First of all, thanks a lot for this very nice application! I’m using it since Nextcloud 14 release and it seems pretty stable.
Unless I missed it, I did not see any Master Password feature, meaning that if my Nextcloud session is open, I could go see all my passwords in a few clicks without having to confirm my identity.
Personally I store almost all my passwords in the App, so if one day I go out 5 minutes leaving my session open by accident, anybody could read my passwords in a minute. I would feel way more comfortable with a master password feature (like in Passman for instance).
Let me know what you think!
Hmm… I don’t seem to get the point… if you leave your computer, lock it up! No master password can save you from any malicious software that someone might be able to sneak in, when you’re away from your computer.
Physical security is still the most important thing to consider - if you walk away, leaving your computer open, all remaining security doesn’t matter, or at least can not be relied on.
I am not talking about malicious software, but simply the fact that someone would just be one click away of reading all the passwords listed in the app if they wanted to, and that without installing any malicious software or any “hacking” skills.
For that reason, I feel it is not a useless feature to have a master password, as in Firefox for instance, just to improve a bit more the security. Besides, this app is actually the ONE app giving access to any other app, so an extra layer of security is in my opinion not a bad idea.
No, and I didn’t say that, but as we’re humans, you will likely get annoyed pretty soon, if you’d have to enter your master password all the time to access your passwords. Especially, if you take it really seriously and use a strong password.
So… this feature would have to be optional, of course, and probably be the least used one for that matter. Heck… I did that for my Passman vault…
But… as soon, as I walk away from my computer, I take my little Yubikey with me and as soon as that one gets unplugged, the screensaver kicks in… so unless I don’t forget to take it with me, my passwords are pretty safe.
Locking your computer when you walk away of course not only protects you from someone spying on your passwords…
I perfectly see your point, and absolutely agree on the fact that it would have to be optional.
I used to use Passman too and actually liked the password feature but I can see how it can be annoying for some users.
Thanks for taking the time to share on this! (and I’ll check the Yubikey, that sounds like being something for me! )
A master password and session limit will be implemented as part of the client side encryption (e2e) which is currently in development. I’m looking forward to finish it within the next three months.
You will be able to choose between regular server side encryption and client side encryption. But client side encryption will always require a master password. The session timeout will be optional.
According to the FAQ, this feature has been implemented:
How do i create a master password?
Open the Settings (More > Settings) and look for the “Encryption” section. If you don’t see this section, please ask your admin to enable client-side encryption. Enable the client-side encryption option and set a master password.
However, when I check in the admin settings, I can’t find the option where I can enable the client-side encryption… Am I missing something?
)