{"id":13466009,"url":"https://github.com/nextcloud/passman","last_synced_at":"2026-07-05T01:00:54.642Z","repository":{"id":10951358,"uuid":"67600655","full_name":"nextcloud/passman","owner":"nextcloud","description":"🔐 Open source password manager with Nextcloud integration","archived":false,"fork":false,"pushed_at":"2026-07-02T01:40:57.000Z","size":15760,"stargazers_count":822,"open_issues_count":114,"forks_count":114,"subscribers_count":38,"default_branch":"master","last_synced_at":"2026-07-02T15:02:35.574Z","etag":null,"topics":["hacktoberfest","nextcloud","passman","password-manager"],"latest_commit_sha":null,"homepage":"https://passman.cc","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nextcloud.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-09-07T11:30:00.000Z","updated_at":"2026-07-02T01:41:02.000Z","dependencies_parsed_at":"2023-10-03T07:13:06.988Z","dependency_job_id":"20ac5c46-55fc-497f-afcb-7702c07b3e79","html_url":"https://github.com/nextcloud/passman","commit_stats":{"total_commits":2295,"total_committers":42,"mean_commits":"54.642857142857146","dds":0.5729847494553377,"last_synced_commit":"bec3a1784c2d5f2ce9c726a1bdacb27d55b911fe"},"previous_names":[],"tags_count":49,"template":false,"template_full_name":null,"purl":"pkg:github/nextcloud/passman","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fpassman","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fpassman/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fpassman/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fpassman/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nextcloud","download_url":"https://codeload.github.com/nextcloud/passman/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nextcloud%2Fpassman/sbom","scorecard":{"id":614786,"data":{"date":"2025-08-11","repo":{"name":"github.com/nextcloud/passman","commit":"95f833b917208a828effd06e4a3cc64399c939ad"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.5,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU Affero General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/nextcloud/.github/SECURITY.md:1","Info: Found linked content: github.com/nextcloud/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/nextcloud/.github/SECURITY.md:1","Info: Found text in security policy: github.com/nextcloud/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: containerImage not pinned by hash: Dockerfile:3: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214","Warn: npmCommand not pinned by hash: Dockerfile:38-43","Warn: npmCommand not pinned by hash: Dockerfile:38-43","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-21T03:36:40.441Z","repository_id":10951358,"created_at":"2025-08-21T03:36:40.441Z","updated_at":"2025-08-21T03:36:40.441Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35140189,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-04T02:00:05.987Z","response_time":113,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","nextcloud","passman","password-manager"],"created_at":"2024-07-31T15:00:38.007Z","updated_at":"2026-07-05T01:00:54.619Z","avatar_url":"https://github.com/nextcloud.png","language":"JavaScript","funding_links":["https://ko-fi.com/passman"],"categories":["Apps","JavaScript","hacktoberfest","Password Manager"],"sub_categories":["Official","Uptime Monitoring"],"readme":"# Passman\nPassman is a full featured, open source password manager for Nextcloud.\n\n[![PHPUnit SQLite](https://github.com/nextcloud/passman/actions/workflows/phpunit-sqlite.yml/badge.svg)](https://github.com/nextcloud/passman/actions/workflows/phpunit-sqlite.yml)\n\n## Join us!\nVisit the [“Passman General Talk” Telegram Group](https://t.me/passman_general) to participate in all sorts of topical discussions about Passman and its apps!\n\n## Contents\n  * [Features](#features)\n  * [External apps](#external-apps)\n  * [Screenshots](#screenshots)\n  * [Database Compatibility](#database-compatibility)\n  * [Security](#security)\n    * [Password generation](#password-generation)\n    * [Storing credentials](#storing-credentials)\n  * [API](#api)\n  * [Docker](#docker)\n  * [Development](#development)\n  * [Support Passman](#support-passman)\n  * [Contributing](#contributing)\n\n## Features\n* Multiple vaults\n* Vault keys are never sent to the server\n* 256-bit AES-encrypted credentials (see [security](#security))\n* User-defined custom credentials fields\n* Built-in OTP (One Time Password) generator\n* Password analyzer\n* Securely share passwords internally and via link\n* Import from various password managers:\n\t- KeePass\n\t- LastPass\n\t- DashLane\n\t- ZOHO\n\t- Clipperz.is\n\t- EnPass\n\t- [ocPasswords](https://github.com/fcturner/passwords)\n\nTry a Passman demo [here](https://demo.passman.cc).\n\n## External apps\n### Android app\nOur native [Passman Android](https://github.com/nextcloud/passman-android) app is available for download from the [Google Play Store](https://play.google.com/store/apps/details?id=es.wolfi.app.passman.alpha), [IzzyOnDroid](https://apt.izzysoft.de/fdroid/index/apk/es.wolfi.app.passman) and [F-Droid](https://f-droid.org/app/es.wolfi.app.passman).\n\n### Browser extension\n[The legacy Firefox / Chrome extension](https://github.com/nextcloud/passman-webextension) is the \"old-stable\", but **not maintained** and no longer available in the Chrome Web Store since it's MV2 based.\n\nA [follow-up extension](https://github.com/nextcloud/passman-webextension-mv3) is in active development and **currently considered unstable**. It's available but in open beta / development phase.\n\n## Screenshots\n![Logged in to vault](http://i.imgur.com/ciShQZg.png)\n\n![Credential selected](http://i.imgur.com/3tENldT.png)\n\n![Edit credential](http://i.imgur.com/Iwm3hUe.png)\n\n![Password tool](http://i.imgur.com/ZYkN70r.png)\n\nMore screenshots are available on the [Nextcloud App Store](https://apps.nextcloud.com/apps/passman) and [imgur](http://imgur.com/a/giKVt).\n\n## Database Compatibility\n\n|                 | Supported |\n|:----------------|:---------:|\n| SQLite          |     •     |\n| MySQL / MariaDB |     •     |\n| PostgreSQL      |     •     |\n\nCI runs PHPUnit against SQLite on GitHub Actions.\n\n## Security\n\n### Password generation\nPassman can generate passwords *and* measure their strength using [zxcvbn](https://github.com/dropbox/zxcvbn).\n\n![](https://i.imgur.com/2qVBUfM.png)\n\nGenerate passwords as you like.\n\n![](https://i.imgur.com/jcRicOV.png)\n\nPasswords are generated using `sjcl` randomization.\n\n### Storing credentials\nAll passwords are encrypted client side with [sjcl](https://github.com/bitwiseshiftleft/sjcl) using 256-bit AES.\nYou supply a vault key which sjcl uses to encrypt your credentials. Your encrypted credentials are then sent to the server and encrypted yet again using the following routine:\n  * A key is generated using `passwordsalt` and `secret` from config.php *(so back those up)*.\n  * The key is [stretched](http://en.wikipedia.org/wiki/Key_stretching) using [Password-Based Key Derivation Function 2](http://en.wikipedia.org/wiki/PBKDF2) (PBKDF2).\n  * [Encrypt-then-MAC](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption) (EtM) is used to ensure encrypted data authenticity.\n  * Uses openssl with the `aes-256-cbc` cipher.\n  * [Initialization vector](http://en.wikipedia.org/wiki/Initialization_vector) (IV) is hidden.\n  * [Double Hash-based Message Authentication Code](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code) (HMAC) is applied for source data verification.\n\n### Sharing credentials\nPassman allows users to share passwords. *(Administrators may disable this feature.)*\n\n## API\nPassman offers a [developer API](https://github.com/nextcloud/passman/wiki/API).\nUnfortunately it is very outdated and not maintained. You're welcome to update it.\n\n## Docker\nPassman Docker images are currently maintained in [passman-dev-docker-build](https://github.com/binsky08/passman-dev-docker-build).\n\n| Image | Docker Hub | Use for |\n| :--- | :--- | :--- |\n| **Development** | [binsky/passman-dev](https://hub.docker.com/r/binsky/passman-dev) | Local hacking: bind-mount your checkout, run grunt, try different Nextcloud/PHP stacks |\n| **Demo** | [binsky/passman-demo](https://hub.docker.com/r/binsky/passman-demo) | Pre-baked instances (e.g. [demo.passman.cc](https://demo.passman.cc)) without dev tooling |\n\nDefault login for all images: `admin` / `admin`.\n\nQuick start (development):\n```\ndocker run -d -p 8080:80 -p 8443:443 \\\n  -v /path/to/passman:/var/www/html/apps/passman \\\n  --name passman-dev \\\n  binsky/passman-dev:latest\n```\n\nSee the [repository README](https://github.com/binsky08/passman-dev-docker-build#quick-start-development) for TLS setup, available tags, and SSH/sshfs mounting.\n\nFor production deployments, use the official [Nextcloud Docker](https://hub.docker.com/_/nextcloud/) image and install Passman as an app.\n\n## Development\nStart from a [passman-dev](https://github.com/binsky08/passman-dev-docker-build) container, then work inside `/var/www/html/apps/passman`:\n\n  * Passman uses a single `.js` file for templates which minimizes XHR template requests.\n  * Our CSS is written in SASS.\n  * `templates.js` and the CSS are built with `grunt` / `grunt build`.\n  * Watch for changes using `grunt watch`.\n  * To run PHP unit tests in the running dev container, ...\n    * run on your host: `make test` (full suite) or `make testNoDb` (without DB group). Generate a Clover coverage report with `make test-coverage` (requires pcov or xdebug in the container). Customize the container name with `DOCKER_CONTAINER=passman-dev-nc34-85-testing make test`.\n    * or run in the container: `cd /var/www/html/apps/passman \u0026\u0026 composer run test`\n    * after switching branches or on cache-issues, run `cd /var/www/html/apps/passman \u0026\u0026 composer run test:clear-cache`\n\n## Support Passman\nPassman is open source and lives from contributions like [pull request](https://github.com/nextcloud/passman/pulls),\nbut we’ll also gladly accept a Club Mate *or pizza!*\n\nPlease consider donating:\n* [Ko-Fi](https://ko-fi.com/passman)\n* ~~Patreon~~ (may come back soon)\n\n## Contributing\nPull requests and [issues](https://github.com/nextcloud/passman/issues) are welcome. Fork the repo, make your changes, and open a [pull request](https://github.com/nextcloud/passman/pulls). Add your name to the contributors list below when you do.\n\n**Maintainers:**\n- [Brantje](https://github.com/brantje)\n- [Animalillo](https://github.com/animalillo)\n- [binsky](https://github.com/binsky08)\n\n**Contributors:**\n- Newhinton\n- [HolgerHees](https://github.com/HolgerHees)\n\n## FAQ\n**Are you adding something to check if malicious code is executing on the browser?**\nNo, because malicious code can edit functions that check for malicious code.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextcloud%2Fpassman","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnextcloud%2Fpassman","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextcloud%2Fpassman/lists"}