Passman & Nextcloud : a good alternative for your passwords
Introduction
For this first post on my blog, I wanted to talk about the angular stone in information security nowadays: your passwords. Back in the days you only had a few websites where you would connect with a similar if not the same password. These days, I have probably a hundred websites or applications for which I need credentials and it is really insecure to use the same password everywhere. One of the most covered event in the news was the LinkedIn hack in 2014 where millions of email/unsalted hashes became available to the internet. From these hashes it was easy for malicious people to recover the plain-text passwords with dictionary attacks because most people use very simple passwords one can find in a dictionary.
When you sign up on a new application or website, you need to think about it this way:
If this platform is compromised and some people can get access to my password, what is the worst that can happen ?
By thinking this way, you will avoid putting the same password as your email address. Indeed that's probably the first thing a hacker will try if he can find your email and your password on an application's database: check if you use the same password to access your mailbox (gmail, hotmail...). You can also identify a few other critical passwords (web banking, work login...) that must be different from all your other passwords.
Sometimes it's not easy to remember them all, especially if you have a lot of critical passwords protecting your Bitcoin/altcoin wallets for instance. That is where password managers can become handy.
Passwords managers
The idea behind a password manager is very simple: you choose a very long and complex passphrase that is the only thing you need to remember. This passphrase is used to decipher all your other passwords. Then you can just copy-paste them in the field that requires your password. It means that you don't need to remember those passwords and they can be as complex as you want, most of the time the password manager can generate a random one for you.
How to choose the right one ?
There are plenty of products, some of them free, to act as password managers. I will not go through each of them and present their pros and cons but for me, here are the essential ingredients to have a good password manager:
- The cryptography part must be top notch This can be hard to say for non-crypto experts but in general, for symmetric cryptography, I would recommend the use of AES-256 (or above) with integrity checks either through GCM mode or through separate HMAC (Encrypt then MAC).
- Password generator must be integrated Even if it is most the time the case, you might have different customization options depending on the product to tailor the generation rules to your needs.
- Availability on multiple devices This is often an issue with offline password managers: your passwords are stored encrypted within a file in your hard drive. This means that you can't have access to your passwords from another device without copying yourself the file. Even if you do so, you won't have sync between your devices. It means that whenever you update or create a new password on one of your device, you will need to take care of coping your new passwords database manually on your other devices. This can be cumbersome and that's why a cloud solution is usually much better in terms of usability.
- Two-Factor Authentication Cryptographically speaking, it is hard to integrate a second factor within the decryption process. However products can enforce this check before releasing the encrypted database. This is a nice to have, especially for cloud solutions.
My current choice
You have probably been spoiled by the title of this article, but I'm currently evaluating an application available within Nextcloud. For those of you who are not familiar with Nextcloud, it is an open source product which offers similar services as Dropbox, Google Drive or One Drive. The main difference being that you need to install it on a server that you own. It means that you are always in control of your data and you don't need to trust any 3rd party. The philosophy of Nextcloud is the server on which the data are stored is not trusted either and that's why you can choose to encrypt all your data at rest. To make Nextcloud run, you don't need a very powerful server, it could probably run fine on a Raspberry Pi. However if you are concerned about availability, it's probably better to run it on a VPS (virtual private server) that will have a public IP and that you can rent for a couple of euros per month.
I have used Nextcloud (and Owncloud before that) for a while and they are taking security very seriously so it could be a logical place to put a password manager. I have tried multiple applications but one is clearly above the rest Passman. I have reviewed their source code available here and it seems to be done the right way.
How does it work
To access your passwords with this solution, the following steps are needed:
- Access to your Nextcloud instance and login (in my case I have enabled 2FA for my account)
This will unlock the first layer of encryption of your passwords database (server-side encryption). Now your browser will receive a blob of data which is again encrypted but this time the decryption will take place within your browser using JavaScript
- Access the Passman app and select your password vault (you can decide to split passwords in multiple vaults to better organize them)
There you will need to type your master key (long and complex passphrase :) ) This key is not sent to the server and the decryption is done client-side. You can then see your passwords, generate new ones and assess their strength. You can also put tags on them so that you can easily find the ones related to a particular topic. Here is an example of what you will see:
Since your passwords can be retrieved from a webserver, you can get them from any device which has an internet connection. To further secure your setup, I strongly recommend the usage of the Two-Factor authentication module on your Nextcloud instance.
The developers of Passman are also developing a mobile application for Android to have a better usability on mobile. I haven't tested this one as it is still in Beta but could be good addition to this piece of software.
Conclusion
I have presented a nice setup to have a password manager which is both secure and available while keeping the user in charge of the data so you don't rely on any 3rd party service, everything is hosted on your own server. Of course you need to have some technical knowledge to correctly configure and secure your server. If you don't feel like you can do it, there are commercial services that do a good job with passwords managers in the cloud such as 1Password but you have to trust them :)
Let me know if you have experience with password managers and which one you would recommend.