https://github.com/nextcloud/passman
🔐 Open source password manager with Nextcloud integration
https://github.com/nextcloud/passman
hacktoberfest nextcloud passman password-manager
Last synced: 8 days ago
JSON representation
🔐 Open source password manager with Nextcloud integration
- Host: GitHub
- URL: https://github.com/nextcloud/passman
- Owner: nextcloud
- License: agpl-3.0
- Created: 2016-09-07T11:30:00.000Z (almost 10 years ago)
- Default Branch: master
- Last Pushed: 2026-07-02T01:40:57.000Z (11 days ago)
- Last Synced: 2026-07-02T15:02:35.574Z (10 days ago)
- Topics: hacktoberfest, nextcloud, passman, password-manager
- Language: JavaScript
- Homepage: https://passman.cc
- Size: 15 MB
- Stars: 822
- Watchers: 38
- Forks: 114
- Open Issues: 114
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: COPYING
- Authors: AUTHORS.md
Awesome Lists containing this project
- awesome-nextcloud - passman - Password Manager for NC (Apps / Official)
- awesome-starred - nextcloud/passman - 🔐 Open source password manager with Nextcloud integration (hacktoberfest)
- awesome-open-source-systems - Passman - Open source password manager with Nextcloud integration. (Password Manager / Uptime Monitoring)
README
# Passman
Passman is a full featured, open source password manager for Nextcloud.
[](https://github.com/nextcloud/passman/actions/workflows/phpunit-sqlite.yml)
## Join us!
Visit the [“Passman General Talk” Telegram Group](https://t.me/passman_general) to participate in all sorts of topical discussions about Passman and its apps!
## Contents
* [Features](#features)
* [External apps](#external-apps)
* [Screenshots](#screenshots)
* [Database Compatibility](#database-compatibility)
* [Security](#security)
* [Password generation](#password-generation)
* [Storing credentials](#storing-credentials)
* [API](#api)
* [Docker](#docker)
* [Development](#development)
* [Support Passman](#support-passman)
* [Contributing](#contributing)
## Features
* Multiple vaults
* Vault keys are never sent to the server
* 256-bit AES-encrypted credentials (see [security](#security))
* User-defined custom credentials fields
* Built-in OTP (One Time Password) generator
* Password analyzer
* Securely share passwords internally and via link
* Import from various password managers:
- KeePass
- LastPass
- DashLane
- ZOHO
- Clipperz.is
- EnPass
- [ocPasswords](https://github.com/fcturner/passwords)
Try a Passman demo [here](https://demo.passman.cc).
## External apps
### Android app
Our native [Passman Android](https://github.com/nextcloud/passman-android) app is available for download from the [Google Play Store](https://play.google.com/store/apps/details?id=es.wolfi.app.passman.alpha), [IzzyOnDroid](https://apt.izzysoft.de/fdroid/index/apk/es.wolfi.app.passman) and [F-Droid](https://f-droid.org/app/es.wolfi.app.passman).
### Browser extension
[The legacy Firefox / Chrome extension](https://github.com/nextcloud/passman-webextension) is the "old-stable", but **not maintained** and no longer available in the Chrome Web Store since it's MV2 based.
A [follow-up extension](https://github.com/nextcloud/passman-webextension-mv3) is in active development and **currently considered unstable**. It's available but in open beta / development phase.
## Screenshots




More screenshots are available on the [Nextcloud App Store](https://apps.nextcloud.com/apps/passman) and [imgur](http://imgur.com/a/giKVt).
## Database Compatibility
| | Supported |
|:----------------|:---------:|
| SQLite | • |
| MySQL / MariaDB | • |
| PostgreSQL | • |
CI runs PHPUnit against SQLite on GitHub Actions.
## Security
### Password generation
Passman can generate passwords *and* measure their strength using [zxcvbn](https://github.com/dropbox/zxcvbn).

Generate passwords as you like.

Passwords are generated using `sjcl` randomization.
### Storing credentials
All passwords are encrypted client side with [sjcl](https://github.com/bitwiseshiftleft/sjcl) using 256-bit AES.
You supply a vault key which sjcl uses to encrypt your credentials. Your encrypted credentials are then sent to the server and encrypted yet again using the following routine:
* A key is generated using `passwordsalt` and `secret` from config.php *(so back those up)*.
* The key is [stretched](http://en.wikipedia.org/wiki/Key_stretching) using [Password-Based Key Derivation Function 2](http://en.wikipedia.org/wiki/PBKDF2) (PBKDF2).
* [Encrypt-then-MAC](http://en.wikipedia.org/wiki/Authenticated_encryption#Approaches_to_Authenticated_Encryption) (EtM) is used to ensure encrypted data authenticity.
* Uses openssl with the `aes-256-cbc` cipher.
* [Initialization vector](http://en.wikipedia.org/wiki/Initialization_vector) (IV) is hidden.
* [Double Hash-based Message Authentication Code](http://en.wikipedia.org/wiki/Hash-based_message_authentication_code) (HMAC) is applied for source data verification.
### Sharing credentials
Passman allows users to share passwords. *(Administrators may disable this feature.)*
## API
Passman offers a [developer API](https://github.com/nextcloud/passman/wiki/API).
Unfortunately it is very outdated and not maintained. You're welcome to update it.
## Docker
Passman Docker images are currently maintained in [passman-dev-docker-build](https://github.com/binsky08/passman-dev-docker-build).
| Image | Docker Hub | Use for |
| :--- | :--- | :--- |
| **Development** | [binsky/passman-dev](https://hub.docker.com/r/binsky/passman-dev) | Local hacking: bind-mount your checkout, run grunt, try different Nextcloud/PHP stacks |
| **Demo** | [binsky/passman-demo](https://hub.docker.com/r/binsky/passman-demo) | Pre-baked instances (e.g. [demo.passman.cc](https://demo.passman.cc)) without dev tooling |
Default login for all images: `admin` / `admin`.
Quick start (development):
```
docker run -d -p 8080:80 -p 8443:443 \
-v /path/to/passman:/var/www/html/apps/passman \
--name passman-dev \
binsky/passman-dev:latest
```
See the [repository README](https://github.com/binsky08/passman-dev-docker-build#quick-start-development) for TLS setup, available tags, and SSH/sshfs mounting.
For production deployments, use the official [Nextcloud Docker](https://hub.docker.com/_/nextcloud/) image and install Passman as an app.
## Development
Start from a [passman-dev](https://github.com/binsky08/passman-dev-docker-build) container, then work inside `/var/www/html/apps/passman`:
* Passman uses a single `.js` file for templates which minimizes XHR template requests.
* Our CSS is written in SASS.
* `templates.js` and the CSS are built with `grunt` / `grunt build`.
* Watch for changes using `grunt watch`.
* To run PHP unit tests in the running dev container, ...
* run on your host: `make test` (full suite) or `make testNoDb` (without DB group). Generate a Clover coverage report with `make test-coverage` (requires pcov or xdebug in the container). Customize the container name with `DOCKER_CONTAINER=passman-dev-nc34-85-testing make test`.
* or run in the container: `cd /var/www/html/apps/passman && composer run test`
* after switching branches or on cache-issues, run `cd /var/www/html/apps/passman && composer run test:clear-cache`
## Support Passman
Passman is open source and lives from contributions like [pull request](https://github.com/nextcloud/passman/pulls),
but we’ll also gladly accept a Club Mate *or pizza!*
Please consider donating:
* [Ko-Fi](https://ko-fi.com/passman)
* ~~Patreon~~ (may come back soon)
## Contributing
Pull requests and [issues](https://github.com/nextcloud/passman/issues) are welcome. Fork the repo, make your changes, and open a [pull request](https://github.com/nextcloud/passman/pulls). Add your name to the contributors list below when you do.
**Maintainers:**
- [Brantje](https://github.com/brantje)
- [Animalillo](https://github.com/animalillo)
- [binsky](https://github.com/binsky08)
**Contributors:**
- Newhinton
- [HolgerHees](https://github.com/HolgerHees)
## FAQ
**Are you adding something to check if malicious code is executing on the browser?**
No, because malicious code can edit functions that check for malicious code.