
Comments (6)

BenjaminHae avatar BenjaminHae commented on July 23, 2024

I'm definitely interested. Please create a PR.
How are you encrypting the shared password?

I've always wanted to do something like that, but I was afraid of adding a lot of complexity...

from password-manager.

ebalestrini avatar ebalestrini commented on July 23, 2024

Well, I just realized that I have modified the version you have for download and not the latest (I did not fork it).
The password encryption is intact as you had it before; all I have done is create a new column in the password table called "sharedWith". This column is not encrypted (varchar, expected to be: username , separated) so I can query passwords created by current user OR sharedWith LIKE % currentUser % on the password.php API endpoint.

For future features this free text field could be autocompleted from the users table so we can limit it to existing users only.

Tomorrow I will try to merge your current branch with the one I have downloaded and create a PR.


zeruniverse avatar zeruniverse commented on July 23, 2024


zeruniverse avatar zeruniverse commented on July 23, 2024

Close due to inactivity. For new features, please submit MR to the new project. #248


zeruniverse avatar zeruniverse commented on July 23, 2024

@ebalestrini @BenjaminHae Sorry, I just took a detailed look at this.

From a crypto point of view, what you need for "sharing password" is public-key cryptography: encryption and decryption use two different keys (A for encryption and B for decryption). For each user, the database needs to store: AES encrypted key B and raw key A. When user X wants to share a password with user Y, he will encrypt the password with user Y's key A (can be read from database) and send it to the server. Then user Y will pull the encrypted password from the server and decrypt the message with its own key B.

If you are a third party (e.g. owner of database), you won't know user Y's key B because it's encrypted at user Y's browser with AES. And you will not know the password being shared to Y because it's encrypted using key A and to decrypt, you need to know user Y's key B.

A JavaScript implementation of this crypto is here: https://github.com/mdn/dom-examples/blob/master/web-crypto/encrypt-decrypt/rsa-oaep.js

from password-manager.
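The key A / key B scheme described in the comment above, sketched with the Web Crypto API as an added example that is not part of the thread or the project's code. The function names, row fields, PBKDF2 settings and sample passwords are assumptions made for illustration.

```javascript
// Added example, not the project's code: function names, row fields and KDF settings are assumptions.
const OAEP = { name: 'RSA-OAEP', hash: 'SHA-256' };
const enc = new TextEncoder(), dec = new TextDecoder();
// Browsers and recent Node expose globalThis.crypto; older Node needs the module.
async function webcrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}
// AES key derived from the login password; it never leaves the browser.
async function wrappingKey(c, loginPassword, salt) {
  const base = await c.subtle.importKey('raw', enc.encode(loginPassword), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey({ name: 'PBKDF2', salt, iterations: 100000, hash: 'SHA-256' },
    base, { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Registration (client side): returns the row the server stores for this user.
async function createUser(loginPassword) {
  const c = await webcrypto();
  const pair = await c.subtle.generateKey(
    { ...OAEP, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, true, ['encrypt', 'decrypt']);
  const salt = c.getRandomValues(new Uint8Array(16)), iv = c.getRandomValues(new Uint8Array(12));
  const kek = await wrappingKey(c, loginPassword, salt);
  return {
    publicKeyA: await c.subtle.exportKey('spki', pair.publicKey), // raw key A
    wrappedKeyB: await c.subtle.wrapKey('pkcs8', pair.privateKey, kek, { name: 'AES-GCM', iv }), // AES-encrypted key B
    salt, iv,
  };
}

// User X (client side): encrypt the entry with Y's key A, read from the server.
async function shareWith(recipientRow, plaintextPassword) {
  const c = await webcrypto();
  const keyA = await c.subtle.importKey('spki', recipientRow.publicKeyA, OAEP, false, ['encrypt']);
  return c.subtle.encrypt({ name: 'RSA-OAEP' }, keyA, enc.encode(plaintextPassword));
}

// User Y (client side): unwrap key B with Y's own login password, then decrypt.
async function openShared(ownRow, loginPassword, ciphertext) {
  const c = await webcrypto();
  const kek = await wrappingKey(c, loginPassword, ownRow.salt);
  const keyB = await c.subtle.unwrapKey('pkcs8', ownRow.wrappedKeyB, kek,
    { name: 'AES-GCM', iv: ownRow.iv }, OAEP, false, ['decrypt']);
  return dec.decode(await c.subtle.decrypt({ name: 'RSA-OAEP' }, keyB, ciphertext));
}

// Constructed demo: the server only ever holds yRow and the ciphertext.
async function demo() {
  const yRow = await createUser('y-login-password');
  return openShared(yRow, 'y-login-password', await shareWith(yRow, 'hunter2-shared-entry'));
}
```

RSA-OAEP with a 2048-bit key and SHA-256 encrypts at most 190 bytes per call, which fits a password entry; longer payloads need a random AES key that is itself encrypted with key A.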

zeruniverse avatar zeruniverse commented on July 23, 2024

@ebalestrini Since you mentioned a PR, I don't know how you implement sharedWith, because user A's information in the database is garbage to user B if user B doesn't know A's login password. It sounds to me that once user A wants to share some password, you will post this piece of password in raw format to the server so the server can 'tell' user B the raw password. If so, PLEASE STOP DOING THAT. The design logic of this password manager is that the client (web browser) will never provide the raw password to the server, so the server operator can't get the user's password. The naive sharing will ruin everything.
