This week is Hackweek 12 at SUSE.
My Hackweek project is improving GNOME password management, by investigating password manager integration in GNOME.
Currently, I'm using LastPass, which is a cloud-based password management system.
It has a lot of very nice features, such as:
- 2-factor authentication
- Firefox and Chrome integration
- Linux support
- JS web client with no install required, for logging in from an unknown system (I never needed it myself)
- Android integration (including automatic password selection for applications)
- open-source CLI client (lastpass-cli), allowing account-specific information to be extracted
- encrypted data (nothing is stored unencrypted server side)
- strong-password generator
- supports encrypted notes (not only passwords)
- server based (clients sync), with offline operation supported
But it also has drawbacks:
- closed-source
- subscription based (required for Android support)
- can't be hosted on my own server
- doesn't integrate at all with the GNOME desktop
So far, I have found the following programs:
- KeePass (GPL):
- version 1.x written in C++ (MFC, Windows only), still supported but not actively developed
- version 2.x written in C# (Windows oriented), works with Mono under Linux
- the UI feels really Windows-like
- the DB format changed between v1 and v2
- supports encrypted notes
- password generator
- supports plugins (a lot are available)
- supports OTP (the KeeOtp plugin provides 2-factor auth through TOTP; HOTP is built in)
- shared DB editing
- supports YubiKey (static password or HOTP mode)
- 2 Firefox extensions available (KeeFox, PassIFox)
- 3 Android applications available (KeePass2Android supports an alternative keyboard; KeepShare supports an alternative keyboard + the a11y framework to fill Android application forms, like LastPass)
- Chrome extension available
- JS application available
- CLI available
- big ecosystem of plugins and other applications able to process the file format
- KeePassX (GPL):
- Qt4 "port" of KeePass (feels more like a Linux application than KeePass does)
- alpha version for DB v2 support
- missing support for OTP
- missing support for KeePassHTTP (required by the Firefox extensions to talk to the main application); support is being done in a separate branch by a contributor, not merged
- releases are very scarce (the latest release is from April 2014; despite commits on git, very few people are contributing, according to the git history)
- libsecret D-Bus support is being started by a contributor
- Mitro:
- the company that developed it was bought by Twitter last year; the project was released under the GPL, but there has been no development since January.
- Password Safe (Artistic license):
- initially written by Bruce Schneier
- beta version available on Linux
- written in wxWidgets 3.0 / C++
- YubiKey supported
- Android application available, using neither an alternative keyboard nor the a11y framework, only copy/paste (but it allows syncing the DB with ownCloud and other cloud platforms)
- CLI available
- 3 different DB formats (pre-2.0, 2.0, 3.0)
- password history
- no Firefox extension, and the built-in "auto-type" function is anything but intuitive
- supports merging of various DBs
- Encryptr:
- same zero-knowledge framework as SpiderOak
- node.js based
- Pass:
- simple script on top of text files / GnuPG and optionally git (used for history, and can also be used to host the files)
- not an easy learning curve (CLI mostly); GnuPG needs to be set up before use
- one file per password entry, should make
- very basic Qt GUI available
- basic Firefox extension available
- basic Android application available
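Since OTP support keeps coming up above (KeeOtp / built-in HOTP in KeePass, missing in KeePassX), here is what a password manager actually has to implement to act as a second factor. This is an added example, not code from the original post nor from KeePass, KeeOtp or any other project listed; it uses only the Python standard library, and the key is the public RFC 4226 / RFC 6238 test key (`12345678901234567890`). The `verify_totp` helper and its `window` parameter are my own additions to show the drift-tolerance check a verifier needs.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, as a password manager would implement them.

Added example (not from the original post or any project it mentions).
Standard library only; the secret is the RFC test key, not a real one.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Public test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226).

    `counter` is the 8-byte big-endian moving factor; client and server each
    keep their own copy of it and must stay roughly in sync.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, algo).digest()
    # Dynamic truncation: the low nibble of the last MAC byte selects a
    # 4-byte window; its top bit is cleared so the result is a positive int.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits, algo)


def verify_totp(key: bytes, candidate: str, at: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6,
                algo=hashlib.sha1) -> bool:
    """Accept the code for the current step or any step within +/- `window`.

    The window tolerates clock drift between the two sides.  The comparison
    is constant-time so a verifier does not leak how many digits matched.
    """
    if at is None:
        at = int(time.time())
    for delta in range(-window, window + 1):
        expected = totp(key, at + delta * step, step, digits, algo)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 Appendix D vectors: counters 0..9 -> 755224, 287082, ...
    for c in range(3):
        print(c, hotp(RFC_TEST_KEY, c))
    # RFC 6238 Appendix B, SHA-1, 8 digits, T=59 -> 94287082
    print(totp(RFC_TEST_KEY, at=59, digits=8))
    print(totp(RFC_TEST_KEY))  # current 6-digit code for the test key
```

The test vectors in the RFC appendices are the quickest way to check any OTP implementation before trusting it with a real seed; a manager that stores the TOTP seed next to the password is, of course, only a second factor against credential leaks elsewhere, not against compromise of the database itself.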
I've also looked at gnome-keyring integration with the various browsers:
- Several extensions already exist; one is fully written in JavaScript and works nicely (a port to libsecret is being investigated)
- Chrome already has gnome-keyring and libsecret integration
- Epiphany already works nicely with gnome-keyring
- No password generator is available in Firefox / Chrome / Epiphany (nor in GTK+ on a more generic basis)
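For reference, the password generator that is missing from the browsers and from GTK+ is not much code once a CSPRNG is available, but the details (uniform sampling, a composition policy that does not skew the distribution, an honest entropy figure) are where home-grown generators go wrong. The following is an added example of my own, not code from the original post or from any of the browsers or libraries mentioned; it uses only the Python standard library, and the `CLASSES` table and the policy helper names are assumptions made for the example.

```python
"""CSPRNG-backed password generator with a composition policy and entropy estimate.

Added example (not from the original post, GTK+, or any browser mentioned).
Standard library only.
"""
import math
import secrets
import string

# Character classes used both for generation and for policy checks.
# Ambiguous glyphs (0/O, 1/l/I) are deliberately kept: removing them shrinks
# the alphabet, and a manager that autofills never has to read them.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
DEFAULT_REQUIRED = ("lower", "upper", "digit", "symbol")


def meets_policy(pw: str, required=DEFAULT_REQUIRED) -> bool:
    """True if `pw` contains at least one character from every required class."""
    return all(any(c in CLASSES[name] for c in pw) for name in required)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, required=DEFAULT_REQUIRED) -> str:
    """Generate a password drawn uniformly from strings that satisfy the policy.

    Rejection sampling is used on purpose: the common alternative (pick one
    character per class, fill the rest, shuffle) is not uniform over the set of
    acceptable passwords.  secrets.choice draws without modulo bias from
    os.urandom, unlike random.choice, which must never be used here.
    """
    if length < len(required):
        raise ValueError("length too short to satisfy the required classes")
    alphabet = "".join(CLASSES[name] for name in required)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, required):
            return pw


def alphabet_size(required=DEFAULT_REQUIRED) -> int:
    return sum(len(CLASSES[name]) for name in required)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), alphabet_size())
    print(f"{pw}  (~{bits:.1f} bits of entropy)")
```

The entropy figure is for the generator, not for any particular output string; the rejection step discards so few candidates at realistic lengths that the loss is negligible (for 20 characters over 94 symbols the acceptance rate is well above 90%), but at the minimum allowed length the loop can run many times, which is a hint that such short passwords should not be offered at all.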
Conclusions for this first day of Hackweek:
- The KeePass file format seems to be the format of choice for password managers (a lot of applications are written around it)
- The password manager which would fit my requirements is KeePass, but it is written in C# for Mono (I don't want the Mono stack to come back on my desktops) and too Windows oriented, so not an option.
- KeePassX seems to be the way to go (even if it is Qt based), but it lacks a lot of features and I'm not sure whether it is worth spending effort adding those missing features there.
- Pass is extremely simple (which would make hacking around it pretty straightforward), but requires a lot of work around it (Android, GUI) to make it nicely integrated in GNOME.
Comments welcome, of course.