Built In Password Manager

and I can read this file with the Firefox password manager and several mobile password managers?

I agree here. Having the database stored in an encrypted format on the server and a decrypted (after password/keys) one on the client makes much more sense from a security perspective. However, I'm not opposed to integrating with Firefox Sync. That seems like a reasonable option.

I know it's missing, I'm working on a client-side encryption feature :slight_smile:
My point was that passwords are a very critical piece of information, because they basically unlock everything else.
And, you would lose a lot of very, very handy features with a web-based tool.

You can use mobile apps to read your KeePass files, yes.
I use MiniKeePass since I'm on iOS, but I'm certain it exists for Android.

For Firefox I don't know, but I would think not. But with the KeePass auto-type feature this is hardly a problem.
Once properly set up, auto-type allows you to fill in user and password fields by just hitting a keyboard shortcut, so you hardly lose time.
And contrary to the Firefox password manager, it's not limited to web pages. You can autologin to pretty much anything: SSH, RDP, FTP…

Personally, I would not use this feature, I'm with the KeePass crowd already. I think it's a huge effort to get this right (especially to get this reasonably secure) which could be spent on other things.


But for those of us that aren't already using KeePass or similar, this would be a great platform. Nextcloud is already working on client-side encryption, so this shouldn't be much of a stretch to handle keyfile/password management. I'm envisioning something with a feature set and ease of use similar to LastPass, but open source and self-hosted. Just my 2 cents. :stuck_out_tongue:

Unfortunately, no: web-based password management and client-side encryption are two very different things. Doing one doesn't help doing the other.

I didn't mention anything about it being web-based, but if so then yes, you would be correct. I was thinking it would be handled through the installed client on the device. Yes, anything web-based is going to have more security issues.

What do you mean by "handled by the client" exactly?

I admit that I might be out of my league with this topic. I just thought it could send the keyfile to the client and decrypt it on the end device, and any changes or additions would be synced back to the original file hosted on the NC server. Also maybe the client could handle autocomplete for browsers etc. When you said web-based, I took that as web-browser-based. Sorry if I messed this up.

What you're describing is basically KeePass. It's already out there as an open source project and it works very well. A password database is encrypted and decrypted by the application, and the user is free to store their (encrypted) database wherever they choose. Many people do that in Dropbox/ownCloud/Google Drive etc., and there are browser extensions for things like autocomplete.

I don't know what kind of developer overhead would be involved in creating a built-in password manager like KeePass for Nextcloud, but it seems a little unnecessary when polished solutions already exist. If there was enough demand for a built-in Nextcloud implementation, perhaps it would be better suited as a plugin than as part of Nextcloud Core?

This is not how a password manager should work. It does not make sense to open a file and copy-paste the password, because several apps could track the content of the clipboard. I don't know whether it is possible yet, but imho it is more secure to sync the browser itself with Nextcloud's server.

Imho, for an end user it is difficult and not user-friendly to use a password manager the way you described.

You don't have to copy/paste; KeePass autotypes it for you. Note that this autotype feature can be both keylogger- and clipboard-tracker-resistant.
http://keepass.info/help/v2/autotype_obfuscation.html
Finally, if you don't need it for anything other than your browser, there are plugins that do autocompletion.


For me, the fact that good offline solutions like KeePass exist is not necessarily a good argument for not having a Nextcloud module. One could say the same thing about online document editing and other functionality provided by modules. But the value of Nextcloud is in having these things provided as a privately controlled web service.

To me, the argument for or against really comes down to user demand, balanced against the scarcity of resources. I could certainly accept a decision that says it is too much work to cater for a niche functionality. I think, for those of us who would value it, it's worth making that known, so Nextcloud can take it into consideration.


KeePass for Android also has a keyboard which types instead of the copy & paste thing. Then again: if someone compromised your device so that they can intercept copy & paste, then you're pretty much out of luck regardless of what you do.

(edit: I'm talking about this app here: https://keepass2android.codeplex.com/ )

This is not true. Applications could track the content of your clipboard. If you transfer this functionality so you don't need the clipboard, the compromise does not affect all of your passwords. If your password manager is not affected by this, they cannot read all of your passwords. An Android application cannot access the sandbox of another application.

OK, if KeePass avoids this problem, it is fine, but still end-user unfriendly.

Exactly my thoughts.

Passwords are mostly used in the browser, but also on the desktop, for things like network access, applications or encrypted files. In the long run, it makes sense to have a generous way of managing passwords. In the short run, 80% of use cases (browser) could be tackled by an addon.

The password manager could serve as a backend for various clients, providing an API to access passwords. Clients should consider using client-side encryption, e.g. the master password in FF.

Another feature the password manager from fcturner has is that you can share passwords with other users without having to send them by mail or write them down on a piece of paper or whatever. This makes it more secure than leaving them lying around.

Somebody also forked fcturner's password manager to make it a KeePass viewer from within ownCloud: https://github.com/jbateman3/KeePass-ownCloud

I think this will muddle what NC offers. Something like LastPass provides local device encryption/decryption of the stored passwords, clients for mobile devices and a pretty good web interface. I feel that the effort required to replicate or integrate something like this will remove development focus from the other feature sets that are being considered.

My 2 cents worth!


I also think that a password manager well integrated into Nextcloud could enhance collaboration. A password manager is more than important in companies. ATM there's a solution, passman (https://github.com/nextcloud/passman/issues/243), but it's client-side encrypted, so sharing is not working well. A strong password manager with integrated server-side encryption would be awesome (maybe also with an API).
It should be possible to add passwords to categories or tags and share the whole category or tag. So you can organize the passwords for teams. Newly added passwords are then automatically shared with that group (compare with folder sharing).

PS: I'm willing to donate something, if small and big companies can also use such a password manager for all their workers :slight_smile: