together with the database.

+ Sharing

For sharing, an ad hoc share key is created every time a share is initiated. This is a 256-bit hash from which nothing can be recovered. The share key is stored encrypted (as above) for the user who shares the password and copied to another table, where it is matched to the password ID and the ownCloud/NextCloud ID of the user the password is shared with. If the share keys match, the password is decrypted on the receiving user's side too. If they do not, the receiving user sees an 'Invalid share key' notice and the password is not decrypted at all.

Remote control

This app allows full remote control by using a RESTful API. Read here about how to use it: https://github.com/fcturner/passwords/wiki.

Browser plugins are available for Firefox here (thanks to @eglia) and for Chrome here (thanks to @thefirstofthe300).

Website icons

There is a built-in option to show website icons in the password table. The administrator sets it on the ownCloud/NextCloud settings page and can choose between two services: DuckDuckGo (default) and Google. Icons are downloaded over HTTPS from the chosen service when a user loads the page. Nothing fancy or unsafe (even with Google, although they track you), it's just icons; keep in mind, though, that the service sees the domain of every entry it is asked for an icon for. The icons for the ownCloud and NextCloud websites, for example (replace owncloud.org with your own domain to try):

Translations

ownCloud/NextCloud Passwords is available in: English, German, Spanish, French, Italian, Dutch, Danish, Czech, Norwegian Bokmål, Russian, Japanese, Polish, Portuguese (Brazil), Portuguese (Portugal), Spanish (Mexico), Turkish, Swedish, Catalan, Thai, Hebrew, Romanian, Albanian, Slovenian, Icelandic and Galician.

Installation

Updating from previous version

From v19 on: log in as admin on ownCloud/NextCloud and go to the Passwords section of the admin page. It tells you whether an update is available or you are already up to date. When there is an update, buttons appear to download the latest version, together with ready-made command lines using your file owner name (www-data in the example below) and your app location (/var/www/owncloud_prod/apps/passwords in the example below), so you can run the update quickly on your CLI.

Note: on versions lower than v19, these commands still work.

Updating the app

Initial installation

Use one of the following options, then log in as admin on ownCloud/NextCloud and enable the app. The database tables oc_passwords, oc_passwords_categories and oc_passwords_share are created automatically (assuming oc_ as table prefix).

  • Git clone (fastest)
    Use these commands (assuming /var/www/owncloud as your ownCloud/NextCloud root location). The first one is optional and removes an existing folder with its contents.
rm -rf /var/www/owncloud/apps/passwords
git clone --branch 19 https://github.com/fcturner/passwords.git /var/www/owncloud/apps/passwords
  • Manual download and installation
    Click here to view the latest official release or, for the very latest master version, click here to download the zip or here to download the tar.gz.
    Copy, unzip or untar the folder 'passwords' to /owncloud/apps/ (remember that the folder must be called 'passwords').
  • ownCloud App store
    I refuse to support this. This system demands repackaging of releases and removes the possibility of freely using GitHub master versions. Repackaging of releases is prone to human error and, more importantly, adds invisible system files to a release when it is done on Mac (like .DS_Store) and Windows (like Thumbs.db). This means local user properties and file system info (possibly privacy sensitive) are sent to a server, which should be avoided at all costs. Did you know forensic scientists can use these files against you? You surely don't want them on any server, any cloud, or anywhere on the internet! Dr Sarah Morris and Dr Howard Chivers wrote an article about this. The ownCloud team should really alter the behaviour of ownCloud pulling apps from their app store, instead of letting app developers interfere with a decent, solid and closed GitHub workflow (as I've been telling them for months). This app is all about privacy and security; the ownCloud app store apparently isn't.

Credits

A big thanks to all participants in this project. I thank Anthony Ferrara (ircmaxell), for teaching the world how to properly set up security in PHP.