Built In Password Manager

and I can read this file with firefox password manager and serveral mobile password managers?

I agree here. Having the database stored in an encrypted format on the server and a decrypted (after password/keys) one on the client makes much more sense from a security perspective. However, I’m not opposed to integrating with Firefox Sync. That seems like a reasonable option.

I know it’s missing, I’m working on a client-side encryption feature :slight_smile:
My point was that passwords are a very critical piece of information, because it basically unlocks everything else.
And, you would lose a lot of very, very handy features with a web-based tool.

You can use mobile apps to read your Keepass files yes.
I use MiniKeepass since I’m on IOS, but I’m certain it exists for Android.

For firefox I don’t know, but I would think not. But with Keepass auto-type feature this is hardly a problem.
Once properly set up, auto-type allows you to fill in user and password fields by just hitting a keyboard shortcut so you hardly lose time.
And contrary to firefox pass manager it’s not limited to web pages. You can autologin in pretty much anything : SSH, RDP, FTP…

Personally, I would not use this feature, I’m with the KeePass crowd already. I think it’s a huge effort to get this right (especially to get this reasonably secure) which could be spent on other things.

6 Likes

But for those of us that arn’t already using KeePass or similar, this would be a great platform. NextCloud are already working on client side encryption so this shouldnt be much of a stretch to handle keyfile/password management. I’m invisioning something with a feature set and ease of use, similar to LastPass but open source and self hosted. Just my 2 cents. :stuck_out_tongue:

Unfortunately, no : web-based password management and client-side encryption are two very different things. Doing one doesn’t help doing the other.

I didnt mention anything about it being web-based, but if so then yes you would be correct. I was thinking it would be handeled through the installed client on the device. Yes, anything web-based is going to have more security issues.

What do you mean by “handled by the client” exactly ?

i admit that i might be out of my league with this topic. I just thought it could send the keyfile to the client and decrypted on the end device and any changes or addtitions would be synced back to original file hosted on the NC server. Also maybe the client could handle autocomplete for browsers etc. When you said web based, i took that as web browser based. Sorry if i messed this up.

What you’re describing is basically KeePass. It’s already out there as an open source project and it works very well. A password database is encrypted and decrypted by the application, and the user is free to store their (encrypted) database wherever they choose. Many people do that in Dropbox/ownCloud/Google Drive etc, and there are browser extensions for things like autocomplete.

I don’t know what kind of developer overhead would be involved in creating a built-in password manager like KeePass for Nextcloud, but it seems a little unnecessary when polished solutions already exist. If there was enough demand for a built-in Nextcloud implementation, perhaps it would be better suited as a plugin than as part of Nextcloud Core?

this is not how a password manager should work. It does not make sense to open a file and copy paste the password because several apps could track the content of the clipboard. I don’t know whether it is possible yet but imho it is more secure to sync the browser itself with nextclouds server.

Imho for an end user it is difficult and not user friendly to use a password manager that way you described.

You don’t have to copy/paste ; Keepass autotypes it for you. Note that this autotype feature can be both keylogger- and clipboard tracker-resistant.
http://keepass.info/help/v2/autotype_obfuscation.html
Finally, if you don’t need it for anything else than your browser, there are plugins that do autocompletion.

1 Like

For me, the fact that good offline solutions like Keepass exist is not necessarily a good argument for not having a Nextcloud module. One could also say the same thing about online document editing, and other functionality provided by modules. But, the value of Nextcloud is in having these things provided as a privately-controlled web service.

To me, the argument for or against really comes down to user demand, balanced against the scarcity of resources. I could certainly accept a decision that says it is too much work to cater for a niche functionality. I think, for those of us who would value it, it’s worth making that known, so Nextcloud can take it into consideration.

1 Like

KeePass for android also has a keyboard which types instead of the copy & paste thing. Then again: If someone compromised your device so that they can intercept copy&paste, then you’re pretty much out of luck regardless of what you do.

(edit: I’m talking about this app here: https://keepass2android.codeplex.com/ )

This is not true. Applications could track the content of your clipboard. If you transfer this functionality so you don’t need the clipboard, the compromisation does not affect all of your passwords. if your password manager is not affected by this, they can not read all of your passwords. An Android Application can not access the sandbox of another application.

Ok if keypass avoids this problem, it is ok but still end user unfriendly.

Exactly my thoughts.

Passwords are mostly used in browser, but as well on desktop like for network access, applications or encrypted files. In the long run, it makes sense to have a generous way of managing passwords. In the short, 80% of use cases (browser), could be takled by an addon.

The password manager could serve as a backend for vairous clients, providing an API to access passwords. Clients should consider using client-side-encryption e.g. master password in FF.

Another feature the password manager from fcturner has is that you can share passwords with other users without having to send them by mail or write them down on a piece of paper or whatever. This makes it more secure than leaving them lying around.

Somebody also forked fcturner’s password manager to make it a Keepass viewer from within Owncloud: https://github.com/jbateman3/KeePass-ownCloud

I think this will muddle what nc offers. something like lastpass provides local device encryption/decryption of the stored passwords, clients for mobile devices and a pretty good web interface. I feel that the effort required to replicate or integrate something like this will remove development focus from the other feature sets that are being considered.

My 2 cents worth!

2 Likes

I also think that a password manager well integrated into nextcloud could enhance the collaboration. A password manager is more than important in companies. ATM there’s a solution for passman (https://github.com/nextcloud/passman/issues/243), but it’s client-side encrypted, so sharing is not well working. A strong password manager with integrated server-side encryption would be awesome (may also with an API).
It should be possible to add passwords to categories or tags and share the whole category or tag. So you can organize the passwords for teams. New added passwords are then automatically shared for that group (compare with folder sharing).

PS: I’m willing to donate something, if also small and big companies can use such password manager for the wole workers :slight_smile: