2015, Fallon Turner fcturner@users.noreply.github.com
This is a Password Manager for viewing, editing and generating passwords (see 'img'-folder for screenshots) in ownCloud. You can insert and manage your own passwords or randomly generate new ones. Some characters are excluded upon password generation for readability purposes (1, I, l and B, 8 and o, O, 0). Passwords are stored heavily encrypted into the ownCloud database (read Security part for details).
This app is primarily intended as a password MANAGER, e.g. for a local ownCloud instance on your own WPA2 protected LAN. If you trust yourself enough as security expert, you can use this app behind an SSL secured server for a neat cloud solution. The app will be blocked (with message) if not accessed thru https, which will result in your passwords not being loaded (decrypted) and shown. To prevent this, use ownClouds own 'Force SSL'-function on the admin page, or use HSTS (HTTP Strict Transport Security) on your server. Also, make sure your server hasn't any kind of vulnerabilities (POODLE, CSRF, XSS, SQL Injection, Privilege Escalation, Remote Code Execution, to name a few).
- Not happy with the encryption or the fact that this app exists? You're welcome to create your own :)
- Happily want to contribute to improve this app? You're welcome to contact me or create pull requests :)
The script for creating passwords can be found in 'js/script.js'.
Generated passwords are in fact pseudo-generated (i.e. not using atmospheric noise), since only the Javascript Math.random-function is used, of which I think is randomly 'enough'. After generation of different types of characters (your choice to include lowercase, uppercase, numbers and/or reading marks, strength will be calculated), scrambling of these characters is done using the Fisher-Yates shuffle (also known as Knuth, a de-facto unbiased shuffle algorithm).
All passwords (generated or your own) are stored encrypted in your ownCloud database.
- Encryption is done using a key built from user-specific, ownCloud-specific, and database entry-specific data so it is unique for every encrypted block of text (i.e. every password). It therefore provides key rotation for cipher and authentication keys
- The keys are not used directly. Instead, it uses key stretching which relies on Password-Based Key Derivation Function 2 (PBKDF2)
- It uses Encrypt-then-MAC (EtM), which is a very good method for ensuring the authenticity of the encrypted data
- It uses mcrypt to perform the encryption using MCRYPT_BLOWFISH cyphers and MCRYPT_MODE_CBC for the mode. It's strong enough, and still fairly fast
- It hides the Initialization vector (IV)
- It uses a timing-safe comparison function using double Hash-based Message Authentication Code (HMAC) verification of the source data
All passwords are encrypted with user-specific, ownCloud-specific and server-specific keys. This means passwords can be decrypted:
- only by the user who created the password (so this user must be logged in),
- only on the same ownCloud instance where the password was created in (meaning: same password salt in config.php).
Other users or administrators are never able to decrypt passwords, since they cannot login as the user (assuming the user's password isn't known). If the password salt is lost, all passwords of all users are lost and unretrievable.
All website icons in the password table are downloaded from a secured Google server when you load the page. Nothing fancy or unsafe (even using Google), it's just about icons. The icon for The White House's website for example (replace whitehouse.gov with your own domain to try): https://www.google.com/s2/favicons?domain=www.whitehouse.gov.
Download the latest release and copy the folder 'passwords' to /owncloud/apps/. Login as admin and enable the app. The database table will be created automatically. View this app on apps.owncloud.org
I would like to thank Anthony Ferrara (ircmaxell), for teaching the world how to properly set up security in PHP.