# Nihal's Password Manager

## Rationale

I normally use `pash` as my password manager, which uses gpg2 to do all of the
cryptography. In my setup (and likely the setups of most people who use pash or
pass), the private key is on the same drive that holds the encrypted passwords.
So if an attacker gets access to the encrypted passwords, they likely also have
access to the encrypted private key for encrypting those passwords. The private
key is probably encrypted using only a master password, so if an attacker gains
access to this master password, all encrypted passwords are compromised.

If an attacker gains access to the passwords without also gaining access to the
encrypted private key, public key encryption is advantageous only if the master
password is sufficiently weak.

So given that the password database is practically only as secure as the master
password, gpg2 provides little value for this use case.

To replace it, I wrote a program that only performs the cryptographic functions
necessary for this use case: encrypting and decrypting using a master password.
It uses Monocypher 3.1.2 for cryptography, which uses XChaCha20 for encryption,
and Argon2 for key derivation.

## Programs

### npm-core

`npm-core` produces files containing encrypted passwords, and decrypts them. It
provides the core encryption functionality of `npm` as the name implies.

### npm-agent

`npm-agent` implements password caching over a simple socket protocol. It reads
a path to a file produced by `npm-core`, containing an encrypted password. Then
using the master password (requesting it if necessary), it decrypts the content
of the file and writes it back over the socket.

### npmc

`npmc` is just an interface for `npm-agent` usable in a shell. It takes a file path
to an `npm-core` password file, talks to `npm-agent`, and prints the password it
returns to stdout.

### npm

The password manager is just a modified version of `pash` where gpg is replaced
by `npm-core` and `npmc`.
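
The master-password scheme from the Rationale, as an added Python example that is not `npm-core`'s code or file format: a memory-hard KDF turns the master password into keys, and XChaCha20 encrypts the entry under a random nonce. Assumptions: scrypt stands in for Argon2 because Python's standard library has none, the HMAC-SHA256 tag and the salt/nonce/ciphertext/tag layout are constructed here, and all function names are hypothetical.

```python
import hashlib, hmac, os, struct

MASK = 0xffffffff
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # ChaCha constants

def _rounds(s):
    """Run the 20 ChaCha rounds (10 double rounds) on a 16-word state."""
    def qr(a, b, c, d):
        for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
            s[x] = (s[x] + s[y]) & MASK
            v = s[z] ^ s[x]
            s[z] = ((v << r) | (v >> (32 - r))) & MASK
    for _ in range(10):
        qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15)
        qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14)
    return s

def xchacha20_xor(key, nonce, data):
    """XChaCha20: HChaCha20 subkey from nonce[:16], then ChaCha20 keystream."""
    s = _rounds(list(SIGMA + struct.unpack("<8I", key) + struct.unpack("<4I", nonce[:16])))
    sub, tail, out = tuple(s[:4] + s[12:]), struct.unpack("<2I", nonce[16:]), bytearray()
    for ctr in range((len(data) + 63) // 64):
        init = list(SIGMA + sub + (ctr, 0) + tail)
        work = _rounds(init[:])
        block = struct.pack("<16I", *((a + b) & MASK for a, b in zip(work, init)))
        out += bytes(x ^ y for x, y in zip(data[64 * ctr:64 * ctr + 64], block))
    return bytes(out)

def _keys(master, salt):
    # scrypt stands in for Argon2 (assumption: Python's stdlib has no Argon2)
    k = hashlib.scrypt(master, salt=salt, n=2**14, r=8, p=1, dklen=64)
    return k[:32], k[32:]  # encryption key, MAC key

def seal(master, secret):
    """Constructed layout: salt(16) | nonce(24) | ciphertext | HMAC tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(24)
    enc_key, mac_key = _keys(master, salt)
    body = salt + nonce + xchacha20_xor(enc_key, nonce, secret)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(master, blob):
    if len(blob) < 72:
        raise ValueError("truncated file")
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = _keys(master, body[:16])
    # A wrong password yields a different MAC key, so it fails here too.
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or modified file")
    return xchacha20_xor(enc_key, body[16:40], body[40:])
```

Nothing but the master password protects a file in this layout, so the KDF cost parameters and the strength of that password bound its security, which is the point the Rationale makes.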