Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/baobabkoodaa/baopass
A deterministic password generator with a small attack surface.
Last synced: 11 days ago
- Host: GitHub
- URL: https://github.com/baobabkoodaa/baopass
- Owner: baobabKoodaa
- Created: 2017-01-08T13:06:24.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2020-02-14T22:02:17.000Z (almost 5 years ago)
- Last Synced: 2024-12-24T22:02:58.874Z (15 days ago)
- Language: Java
- Homepage:
- Size: 691 KB
- Stars: 1
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# BaoPass
![Screenshot](screenshot.jpg)
BaoPass is a deterministic password generator with the novel addition of a keyfile.
**Should I use BaoPass to manage my passwords?**
No. It needs further testing. But please take a look and let me know if you find something I can improve upon.
**How does it work?**
- Something you have (a keyfile) + something you know (a master password) = access to all your passwords
- Your encrypted keyfile contains a randomly generated key. You will never see or type it, so you won't expose it accidentally. Your master password is needed to decrypt the keyfile.
- An individual site password is cryptographically generated from [site name] + [key]. Generated passwords allow syncless operation with multiple devices.

**What makes it secure?**
- Tiny attack surface (no networking, no browser integration)
- [Don't roll your own crypto](http://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own) (BaoPass uses trusted implementations of widely accepted cryptographic algorithms. BaoPass does not combine these algorithms in new ways or use them for unintended use cases.)
- 2-factor-auth (exposure of your master password alone will not leak all your passwords)

**Can you ramble on about something vaguely related?**
It turns out that I can. So, I'm basically fixing #4 of [4 fatal flaws in deterministic password managers.](https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers) Good read. Oh, and also, I'm going to implement notes in the future. Then it will be a full-fledged password manager with emphasis on security. And it's going to keep state, but not sync it across devices. Yuck.
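The derivation described under "How does it work?" (a site password generated from [site name] + [key]), as an added example that is not BaoPass's own code. The page does not name the algorithms, so HMAC-SHA256, the output alphabet and length, and the names `site_password` and `new_key` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumed output alphabet and length; the page does not state BaoPass's own.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"
LENGTH = 20


def new_key() -> bytes:
    """Random 256-bit key, the kind of value the encrypted keyfile would hold."""
    return secrets.token_bytes(32)


def site_password(key: bytes, site: str, length: int = LENGTH) -> str:
    """Derive a site password from [site name] + [key] with HMAC-SHA256 (assumed PRF)."""
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits of random data")
    # Normalise the site name so 'GitHub.com ' and 'github.com' give the same password.
    label = site.strip().lower().encode("utf-8")
    if not label:
        raise ValueError("site name must not be empty")
    # Bytes at or above this limit are discarded so every character is equally likely
    # (plain `byte % len(ALPHABET)` would favour the first characters of the alphabet).
    limit = 256 - (256 % len(ALPHABET))
    out, counter = [], 0
    while len(out) < length:
        # A counter prefix yields a fresh 32-byte PRF block whenever more bytes are needed.
        block = hmac.new(key, counter.to_bytes(4, "big") + label, hashlib.sha256).digest()
        for b in block:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    key = new_key()  # constructed sample key, generated at run time
    for name in ("github.com", "example.org"):
        print(name, site_password(key, name))
```

Because the output depends only on the key and the site name, two devices holding the same keyfile produce the same password without syncing, and the master password alone reveals nothing without the random key.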
**Known issues and workarounds**
- The GUI might look tiny on a HiDPI monitor without scaling. You can scale the application on Ubuntu with `GDK_SCALE`, for example by launching the application from the terminal with `GDK_SCALE=2 java -jar baopass.jar`. You need Java version 9 or higher for scaling to work.