Tuesday, April 14, 2015

Hackweek 12: improving GNOME password management, day 1

This week is Hackweek 12 at SUSE

My hackweek project is improving GNOME password management, by investigating password manager integration in GNOME.

Currently, I'm using LastPass which is a cloud-based password management system.

It has a lot of very nice features, such as:

  • 2 factor authentication
  • Firefox and Chrome integration
  • Linux support
  • JS web client with no install required, when logging from a unknown system (I never needed it myself)
  • Android integration (including automatic password selection for applications)
  • cli open-source client (lastpass-cli), allowing to extract account specific information
  • encrypted data (nothing is stored unencrypted server side)
  • strong-password generator
  • support encrypted notes (not only password)
  • server based (clients sync) with offline operations supported
     
However, it also has several drawbacks:
  • closed-source
  • subscription based (required for Android support)
  • can't be hosted on my own server
  • doesn't integrate at all with GNOME desktop
I don't want to reinvent the wheel (unless it is really needed), which is why I spend my first day at searching the various password managers available on Linux and compare their features (and test them a bit).

So far, I found the following programs:
  • KeePass (GPL):
    • version 1.x written in Java, still supported, not actively developed
    • version 2.x written in C# (Windows oriented), works with Mono under Linux
    • UI feels really Windows-like
    • DB format change between v1 and v2
    • supports encrypted notes
    • password generator
    • supports plugins ( a lot are available)
    • support OTP (keeotp plugin, provide 2factor auth through TOTP, HTOP built-in)
    • shared db editing
    • support yubikey (static or hotp)
    • 2 Firefox extension available(keefox, passifox)
    • 3 android applications available (one application KeePass2Android supports alternative keyboard, KeepShare supports alternative keyboard + a11y framework to fill android application forms, like LastPass)
    • Chrome extension available
    • JS application available
    • CLI available
    • big ecosystem of plugins and other applications able to process file format

  • KeePassX (GPL)
    • Qt4 "port" of KeePass (feels more a Linux application than KeePass)
    • alpha version for DB v2 support
    • missing support for OTP
    • missing support for keypasshttp (required by firefox extensions to discuss with main application), support is being done in a separate branch by a contributor, not merged
    • release are very scarse (latest release is April 2014, despite commits on git, very few people are contributing, according to git)
    • libsecret dbus support is being started by a contributor

  • Mitro:
    • company developped it was bought by Twitter last year, project released under GPL, no development since January.

  • Password Safe (Artistic license):
    • initially written by Bruce Schneier 
    • beta version available on Linux
    • written in wxWidgets 3.0 / C++
    • yubikey supported
    • android application available, no keyboard nor a11y framework usage, only use copy/paste (but allows sync of db with owncloud and other cloud platforms)
    • CLI available
    • 3 different DB formats (pre-2.0, 2.0, 3.0)
    • password history
    • no firefox extension and the "auto-type" built-in function is all but intuitive
    • support merge of various db

  • Encrypt:
    • same 0 knowledge framework as SpiderOak
    • node-js based

  • Pass:
    • simple script on top of text files / gnupg and optionnally git (used for history and can also be used to manage hosting the file)
    • not easy learning curve (CLI mostly), need gnupg to be setup before usage
    • one file per password entry, should make 
    • very basic Qt GUI available
    • basic FF extension available
    • basic android application available
Unfortunately, none of those applications properly integrates (yet) in GNOME (master password prompt, locking keyring when desktop is locked, etc..).

I've also looked at gnome-keyring integration with the various browsers:
  • Several extensions already exist, one is fully written in Javascript and is working nicely (port to libsecret is being investigated)
  • Chrome has already gnome-keyring and libsecret integration
  • Epiphany already works nicely with gnome-keyring
  • No password generator is available in Firefox / Chrome / Epiphany (nor GTK+ on a more generic basis)
Unfortunately, each browser is storing metadata in gnome-keyring for password entries in a slightly different format (fields name), causing password entries duplication and not allowing sharing keyring data across browsers.

Conclusions for this first day of hackweek:
  • Keepass file format seems to be the format of choice for password manager (a lot of applications written around it)
  • Password manager which would fit my requirement is KeePass but is written in Mono (I don't want Mono stack to come back on my desktops) and too Windows oriented, so not an option.
  • KeePassX seems to be the way to go (even if it is Qt based) but it lacks a lot of features and I'm not sure if it worth spending effort in adding those missing features there.
  • Pass is extremely simple (which would make hacking around it pretty straightforward) but requires a lot of work around it (android, GUI) to make it nicely integrated in GNOME.
I haven't yet made up my mind which solution is the best, but I'll probably spend the following days hacking around KeePassX (or a new program to wrap KP db into libsecret) and Firefox gnome-keyring integration.

Comments welcome, of course.