Today I am officially releasing PassMan, my browser-based password manager. It is a free, open-source tool written in JavaScript that lets you securely manage password data locally in your browser, without any interaction with a remote server.
I wrote it because I wanted something more secure than what is currently available. It is described in detail on this page. You can access it from your browser from this link.
Here is a screenshot of PassMan using example data.
Although you can use the tool directly from this website, the source code is freely available under the terms of the MIT license and can be downloaded from http://projects.joelinoff.com/passman/passman-v0.7.tar.bz2. It is about 4MB. The version is 0.7, the checksum is 45452 and the number of blocks is 4138. The checksum was generated using the Linux sum command, so you can verify your download by running sum on the tarball and comparing both numbers (the 16-bit BSD checksum and the count of 1K blocks). Note that sum only detects accidental corruption; it is not a cryptographic hash and will not protect you against a deliberately modified archive.
There is a password generator named PassGen available. You can use it to generate long, pseudo-random passwords.
There is a second password generator named PassGenW available. You can use it to generate long, pseudo-random passphrases composed of English words.
Enjoy!
Updated on 2013-12-01 to reference version 0.7.
Do you think browser-based password managers are more ideal?
The short answer to your question is “no”. I do not think that browser-based password managers are ideal for everyone.
Browsers have security vulnerabilities just like any other software, but browser vendors seem to be very active about addressing security issues, so a browser-based, client-side tool (like PassMan) can take advantage of the latest security updates without ever sending private data to a 3rd-party server, which makes it reasonably secure. There are other alternatives that are more secure and there are other alternatives that are less secure but easier to use. Any of them might be a better individual choice for you.
I chose a browser-based solution because I want my password manager to be as secure as possible without giving up mobile access, which means that I want to be able to access my data from any device: phone, tablet, computer, etc. Since I use a mixture of different devices from Mac to Linux to Windows to Android, that means that a browser-based solution is the best solution for me because I do not have to port it for each different platform.
I chose to manage my own encrypted data because I am concerned about entrusting it to a 3rd party, which means that everything runs in the browser on the client and, further, that the data is encrypted everywhere else. If the browser sandbox is hacked and the memory contents can be accessed then the data is compromised, but that is true of every other solution.
Solutions that communicate with a server to manage the private data are vulnerable on the client (same as my approach), they are vulnerable during the transmission of information and they are vulnerable at the server. That makes the attack surface much larger. When you consider that modern thefts of private data occur because the security infrastructure of many companies is poor then you can see why entrusting your private data to a company can be dangerous. That is not to say that companies that manage private data are not secure. I believe that they are or try to be. It simply means that you should be aware of the risks and make sure that the company has sufficient protections to make you comfortable.
Solutions that involve downloading software to your computer make me very nervous unless they are open source (so that the source code can be inspected) or they come from a highly trusted vendor. That is because any software downloaded to your computer can contain malware which can compromise your private data. Programs running on your computer are subject to the same attacks that client browser programs are subject to (i.e., memory scraping, buffer overflow exploits, key logging, etc.) with the added drawback of potentially being malware. On the other hand, a program or app running on your device can be convenient because it can automatically fill in your username and password for you. Thus the highest level of convenience is associated with the highest risk. I really appreciate the convenience but the risk was too high for me to adopt this.
If you are not concerned about mobile access, manage your passwords on a computer that is not connected to the internet. It may be less convenient but it is safer. If you choose this approach you will still want to make sure that private data is encrypted.
If computers make you nervous, then store your password information on paper. That has the advantage of being safe from hacker attacks but it has the drawback of being vulnerable to physical theft. That can be mitigated somewhat by storing the passwords in a safe place and by using a simple encryption approach (reverse letters, leave something out, etc.) so that they can’t be used directly.