
More recently I've moved from Dropbox to GoogleDrive (mainly because I have more free storage there and it's convenient to keep everything in one place, plus I'm almost married to Google due to Android, Chrome, etc.) but PasswordSafe (on both Windows & Android) and PasswordSafeSync still make my life much, much better than it would be without them.
That setup also worked when I started using PasswordSafe on my Android phone, but it got easier on the phone when PasswordSafeSync came along.
Later I started using Dropbox to immediately and automatically update my systems everywhere and stopped using SyncToy with my thumbdrive (though I still use it to sync copies of my backups to external HDDs for offsite storage). I was already using a free program from Microsoft called SyncToy and that made it easy to keep the thumbdrive and my PCs synchronized. I was already in the habit of carrying a USB thumbdrive with me all the time so it was a simple step to start copying the vault from the computer I was on to the thumbdrive before logging out and then to copy it to the other computer when logging on (i.e. If we failed to address any concern, please let us know. Years ago when I first started using PasswordSafe, I found it convenient to keep both work and personal info in the same vault. (2) You might want to check what version of the database these programs support, pre-2.0, 2.0 or 3.0. Notes: (1) I have not tested these personally.
Please note that the code is fully copyrighted and that you are not supposed to reuse it in any form; you are granted a license only to find possible security issues in it. Password Safe - Related Projects: It seems that Password Safe inspired a few folks to write their own variations, mainly to support other platforms.

The source code is not obscured or minified in any form, just unpack the extension and examine it at will. When designing the extensions, we took great care to protect your passwords at all times, but you are welcome to examine the extensions' source code at any time. If you happen to find any problem we missed, please report it back to us, so that we can fix it as soon as possible. Session keys depend on both sides' random number generators, making it harder to exploit a PRNG fault. A new sequence number to prevent against replay attacks, and On every session, new encryption and authentication keys are generated, so as to guarantee perfect forward secrecy (PFS). The user then matches both, defending against man-in-the-middle attacks. After validation, the extension and pwSafe save the other party's public key and verify it on every new connection, closing it if it changed, preventing man-in-the-middle attacks. When you first connect, both sides calculate an identifier which is a hash of both parties' public keys (RSA-2048) and display it to the user. Since the SSL certificate validation logic cannot be overridden by the extension, we use a non-encrypted HTTP connection with our own security (encryption and authentication) layer on top. Everything but the handshake is fully encrypted (AES-CBC-256) and authenticated (HMAC-SHA-256).

To defend against malicious apps on your Mac: Communications between the extensions and pwSafe are run over a standard HTTP Websocket connection to localhost. It can only report which fields are present on the webpage and, when ordered to, fill them with the provided values. The component which runs on the webpage context can't connect to pwSafe directly, so it can't send commands to it asking for more passwords. When listing entries, it only gets titles, details (username and url) and groups. Extensions are broken in two main components: one running inside the displayed webpages (more vulnerable) and another one running in an isolated context (more secure).
The full list of passwords is never sent to the extension, which only gets the password needed to fill the currently displayed webpage.

These two facts pose a series of security concerns that we address. This makes them more susceptible to malicious websites and also very restricted when it comes to interacting with the local machine.

Modern browser extensions are JavaScript apps that run inside the web browser.
