privacyguides/privacytools.io
Archived
1
0
Fork 0
Code Issues 304 Pull Requests 47 Activity

Padlock (Password Manager) #178

New Issue
Closed
opened 2017-02-11 19:10:37 +00:00 by xlbrto · 5 comments
xlbrto commented 2017-02-11 19:10:37 +00:00 (Migrated from github.com)
Copy Link

I wanted to suggest an open source password manager Padlock looks very promising.
Source Code

They offer a cloud based subscription to sync across devices for $3.99 a month with a 30 day free trial of the cloud service. All information is encrypted before being uploaded to the server.
Cloud Source Code

However I believe they also offer local only (for free) for smartphones. IOS, Android, Windows and Mac platforms are supported with Linux on the way.

They recently had a security audit, here are the results and the notes about it by Padlock.

I am researching more about the service but I wanted you guys to check it out and know what you think of it. I don't know if Spideroak is going to keep developing Encryptr. Last update for Android was December 7, 2015, so that's why I am suggesting a new password manager.

I wanted to suggest an open source password manager [Padlock](https://padlock.io/) looks very promising. [Source Code](https://github.com/MaKleSoft/padlock) They offer a cloud based subscription to sync across devices for $3.99 a month with a 30 day free trial of the cloud service. All information is encrypted before being uploaded to the server. [Cloud Source Code](https://github.com/MaKleSoft/padlock-cloud) However I believe they also offer local only (for free) for smartphones. IOS, Android, Windows and Mac platforms are supported with Linux on the way. They recently had a security audit, here are the [results](https://cure53.de/pentest-report_padlock.pdf) and the [notes](https://padlock.io/pentest-1604-notes/) about it by Padlock. I am researching more about the service but I wanted you guys to check it out and know what you think of it. I don't know if Spideroak is going to keep developing Encryptr. Last update for Android was December 7, 2015, so that's why I am suggesting a new password manager.
Hillside502 commented 2017-02-12 15:00:08 +00:00 (Migrated from github.com)
Copy Link

Useful review by the proliferate JohnFastman at:-
Padlock Reviews - AlternativeTo.net
https://alternativeto.net/software/padlock/reviews/

Useful review by the proliferate JohnFastman at:- Padlock Reviews - AlternativeTo.net https://alternativeto.net/software/padlock/reviews/
ghost commented 2017-02-16 17:43:16 +00:00 (Migrated from github.com)
Copy Link

So this is just my quick opinion after skimming the security audit and not representative of what I think about (because I haven't used it). From the security audit, it seems like basic mistakes were made that shouldn't have. Whoever seems to designed it wanted it to be a password manager first and foremost without attention to security (when it should be the first thought); maybe a side project that turned into something serious?

If you actually look at the pen testing notes, here are some of the things that are listed:

  • User info stored in clear-text
  • Password is not obfuscated on the UI by default (so quick screenshots or glances)
  • Unprotected files at rest (not encrypted when saved) - they were able to find the authorization key in one of the unprotected DB files; one can use this key to impersonate a user
  • And a bunch more that you can read at your own leisure ...

And quoting the paper itself, "Padlock.io maintainers’ attitude to positioning security at the center of the future development process will be crucial." So it's great that this security audit is out, because it shows us that just because it's open source, no one was actually checking the code until now.

Anyways, it'll be interesting to see where this project goes and if it will get more attention from it's developers to be more secure. Right now, I'd tread with caution until the fixes are released and a little bit of skepticism due to some of the basic mistakes (like seriously, why isn't the authorization keys and some other metadata not at least hashed or concealed; I have some tools that can execute this attack at home too and I'm not a dedicated pen tester).

So this is just my quick opinion after skimming the security audit and not representative of what I think about (because I haven't used it). From the security audit, it seems like basic mistakes were made that shouldn't have. Whoever seems to designed it wanted it to be a password manager first and foremost without attention to security (when it should be the first thought); maybe a side project that turned into something serious? If you actually look at the pen testing notes, here are some of the things that are listed: - User info stored in clear-text - Password is not obfuscated on the UI by default (so quick screenshots or glances) - Unprotected files at rest (not encrypted when saved) - they were able to find the authorization key in one of the unprotected DB files; one can use this key to impersonate a user - And a bunch more that you can read at your own leisure ... And quoting the paper itself, "Padlock.io maintainers’ attitude to positioning security at the center of the future development process will be crucial." So it's great that this security audit is out, because it shows us that just because it's open source, no one was actually checking the code until now. Anyways, it'll be interesting to see where this project goes and if it will get more attention from it's developers to be more secure. Right now, I'd tread with caution until the fixes are released and a little bit of skepticism due to some of the basic mistakes (like seriously, why isn't the authorization keys and some other metadata not at least hashed or concealed; I have some tools that can execute this attack at home too and I'm not a dedicated pen tester).
ghost commented 2017-02-16 18:58:12 +00:00 (Migrated from github.com)
Copy Link

Good point. It's important to seek how trivial mistakes were discovered in an audit. Things shouldn't be trusted just because they were audited.

Good point. It's important to seek how trivial mistakes were discovered in an audit. Things shouldn't be trusted just because they *were* audited.
leobel96 commented 2018-11-23 07:21:44 +00:00 (Migrated from github.com)
Copy Link

Padlock got better in two years. Please reconsider it.

Padlock got better in two years. Please reconsider it.
privacytoolsIO commented 2019-04-02 03:27:53 +00:00 (Migrated from github.com)
Copy Link

I think it's too expensive. We recommend Bitwarden already, that offers all of it for free: https://www.privacytools.io/software/passwords/#pw

I think it's too expensive. We recommend Bitwarden already, that offers all of it for free: https://www.privacytools.io/software/passwords/#pw
This repo is archived. You cannot comment on issues.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
🔍🤖 Search Engines
approved
approved, waiting for a PR
dependencies
Pull requests that update a dependency file
duplicate
feedback wanted
high priority
I2P
The Invisible Internet Project (I2P)
iOS
low priority
OS
Operating Systems
Self-contained networks
Social media
stale
A label for stalebot if it gets added
streaming
Anything related to media streaming.
todo
Tor
Anything covering the Tor network
WIP
active work in progress, do not merge or PR (yet)!
wontfix
Issues or bugs that will not be fixed and/or do not have significant impact on the project.
XMPP
Extensible Messaging and Presence Protocol
[m]
Matrix protocol
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
Browser Extension related issues
enhancement
software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
Correction of content on the website
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
Firefox & forks, about:config etc.
💻 hardware
🌐 hosting
🏠 housekeeping
Anything primarily related to site cleanup.
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
Virtual Private Network
🌐 website issue
*Technical* issues with the website.
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
Domain Name System
🗨️ instant messaging (im)
🇦🇶 translations
Anything covering a translated version of the site
No Label
🔐 password managers
🆕 software suggestion
Milestone
No items
No Milestone
Assignees
Clear assignees
jonah
No Assignees
1 Participants
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#178
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?