{"id":17920957,"url":"https://github.com/davidanson/passweb","last_synced_at":"2025-03-24T00:32:39.639Z","repository":{"id":18486320,"uuid":"21681887","full_name":"DavidAnson/PassWeb","owner":"DavidAnson","description":"A simple, secure, cloud-based password manager.","archived":false,"fork":false,"pushed_at":"2017-07-24T05:24:20.000Z","size":372,"stargazers_count":26,"open_issues_count":1,"forks_count":9,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-19T02:29:16.846Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DavidAnson.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-07-10T06:08:05.000Z","updated_at":"2024-01-08T14:46:02.000Z","dependencies_parsed_at":"2022-08-20T16:40:34.985Z","dependency_job_id":null,"html_url":"https://github.com/DavidAnson/PassWeb","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DavidAnson%2FPassWeb","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DavidAnson%2FPassWeb/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DavidAnson%2FPassWeb/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DavidAnson%2FPassWeb/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DavidAnson","download_url":"https://codeload.github.com/DavidAnson/PassWeb/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245191486,"owners_count":20575246,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-28T20:29:47.558Z","updated_at":"2025-03-24T00:32:39.368Z","avatar_url":"https://github.com/DavidAnson.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PassWeb\n\nIf you use the Internet much, you have a hundred different passwords for things like email accounts, subscriptions, banking, social media, and the like.\nThe best passwords are long and complex (combining letters, numbers, symbols, and punctuation) and never reused across different accounts.\nWith so many to remember, some people use a [password manager](https://en.wikipedia.org/wiki/Password_manager) to securely store everything behind a single, memorable master password of suitable complexity.\nPassword managers make it easy to use strong passwords for every account - but they also introduce a single point of failure.\nMuch has been said on both sides of the argument and the decision to use a password manager should be made carefully.\n\nIf you decide a password manager is right for you, there are different kinds and many options to choose from.\nFor my purposes, a [cloud-based](https://en.wikipedia.org/wiki/Password_manager#Advantages) password manager seemed best.\nThinking about what's important to me, I wanted something:\n\n* Trustworthy\n* Open source\n* Cross-platform\n* Cross-device\n* Offline-enabled\n* Simple\n\nI couldn't find a perfect match, so I wrote my own cloud-based password manager: **PassWeb**.\nFrom time to time, someone asks to try it out, so I've open-sourced the implementation for anyone to evaluate, use, and improve.\n\n\n## Disclaimer\n\nI've tried to ensure PassWeb is safe and secure for normal use in low-risk environments, but **do not trust me**.\nBefore using PassWeb, you should evaluate it against your unique needs, priorities, threats, and comfort level.\nIf you find a problem or a weakness, please let me know so I can address it - but ultimately you use PassWeb **as-is** and **at your own risk**.\n\n\n## FAQ\n\n**What is PassWeb?**\nPassWeb is a simple online/offline web application to securely manage passwords. Data is encrypted locally and stored in the cloud so it's available from anywhere. Unencrypted data never leaves the machine, so YOU are in total control.\n\n**How do I use PassWeb?**\nClick an entry's title to open its web site. Click the name/password field to copy (where supported) or select it for you to copy+paste. Click the padlock to generate a random, complex password for each site. Notes store additional info.\n\n**How do I create a login?**\nContact the administrator with the user name you want and he/she will create a new account with a temporary password. Log in, change the master password to something only you know (and won't ever forget!), then create entries for all your accounts.\n\n**What if I'm not online?**\nChecking the \"Cache encrypted passwords\" box makes your data available offline. Changes are synchronized with the server next time you use PassWeb online. Simple updates merge seamlessly; overlapping updates should be avoided.\n\n**What if I leave PassWeb open?**\nIt's okay: PassWeb logs you out after three minutes of inactivity to protect your data. Names and passwords unmasked for copy+paste are re-masked after ten seconds to prevent anyone nearby from reading them.\n\n**Why shouldn't I use untrusted devices?**\nUntrusted machines (like a library kiosk or a friend's laptop) may have malware installed that records keystrokes. Typing your master password on such a device would compromise it, allowing an attacker to use your PassWeb account.\n\n**What if I forget the master password?**\nSorry, your data is irretrievably lost! PassWeb's encryption algorithm is government-grade and there aren't any backdoors or secondary passwords. It's up to you to remember the master password - and keep it secure!\n\n**What browsers can I use?**\nBecause it's simple and standards-based, PassWeb works cross-platform on modern browsers like recent releases of Internet Explorer, Chrome, Firefox, and Safari. If you see a problem, please email me detailed steps to reproduce it.\n\n**Why is it important to use HTTPS?**\nHTTPS creates a secure connection that encrypts all data and makes it difficult for others to intercept. HTTPS helps verify the identity of web servers, prevents tampering with content, and will soon be supported by all major sites.\n\n**How was PassWeb developed?**\nThe client is built using HTML, CSS, and JavaScript on top of the [React](https://facebook.github.io/react/), [crypto-js](https://code.google.com/archive/p/crypto-js/), and [lz-string](http://pieroxy.net/blog/pages/lz-string/index.html) libraries. The server's REST API runs on either ASP.NET or Node.js. Encryption uses 256-bit AES in CBC mode. Hashing uses SHA-512.\n\n\n## Configuration\n\n* The client for PassWeb is a simple HTML application and can be hosted on any web server or file server.\n  * For [offline mode](https://en.wikipedia.org/wiki/Cache_manifest_in_HTML5) to work, the `offline.appcache` file must be served as type `text/cache-manifest` and should not be cached.\n* The server for PassWeb is a simple [REST API](https://en.wikipedia.org/wiki/Representational_state_transfer) that stores and retrieves blobs of data.\n  * Implementations are provided for both [ASP.NET](http://www.asp.net/) and [Node.js](https://nodejs.org/en/).\n  * If data is stored as files (under an `App_Data` directory), the account used by the web server needs `modify` permissions for that location.\n  * If data is stored as blobs (supported by the Node.js implementation for [Microsoft Azure](https://azure.microsoft.com/)), permissions to read/write/list/delete are needed.\n* Choose the ASP.NET or Node.js server based on your hosting options or background; the two implementations are (mostly) equivalent.\n  * The provided [`Web.config`](Web.config) file handles everything when hosted by [IIS on Windows](https://en.wikipedia.org/wiki/Internet_Information_Services).\n  * Setting up the Node.js server requires familiarity with package management and some manual configuration.\n  * A test suite helps ensure both implementations behave the same.\n* With default settings for the server, creation of new blobs is blocked to prevent unwanted users; the administrator should temporarily unblock when creating a login for a new user.\n  * In the ASP.NET implementation, this is done by commenting out the following line in `App_Code\\RemoteStorage.cs`:\n\n    ```cs\n    // Remove to allow the creation of new files\n    #define BLOCK_NEW\n    ```\n\n  * In the Node.js implementation, this is done by changing the following variable to false in `NodeJs\\remotestorage.js`:\n\n    ```js\n    // Set to block the creation of new files (set environment variable to \"false\" to override)\n    BLOCK_NEW: process.env.BLOCK_NEW !== \"false\",\n    ```\n\n    Or by setting the `BLOCK_NEW` environment variable to `\"false\"` before starting the server.\n    This makes it easy to apply a temporary override without changing the code (such as when creating a new account).\n\n\n## Implementation\n\n**Offline use (optional)**\n* The encrypted data file is read from and written to both the server API and [HTML local storage](https://en.wikipedia.org/wiki/Web_storage) after every change.\n* When the server can't be reached (e.g., when offline), changes can be made locally.\n* When the server is reachable during login, local and remote changes are synchronized and both locations are updated.\n* Non-conflicting changes to different accounts merge seamlessly; conflicting edits to a single account are resolved by keeping the most recent entry.\n\n**Account data**\n* All account data is stored in a single, compressed, encrypted file.\n* That file is encrypted using the [Advanced Encryption Standard (AES)](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) in [Cipher-Block Chaining (CBC)](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation) mode.\n* The file name is derived from the master user name and password by hashing with [SHA-512](https://en.wikipedia.org/wiki/Secure_Hash_Algorithm).\n* The encryption key is derived from the master password, the domain name, and a random salt via the [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) algorithm configured for SHA-512 and 1000 iterations.\n* The data is only ever decrypted on the client; the server **never** sees the user name, password, or unencrypted data.\n\n**Storage API**\n* The default configuration blocks creation of new files to prevent unwanted accounts.\n* The default configuration keeps a backup of every version of the encrypted data file as a safety measure.\n\n**Communication**\n* Because it is always encrypted, the account data file can be transmitted via the storage API over an insecure HTTP connection.\n* Turning on [HTTPS](https://en.wikipedia.org/wiki/HTTPS) for the storage API is strongly recommended because it prevents tampering and hides the hash of the user name/password (this is enabled by default).\n* Enabling HTTPS for the PassWeb client files is also strongly recommended because it prevents tampering (this needs to be enabled on the web server).\n* Mixing HTTP/HTTPS requires that the storage API support [Cross-Origin Resource Sharing (CORS)](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) and requires an update to `offline.appcache`.\n\n\n## Manifest\n\nFile | Purpose\n-----|--------\ndefault.htm \u003cbr/\u003e default.js \u003cbr/\u003e default.css \u003cbr/\u003e render.jsx \u003cbr/\u003e render.js | PassWeb implementation\noffline.appcache | Offline cache manifest\nreact.min.js \u003cbr/\u003e react-dom.min.js \u003cbr/\u003e lz-string.min.js \u003cbr/\u003e aes.js \u003cbr/\u003e pbkdf2.js \u003cbr/\u003e sha512.js \u003cbr/\u003e math-random-polyfill.js | External libraries\nfavicon.ico \u003cbr/\u003e Resources\\\\\\*.png \u003cbr/\u003e Resources\\\\\\*.svg | Image resources\nApp_Code\\\\RemoteStorage.cs \u003cbr/\u003e Web.config | ASP.NET server\nNodeJs\\\\server.js \u003cbr/\u003e NodeJs\\\\remotestorage.js \u003cbr/\u003e NodeJs\\\\storage-file.js \u003cbr/\u003e NodeJs\\\\storage-blob-azure.js \u003cbr/\u003e NodeJs\\\\package.json | Node.js server\nReadme.md | This file\nLICENSE | License\n\n\n## Ideas\n\n* Add ability to import data from other password managers\n* Convert to the [Web Cryptography API](https://www.w3.org/TR/WebCryptoAPI/) (once widely available)\n\n\n## References\n\n* [Google Safety Center](https://www.google.com/safetycenter/)\n* [Microsoft Safety \u0026 Security Center](https://www.microsoft.com/en-us/security/)\n\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidanson%2Fpassweb","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdavidanson%2Fpassweb","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidanson%2Fpassweb/lists"}