Skip to content

simonfuhrmann/firepass

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

185 Commits
src
src
 
 
static
static
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
firebase.json
firebase.json
 
 
package.json
package.json
 
 
tsconfig.json
tsconfig.json
 
 

Repository files navigation

Firepass

Firepass is a password manager. Firepass stores your database in the cloud so you can access it from anywhere, anytime, from any device with a browser. It uses Google Firebase as storage and authentication backend. In contrast to popular online password managers you have to create your own Google Firebase instance and take control of your data. See "Installation" below for details.

Want to play with a demo?

Firepass uses username/password authentication to restrict access to your database. If your login credentials get compromised, your database is susceptible to vandalism (deletion, corruption), but all passwords are safely encrypted using your master password. Unencrypted data never leaves your client, and all cryptographic operations happen locally. See "Cryptographic Notes" below for more information.

Important Notes

  • Firepass currently does not support offline access to your database.
  • Firepass (intentionally) does not support auto-fill forms on websites.
  • Every software has bugs. Make regular backups of your (encrypted) database.

Cryptographic Notes

Firepass encrypts the database with AES-256 in GCM or CBC mode (GCM is the recommended default). The initialization vector (96 bits for GCM, 128 bits for CBC) is randomized every time the database is encrypted, and stored alongside the encrypted database. (Initialization vectors are mixed into the first AES block so that encrypting the same plaintext with the same key does not produce the same ciphertext.)

The symmetric AES key is derived from the master password using PBKDF2-HMAC-SHA-256 with 600k iterations and a 256-bit password salt which is randomized whenever the master password is changed. The salt is also stored alongside the encrypted database. (Password salts are mixed into the hashing and iteration process so that users have different encryption keys even if they chose the same password, and to prevent using pre-computed rainbow tables against the encrypted database.)

All cryptographic operations are implemented locally in the client using the Web Crypto API (SubtleCrypto). Your plaintext password is never stored. It is immediately used to derive the AES master key via PBKDF2, after which only a CryptoKey object is kept in memory, managed by the browser's cryptographic implementation, and never leaves the client.

For storage, the database is encrypted in its entirety into one opaque binary blob rather than as individually encrypted entries. No information about the database contents is revealed in storage or transit. However, the total size of the encrypted database may still correlate with the number of entries it contains.

After an idle period, the local database is automatically locked, and both the AES key and all decrypted data are cleared from the client.

Installation

  • Run npm install from the Firepass root to install all dependencies.
  • Run npm run bundle to create the final app in the static/ directory.
  • Setup a Google Firebase project (see "Firebase Setup" below for details).
  • Enter your Google Firebase config in src/config/firebase.ts.
  • Optional: Run npm run watch to run a local development server.
  • Optional: Host your Firepass instance on Google Firebase (read below).

Firebase Setup

Firepass uses Google Firebase as storage and authentication backend. Firepass supports authentication using the "Email/Password" sign-in method only. Once signed in, Firepass uses the "Cloud Firestore" database backend to host your (encrypted) password database.

Setup your Firebase instance

  • Add a new Firebase project using the Firebase Console.
  • Enable the "Email/Password" sign-in method in the "Authentication" menu.
  • Add "Email/Password" users in the "Authentication" menu.
  • Create a "Cloud Firestore" database in the "Database" menu.
  • Add the below security rules to your database.
  • Add a web-app in the project settings and obtain the Firebase config.

Add Database rules

Add the following database security rules under the "Rules" tab in the "Database" menu, which restricts users to accessing their own data only.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{uid} {
      allow read, write: if request.auth.uid == uid;
    }
  }
}

Enable Firebase hosting

Google Firebase can also host your Firepass instance (optional).

  • Click on "Hosting" in the Google Firebase console.
  • Click "Get Started" and follow the instructions (install the Firebase tools)
  • Login from the command line (firebase login)
  • DO NOT run firebase init, a firebase.json is already provided
  • Create a production build (npm run clean && npm run bundle)
  • Deploy the build (firebase deploy)

Your website is now served from http://PROJECT-ID.web.app. Even though Google Firebase hosts your website, you can access the website from a domain of your choice. To do so, select "Add custom domain" from the "Hosting" menu in the Google Firebase console and follow the instructions.

About

A password manager

Resources

Readme
Activity

Stars

12 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages