Built In Password Manager

IMHO it would be really nice to have a built-in password manager like LastPass on Nextcloud. I do not code, but KeePassX may be a good place to look for some backend ideas.

https://www.keepassx.org

3 Likes

I believe I am in the minority here, but I don’t think Nextcloud should do this. There are many good solutions to do this already (LastPass, Secret Server, Vault). The existing paradigm is to store your KeePassX file on the server and download/upload it as needed.

What are some other arguments for or against this functionality?

6 Likes

Well, the other web solutions you mention are provided by private companies, controlling our data on their servers. This is the state of affairs for which Nextcloud was created as an alternative.

Clearly, Nextcloud can’t provide dedicated modules for every use case, but I would say that password management is an extremely important area of user data, and would be a good candidate.

3 Likes

Expanding a bit on @Ripper’s reply, there are no alternatives to those private companies that provide an option to have the server side of the password management service living on our own server.

KeePassX is very OK, but it does not offer any kind of plugin or anything, not to mention for several OSs/devices, to facilitate the login process.

I am not saying it is easy to achieve, but Nextcloud will have the sync clients (Linux, Windows, OSX, Android, iOS), which eventually could be used for that purpose too, and users who know how to properly make plugins can eventually make some for browsers if needed.

Still, IMHO, a plus service that can be offered by service providers.

Thanks!

1 Like

@xandcg KeePass has auto-type, which is similar to LastPass’s autofill feature. AFAIK it’s available on most operating systems. Probably not iOS, but I don’t know for certain.

2 Likes

I stand corrected. It looks like someone implemented a password app.

https://github.com/fcturner/passwords

2 Likes

@jyaworski

Thanks, I was not aware of it. I do not have an ownCloud server right now to give it a try, but I will find a way next week. :grinning:

A password manager on the Nextcloud side is one thing. And by storing KeePass on an instance you get close. The app (never looked into it before) is definitely better if designed right. But the caveat for a password manager is to get full functionality in the browser and device.

KeePass works for this with the hassle of figuring out how to sync it for most devices.

The best thing would be to take a password manager hosted on Nextcloud and create all the browser plugins to connect with it and then also create an app that will connect to it.

For KeePass, one of the best apps for iOS is MiniKeePass. It has worked really well, but sync is a pain.

Then you get into the whole sharing thing.

This works well with LastPass since you can share a folder. But with things like KeePass you have to share the entire database and let it be copied locally. Of course you can have multiple databases, but that again is a hassle to manage and sync.

Coming full circle, a password management app that worked with browser plugins and apps like MiniKeePass would be a great use of Nextcloud.

I fully agree with @JaredBusch and @xandcg: Nextcloud definitely needs a password program. A program for keeping passwords is a very basic thing and everyone is using it. If there is an opportunity to centralize this within Nextcloud, many people will use it, I’m pretty sure.

1 Like

Support for Firefox Sync would bring a password manager with it. The Firefox password manager is quite a robust implementation (provided that one uses a master password) with support on most platforms (not sure about iOS). Browser integration is good, but one needs a separate browser addon for managing passwords on Android.

1 Like

For reference, there is also a thread on Firefox Sync: Bring Firefox Sync back

2 Likes

Does Firefox Sync provide for storing attachments? Cuz this is important when you are storing passwords.

@erikkn Sorry, no idea what the attachments have got to do with password storage. Firefox has a built-in password manager which stores username/password combinations (together with attributes such as the website URL, the username/password field names, and timestamps).

I’ve used the third-party password addon, and it works fine. But, the trouble with third-party modules is that they have a tendency to fade away and become unsupported. There was another password manager before this one, and that was abandoned.

I just think that password management is such a fundamental part of life on the web, that it would be justified to add it as a supported feature of Nextcloud.

1 Like

As far as I know, in iOS Firefox is just a Safari with Firefox UI.

Exactly that is the problem. Passwords are really critical data and I think we should ensure that the development of this part is protected by Nextcloud itself.

1 Like

@jknockaert In my opinion people want to save physical letters with credentials, just for their archive. Imagine you receive a letter from your bank with your new CVC code etc. When you insert your credit card number with your CVC code into the password program, it would be nice to have an attachment with extra information (the physical letter) like the name of your banker.

I use KeePass Password Safe (KPS) and sync the file using ownCloud across all my devices.
Since it’s only 1 MB this is fast and efficient.
I don’t think a web-based password manager could ever come close to the features KPS has.

Even for other password managers with fewer features, it would still be less secure, since passwords are exposed as soon as the server is compromised.
Especially since the server then becomes a very, very juicy target. Getting all the passwords of dozens, hundreds of users all in one single hack? Yummy!

What value would there be in it? I don’t mean this in an aggressive way, I’m honestly curious.

4 Likes

As with anything NC, as soon as you want a GUI on the server to view the data, then your data is not safe. Confidential information has to be encrypted on the client and that’s one thing that’s been missing from the official clients and from password keeper apps.

The older Passman app used to have client-side encryption of passwords, but it hasn’t been updated since 2014. It could certainly be implemented again.
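
The client-side encryption that the last two posts call for, as an added example that is not part of the thread and not code from Nextcloud or Passman: the client encrypts each entry under a key derived from the master password, so the server stores only ciphertext. The function names, the record layout and the choice of scrypt with AES-256-GCM are assumptions made for this example.

```javascript
// Added example (not Nextcloud or Passman code); all names here are hypothetical.
const crypto = require('node:crypto');

// Derive a 256-bit key from the master password (scrypt with Node's default cost).
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Client side: encrypt one entry. The returned object is all the server ever stores.
function sealEntry(masterPassword, entry) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce per entry, required by GCM
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entry), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Client side: decrypt a downloaded record. Returns null if the master password is
// wrong or the record was modified in storage (the GCM tag check fails).
function openEntry(masterPassword, blob) {
  const raw = (field) => Buffer.from(blob[field], 'base64');
  try {
    const key = deriveKey(masterPassword, raw('salt'));
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw('iv'));
    decipher.setAuthTag(raw('tag'));
    const pt = Buffer.concat([decipher.update(raw('ct')), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Server-side view: does any stored field contain the secret's bytes?
function storedRecordContains(blob, secret) {
  return Object.values(blob).some((v) => Buffer.from(v, 'base64').includes(secret));
}

// Constructed sample entry, not real credentials.
const sample = { site: 'bank.example', user: 'alice', password: 'constructed-secret-123' };
const stored = sealEntry('correct horse battery staple', sample);
console.log(openEntry('correct horse battery staple', stored).password);
console.log(openEntry('guess', stored));
console.log(storedRecordContains(stored, sample.password));
```

The master password and derived key never leave the client, so a server GUI built on this layout could list records but not display their contents.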