I haven't looked at the crypto yet, but some tips as someone who's designed a few password managers[1][2]:

* Don't allow the user to supply their password via argv. The names and argument vectors of running processes aren't considered privileged information, and the password can be inadvertently leaked or cached by e.g. a process auditing system. Instead, have the user provide their password via standard input.

* Consider a different interface for the master password. An environment variable isn't the worst, but has some of the same leakage problems that argv does. "Best practice" here is to either use the system keychain or an agent-style helper program.

[1]: https://github.com/kbsecret/kbsecret

[2]: https://github.com/woodruffw/kbs2
What's the difference between this and https://www.passwordstore.org/ ?
Making a project is a great way to learn stuff, so congrats!

I had a look at your crypto code, and the usual advice would be not to roll your own crypto. Of course, since we are here to learn, that does not apply, so instead here are a few pointers on things you might want to learn about:

- authenticated encryption

- key derivation functions

- secure hash algorithms

I found this pretty good and pretty accessible: https://www.crypto101.io/

Good learning!
This seems dangerous to use? Just a few issues looking at the code:

- No master password is required; if you don't set one, a default value of "hide" is used.

- The description says it uses AES256 (it is the default), but the code lets you specify your own algorithm, and supports ECB mode and even Triple DES.

- When an algorithm requires a (for instance) 32-byte key and your master password is larger than 32 bytes, it will just take the first 32 bytes and ignore the rest. If your master password is less than 32 bytes, it will just keep concatenating your password with itself until it gets 32 bytes: https://github.com/whatl3y/hide/blob/master/src/libs/Encryption.ts#L131-L135
1. Why are all the output lines in the examples in the "Usage" section prefixed with '# '? The output lines in the examples later for individual commands are not prefixed that way.

2. It might be useful to have an option for show to just show the password. Perhaps -P (upper case P). E.g.,

    $ hide show -n facebook.com -P
    my_password1

I'd expect that most of the time people use -p to retrieve the password they are going to copy/paste it into a browser. With a password-only option they could pipe to something that puts it on the clipboard. A Mac user, for example, could use

    $ hide show -n facebook.com -P | pbcopy

It would also be useful with command line tools that take a password on the command line:

    $ some_tool --password=$(hide show -n some_tool -P)

or with commands that read the password from a file

    $ other_command --pwfile <(hide other_command -n some_tool -P)
Couldn't find a PBKDF; the closest thing code-wise I could find is this: https://github.com/whatl3y/hide/blob/1c3aaca634f504c3c274bac6a184b8783cd72df8/src/libs/Encryption.ts#L131

Edit: looks like you had bcrypt then decided to remove it?

https://github.com/whatl3y/hide/commit/0a8262d50929366bdd9ae4de280cdb90cc8cd6a8

You don't need to compare, just feed the resulting hash to AES and see if the output is any good.
If someone pwns your m/c they can "search" and get all passwords, right? What am I missing? Maybe you should prompt for the master key instead of exporting? Or are you depending on the fact that the export goes away with the term session?
Nice! I've been using https://pwsafe.org/ + Dropbox for quite a while. Is it similar, what are the new features?
I've got to say, the title looked interesting. But when I see that .vscode has been checked in, I lose a bit of confidence that this is going to be 100% secure.
Nah, if we talk about tiny, take the 'standard unix password manager':

https://www.passwordstore.org/

Otherwise https://keepassxc.org/
I have been using KeePass for years. I have a flash drive with a key file and the KeePass software that gets synced to my personal drive every time I plug it in.

I plug it in, enter my master password and right click to copy the password to paste it on websites.