Nihal's Password Manager
git clone git://
Log | Files | Refs | README | LICENSE

README (1987B)

      1 # Nihal's Password Manager
      3 ## Rationale
      5 I normally use `pash`, as my password manager, which uses gpg2 to do all of the
      6 cryptography. In my setup (and likely the setups of most people who use pash or
      7 pass), the private key is on the same drive that holds the encrypted passwords.
      8 So if an attacker gets access to the encrypted passwords, they likely also have
      9 access to the encrypted private key for encrypting those passwords. The private
     10 key is probably encrypted using only a master password, so if an attacker gains
     11 access to this master password, all encrypted passwords are compromised.
     13 If an attacker gains access to the passwords without also gaining access to the
     14 encrypted private key, public key encryption is advantageous only if the master
     15 password is sufficiently weak.
     17 So given that the password database is practically only as secure as the master
     18 password, gpg2 provides little value for this use case.
     20 To replace it, I wrote a program that only performs the cryptographic functions
     21 necessary for this use case: encrypting and decrypting using a master password.
     22 It uses Monocypher 3.1.2 for cryptography, which uses XChaCha20 for encryption,
     23 and Argon2 for key derivation.
     25 ## Programs
     27 ### npm-core
     29 `npm-core` produces files containing encrypted passwords, and decrypts them. It
     30 provides the core encryption functionality of `npm` as the name implies.
     32 ### npm-agent
     34 `npm-agent` implements password caching over a simple socket protocol. It reads
     35 a path to a file produced by `npm-core`, containing an encrypted password. Then
     36 using the master password (requesting it if necessary), it decrypts the content
     37 of the file and writes it back over the socket.
     39 ### npmc
     41 npmc is just an interface for npm-agent usable in a shell. It takes a file path
     42 to a `npm-core` password file, talks to `npm-agent`, and prints the password it
     43 returns to stdout.
     45 ### npm
     47 The password manager is just a modified version of `pash` where gpg is replaced
     48 by `npm-core` and `npmc`.