Yith Library: an open source web password manager

The landing page, albeit nicely designed, could be slapped onto virtually any online password manager with minimal modifications. While it does a relatively good job explaining what the product does and why it's important, it doesn't do a particularly good job explaining how Yith is different from all the other password managers that are out there. After all, password management with client-side decryption and cross-device sync isn't exactly news these days.<p>So, what's special about Yith? What problems does it solve that other password managers such as KeePass, LastPass, etc. don't solve? Here's what I can tell from the landing page:<p>1. Yith is open-source, whereas some of the alternatives are closed-source.<p>2. Yith doesn't keep the master password in memory any longer than the time it takes to decrypt a single stored password. Most of the alternatives such as LastPass remember the master password (or the private key that it decrypts) for the duration of your browsing session (or for as long as the standalone app is running) unless you explicitly log out. So Yith might be more secure, but it also has the potential to be rather inconvenient.<p>What else? Is this a web app that you open in another tab while trying to log into a site? Or does Yith come with plug-ins for popular browsers? The "clients" page only lists a web app.

I once started developing such a tool, but abandoned it when I understood the web browser is not a safe environment.<p>You can't trust the javascript you execute: <a href="http://www.matasano.com/articles/javascript-cryptography/" rel="nofollow">http://www.matasano.com/articles/javascript-cryptography/</a><p>For another example, imagine a security breach on the server, some malicious javascript code injected server side, and your passwords get leaked, without you noticing.<p>If you think that you don't have to use SSL because you encrypt client side, think again. Without SSL a simple proxy can inject javascript in the page and get all your passwords.<p>The best solution I think, which I haven't had the time to implement yet, is a native app, retrieving only encrypted and signed data from the server.

Indispensables: zero knowledge <a href="http://www.clipperz.com/security_privacy" rel="nofollow">http://www.clipperz.com/security_privacy</a> , offline copy <a href="http://www.clipperz.com/support/user_guide/offline_copy" rel="nofollow">http://www.clipperz.com/support/user_guide/offline_copy</a> , one time passphrases <a href="http://www.clipperz.com/support/user_guide/onetime_passphrases" rel="nofollow">http://www.clipperz.com/support/user_guide/onetime_passphras...</a>

Cliperz (<a href="https://github.com/clipperz/password-manager" rel="nofollow">https://github.com/clipperz/password-manager</a>) is another alternative for an open source online password manager. A key feature is that it encrypts all information locally via javascript so the master key is never send over the wire.

For people who went to check: it's AGPLv3. So yeah, you can modify it, provided you do some other stuff as well.

Fantastic to see a project like this underway, I'm a happy lastpass user but an open source version is a great long term project.

As long as people shall keep thinking that the very concept of a master password you enter on your computer ain't totally broken from a security point of view I won't be surprised by all the security exploits out there.<p>It's the very mindset of people working in this field which is totally broken.<p>If someone installs a keylogger on your computer (eg thanks to, say, a 0-day Java applet vulnerability) and gets your master password, it's much much worse than if the same keylogger gets installed and manages to steal only some of your passwords.<p>For example I connect about once a year to MoneyBookers (where I have money). I connect rarely to the "admin" account of our Google Apps for Business/Domain (because things are correctly set up and just working nicely for our use cases). etc.<p>I a keylogger is installed on my system, there's a chance an anti-virus or even the user is going to notify, at one point, that something spooky is going on. And between the time the keylogger (say by re-installing the OS) got installed and its removal, I may very well never have connected to MoneyBookers, Google Apps for Bussiness's admin account and all the other sites which I very rarely connect to.<p>So although the security breach is terrible it is not anywhere near as bad as if my master password was sniffed by a keylogger and the attacker had access to <i>all</i> my passwords.<p>Note that a 0-day exploit and a keylogger aren't science-fiction: these are the kind of exploits happening on a daily basis and affecting a <i>lot</i> of people.<p>How can anyone possibly that a master password can ever be secure?<p>It cannot. It is the anti-thesis of security.<p>It is trading security for conveniency.<p>That trend in our industry and the fact that devs don't see what's deeply wrong with that scheme is frightening.<p>I have nightmares about what's coming in the future because, obviously, we're living in a world where nobody cares about security anymore.<p>Btw I'm the kind of person who boots a live Linux CD to connect to my online bank account and who did set 2 form factor auth wherever possible. So I'm unlikely to take fanboism and blind faith to the "master password" cult seriously.<p>Explain me how a master password isn't trading security for conveniency and I might listen.