If a legacy password is needed, hide the generated one and its parameters from the user. (Thanks for this proposal, Mr. Hinz!)

Define an encrypted export format which allows to share passwords between different password managers.

Flow:

1. Select passwords to export
2. Enter transport password / button to generate a complex password
3. Export to file

The new domain wizard should open automatically when the application is started for the first time, i.e. when no domain data is present (= combobox is empty).

… and move them to a separate repository. (See Qt-SESAM/deploy)

Reproduce:

• choose any domain
• lock app
• unlock app

The chosen domain name is not visible.

The user should be able to exit Qt SESAM when the master password dialog is open, either via the tray icon or by Alt+F4 or the like.

SecureErase() on QLineEdit seems to be a fake. To really keep the master password from being copied into memory further precautions must be taken:

• Encrypt password on the fly while typing.
• Do not allow any memory to be swapped onto disk.

In the case that you forgot the MP, there appears to be no clean (programmatic) way to reset it, because the change option requires the old password.

I suggest to add an additional option, with an additional prompt, to clear it.

When the master password is not entered correctly the main window opens and an error dialog pops up. It would be better to just show the error dialog and suppress the main window.

Build a portable version that can run from a USB stick.

That would increase usability by the million.

I see in my .ini file:

[mainwindow]
...
geometry=@Rect(612 115 866 671)

but these values are ignored when main window opens after restart, i.e. main window always pops up with the same default size.

OS: Fedora 22 x86_64, QT 5.5, KF5 5.13, Plasma 5.3

Try this

• start Qt-SESAM
• resize main window
• system tray icon menu "Quit" to exit program
• start Qt-SESAM

It will still show the old main window geometry.

If you CLOSE the main window and then exit the application, it works fine.

"Extras/Options/Check connectivity" doesn't do anything …

When compiling on openSUSE 13.2 I get these error messages:

make[1]: Entering directory '/daten/hendriks_dateien/projekte/ctsesam/Qt-SESAM-x86x64-dist/HashMaster'
g++ -c -pipe -O2 -w -std=c++0x -fPIC -DCRYPTOPP_DISABLE_X86ASM -DCRYPTOPP_DISABLE_SSSE3 -DQTSESAM_VERSION="2.0.3" -I. -I../cryptopp -I/usr/lib64/qt5/mkspecs/linux-g++ -o main.o main.cpp
main.cpp: In function ‘int main(int, char*)’:
main.cpp:147:3: error: ‘WIN32_FIND_DATAA’ was not declared in this scope
WIN32_FIND_DATAA findData;
^
main.cpp:147:20: error: expected ‘;’ before ‘findData’
WIN32_FIND_DATAA findData;
^
main.cpp:148:3: error: ‘HANDLE’ was not declared in this scope
HANDLE ff = FindFirstFileA(fname.c_str(), &findData);
^
main.cpp:148:10: error: expected ‘;’ before ‘ff’
HANDLE ff = FindFirstFileA(fname.c_str(), &findData);
^
main.cpp:149:7: error: ‘ff’ was not declared in this scope
if (ff != INVALID_HANDLE_VALUE) {
^
main.cpp:149:13: error: ‘INVALID_HANDLE_VALUE’ was not declared in this scope
if (ff != INVALID_HANDLE_VALUE) {
^
main.cpp:150:9: error: ‘findData’ was not declared in this scope
if (findData.cFileName != nullptr) {
^
main.cpp:153:31: error: ‘findData’ was not declared in this scope
while (FindNextFileA(ff, &findData)) {
^
main.cpp:153:39: error: ‘FindNextFileA’ was not declared in this scope
while (FindNextFileA(ff, &findData)) {
^
Makefile:377: recipe for target 'main.o' failed
make[1]: ** [main.o] Error 1

It happens with current master sources too.

The code generates the domain password like so:

const QByteArray &pwd =
  d->domainSettings.domainName.toUtf8() +
  d->domainSettings.userName.toUtf8() +
  masterPassword;

This is great from a security perspective but bad for usability: If I change my master password, I have to reset all passwords for all web sites.

Since the domain password already has a salt, my feeling is that including the master password doesn't add much to security.

Lots of missing references to cryptopp lib :-(

This might work on Windows by hooking the application into the hook chain with SetWindowsHookEx(WH_KEYBOARD_LL, ...) (see the actilog project):

• In hook function scan for all Ctrl+V events.
• On first event after pressing the Open URL button: copy user name to clipboard.
• On the next event copy password to clipboard.
• On the third event clear the clipboard.

I know this might be controversial, but it might be nicer for end users if the master password is stored and retrieved from default session secure storage. Under KDE this would be "kwallet5", under GNOME it would be "gnome-keyring".

AFAIU they both offer the same DBUS interface, so IMHO no separate implementation would be required.

qmake sucks …

Useful for storing certificates …

Implement an HTTP client to sync domain settings with a web app.

Some services do not allow to change your password. Thus it would be nice to have a user interface through which immutable passwords can be stored and retrieved.

The make fails with following error message:

make[1]: Verzeichnis „/usr/local/src/Qt-SESAM/libSESAM“ wird betreten
g++ -c -pipe -O2 -w -fPIC -D_REENTRANT -DQT_WEBKIT -DCRYPTOPP_DISABLE_X86ASM -DCRYPTOPP_DISABLE_SSSE3 -DQTSESAM_VERSION=\"2.0.3\" -DLIBSESAM_LIBRARY -DQT_NO_DEBUG -DQT_CORE_LIB -DQT_SHARED -I../../../../share/qt4/mkspecs/default -I. -I../../../../include/QtCore -I../../../../include -I../cryptopp -I../cryptopp -I. -o util.o util.cpp
In file included from util.cpp:21:0:
util.h: In function ‘void SafeRenew(T&, T)’:
util.h:35:12: error: ‘nullptr’ was not declared in this scope
   if (a != nullptr)
            ^
util.h: In function ‘void SafeDelete(T&)’:
util.h:44:19: error: ‘nullptr’ was not declared in this scope
   SafeRenew<T>(a, nullptr);
                   ^
Makefile:243: die Regel für Ziel „util.o“ scheiterte
make[1]: *** [util.o] Fehler 1
make[1]: Verzeichnis „/usr/local/src/Qt-SESAM/libSESAM“ wird verlassen
Makefile:78: die Regel für Ziel „sub-libSESAM-make_default-ordered“ scheiterte

Especially encrypt "sync/serverRootCertificates".

MainWindowPrivate::domains should be of type QMap<QString, DomainSettings>.

Reproduce this behaviour by:

• Delete serverRootCertificates from settings file.
• Start Qt SESAM
• Import server certificate via Extras/Options/Sync; the root certificate must be untrusted.
• Synchronize to a server.

The SSL handshake erroneously fails sometimes. After a couple of seconds or minutes the error vanishes without further ado. Timeout?

There seems to be a bad flow of code concerning MainWindow::nextChangeMasterPasswordStep().
Take a close look at MainWindow::writeToRemote().

Implement another method to enter the master password which is not prone to interception by key loggers.

Users reported cases in which changing the master password via "Extra/change master password" resulted in decryption errors.

On my Fedora 22 box with KDE Plasma 5 the system tray icon menu looks like this

As you can see there is a duplicate "Quit" entry at the end. This is not generated by Qt-SESAM, but automatically by the system (it's translation changes when I switch languages).

I'm not sure how to solve this. If this is the case for every Linux user, but not Windows user, then I would suggest to flag the generation of the "Quit" entry with #ifdef WIN32 in the code.

All instances of this app running on different desktop computer or mobile devices should be able to sync their common data by using their own master password.

This could be achieved by public-key cryptography.