Github: https://github.com/Q-Vault/qvault
Website (under construction): https:qvault.io
Q Vault is a new open source password manager built using electron, javascript, and vuejs. The goal was to create an open source password manager that:
Is user friendly
Secure enough to store cryptocurrency
Has built-in optional cloud storage backups
Can be used offline
Can require a physical key for extra security (Plastic Cards with QR Code used for dual encryption)
Top comments (27)
Also, what's up with this?
I don't think that a hardcoded salt is production ready ...
What library/libraries does it use for cryptography?
I guess it's fine to have a built-in syncing feature, but it divides your attention. You should be focusing on securing the secrets, rather than syncing files and checking for conflicts.
Users could use NextCloud, DropBox, Syncthing, etc. There are already existing solutions. Just sync the file and let those solutions handle conflicts.
2) It's debatable.
3) It is not the password manager's job to sync files. Let the user deal with that. Save it to a file and call it that. Stop trying to do everything. Do one thing, and do it well.
Oh okay, that makes sense now. I thought you were using a salt legitimately.
But that's no excuse for reusing salts.
You might as well not use a salt.
Libsodium isn't "training wheels". It's a production ready solution that most people should be using.
I'd avoid it. It seems really low level from reading some of your source code. Check out a Libsodium port for Node.js.
Using low-level cryptography libraries make it easy to screw up.
Okay. It makes sense. Why do you want AES-256 in GCM mode? And why Scrypt?
Libsodium is a cryptography library that's easy to use. You should be using that instead of what you're doing.