Swordfish is an experiment in builidng a group-optimized password management app. It is currently very alpha. Browse all the issues to see what features are planned.
Is it secure?
Storing passwords on a server might seem like filling a lake in Alaska with honey and expecting to keep bears out. I don't think it's like that. Why?
Even if an attacker gets access to your server or database, all secure items are encrypted client side. The server has no idea what it is storing and no way of decrypting it.
When you sign up, a RSA public/private keypair is generated in your browser. All sensitive data is encrypted with your private key, which is password-protected and never transferred to the server. No sensitive data is ever transmitted over the wire unless it is encrypted with secrets only available on the client.
If you find a security vulnerability:
- DO NOT POST ABOUT IT PUBLICLY
- Send an email to email@example.com with details about the security vulnerability.
- After a fix has been released, a public announcement will be made giving all glory and honor to you.
If you find what looks like a bug:
- Search the mailing list to see if anyone else had the same issue.
- Check the GitHub issue tracker to see if anyone else has reported issue.
- If you don't see anything, create an issue with information on how to reproduce the issue.
If you want to contribute an enhancement or a fix:
- Fork the project on GitHub.
- Make your changes with tests.
- Commit the changes without making changes to the Rakefile, Gemfile, gemspec, or any other files that aren't related to your enhancement or fix.
- Send a pull request.