Padlock (Password Manager) #178

Closed
opened 2017-02-11 19:10:37 +00:00 by xlbrto · 5 comments
xlbrto commented 2017-02-11 19:10:37 +00:00 (Migrated from github.com)

I wanted to suggest an open source password manager, [Padlock](https://padlock.io/); it looks very promising. [Source Code](https://github.com/MaKleSoft/padlock)

They offer a cloud based subscription to sync across devices for $3.99 a month with a 30 day free trial of the cloud service. All information is encrypted before being uploaded to the server. [Cloud Source Code](https://github.com/MaKleSoft/padlock-cloud)

However, I believe they also offer local only (for free) for smartphones. iOS, Android, Windows and Mac platforms are supported, with Linux on the way.

They recently had a security audit; here are the [results](https://cure53.de/pentest-report_padlock.pdf) and the [notes](https://padlock.io/pentest-1604-notes/) about it by Padlock.

I am researching more about the service, but I wanted you guys to check it out and know what you think of it. I don't know if Spideroak is going to keep developing Encryptr. The last update for Android was December 7, 2015, so that's why I am suggesting a new password manager.
Hillside502 commented 2017-02-12 15:00:08 +00:00 (Migrated from github.com)

Useful review by the proliferate JohnFastman at: [Padlock Reviews - AlternativeTo.net](https://alternativeto.net/software/padlock/reviews/)
ghost commented 2017-02-16 17:43:16 +00:00 (Migrated from github.com)

So this is just my quick opinion after skimming the security audit and not representative of what I think about it (because I haven't used it). From the security audit, it seems like basic mistakes were made that shouldn't have been. Whoever designed it seems to have wanted it to be a password manager first and foremost, without attention to security (when it should be the first thought); maybe a side project that turned into something serious?

If you actually look at the pen testing notes, here are some of the things that are listed:

  • User info stored in clear-text
  • Password is not obfuscated on the UI by default (so quick screenshots or glances)
  • Unprotected files at rest (not encrypted when saved) - they were able to find the authorization key in one of the unprotected DB files; one can use this key to impersonate a user
  • And a bunch more that you can read at your own leisure ...

And quoting the paper itself, "Padlock.io maintainers’ attitude to positioning security at the center of the future development process will be crucial." So it's great that this security audit is out, because it shows us that just because it's open source, no one was actually checking the code until now.

Anyways, it'll be interesting to see where this project goes and if it will get more attention from its developers to be more secure. Right now, I'd tread with caution until the fixes are released, and with a little bit of skepticism due to some of the basic mistakes (like seriously, why aren't the authorization keys and some other metadata at least hashed or concealed; I have some tools that can execute this attack at home too, and I'm not a dedicated pen tester).

ghost commented 2017-02-16 18:58:12 +00:00 (Migrated from github.com)

Good point. It's important to seek how trivial mistakes were discovered in an audit. Things shouldn't be trusted just because they *were* audited.
leobel96 commented 2018-11-23 07:21:44 +00:00 (Migrated from github.com)

Padlock got better in two years. Please reconsider it.
privacytoolsIO commented 2019-04-02 03:27:53 +00:00 (Migrated from github.com)

I think it's too expensive. We recommend Bitwarden already, that offers all of it for free: https://www.privacytools.io/software/passwords/#pw
Reference: privacyguides/privacytools.io#178