The aim is to create a password manager that is lightweight, user-friendly and open source, so that even under a zero-trust assumption users are comfortable storing their passwords in this application.
- Lightweight: stores everything in a single SQLite database file.
- No internet connection required; the entire application runs on your machine, offline.
- Even if an attacker probes your machine, all they will see is encrypted sensitive information, which cannot be decrypted without your master password.
- Your master password is stored as a Scrypt hash, so nobody except you knows the password.
- The encryption key is derived from a combination of your master password and an app secret stored in the .env file of the repository. (You will need this .env file to host your own instance of the app; for security reasons it is omitted from the repository. Please see details below.)
- To use the app encryption secret for encryption and decryption, the user must authenticate with their master password and a time-based OTP from any MFA authenticator app (Google Authenticator, Microsoft Authenticator, etc.).
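The unlock flow described above, as an added example that is not the project's own code: the master password is checked against its scrypt hash, the TOTP is checked against the authenticator secret, and only then is the encryption key derived from master password plus app secret. It uses only the Python standard library (hashlib.scrypt and a hand-rolled RFC 6238 TOTP instead of pyotp); the scrypt cost parameters, the demo APP_ENCRYPT_SECRET value and the Fernet-shaped key output are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed demo value standing in for APP_ENCRYPT_SECRET from .env (assumption).
APP_ENCRYPT_SECRET = b"demo-app-encrypt-secret"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # assumed cost parameters, not the project's


def hash_master_password(password, salt=None):
    """Persist only salt + scrypt hash; the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


def verify_master_password(password, salt, stored):
    _, digest = hash_master_password(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time comparison


def derive_encryption_key(password, app_secret, salt):
    """Key = scrypt(master password || app secret): a copy of the database alone, or of
    .env alone, is not enough. Output is urlsafe-base64 of 32 bytes (Fernet key shape, assumption)."""
    raw = hashlib.scrypt(password.encode("utf-8") + app_secret, salt=salt, dklen=32, **SCRYPT_PARAMS)
    return base64.urlsafe_b64encode(raw)


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", for_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def verify_totp(secret_b32, code, now=None, window=1):
    """Accept the current 30 s step plus +/- window steps to absorb clock drift."""
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(totp(secret_b32, now + i * 30).encode(), code.encode())
               for i in range(-window, window + 1))


def unlock(password, code, salt, stored, totp_secret, now=None):
    """Release the encryption key only when BOTH factors verify; otherwise None."""
    if not (verify_master_password(password, salt, stored) and verify_totp(totp_secret, code, now)):
        return None
    return derive_encryption_key(password, APP_ENCRYPT_SECRET, salt)
```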
- Python 3.x
- flask
- flask-wtf
- cryptography
- uuid
- base64
- python-dotenv
- pyotp
To run the application, simply use:

```
python3 app.py
```
The .env file should contain at least the following lines:

```
APP_DBPATH = "./app.sqlite"
APP_BYTES_ENCODING = "utf-8"
APP_SECRET = "your-app-secret-used-for-csrf-token-protection-on-form-resubmission"
APP_ENCRYPT_SECRET = "your-app-secret-key-used-for-encrypting-sensitive-password-information"
```
You are welcome to inspect the source code for bugs and potential security vulnerabilities. Please report them as GitHub issues.