Github: https://github.com/Q-Vault/qvault
Website (under construction): https://qvault.io
Q Vault is a new open source password manager built using Electron, JavaScript, and Vue.js. The goal was to create an open source password manager that:
Is user-friendly
Is secure enough to store cryptocurrency
Has built-in optional cloud storage backups
Can be used offline
Can require a physical key for extra security (plastic cards with a QR code used for dual encryption)
Top comments (27)
Also, what's up with this?
I don't think that a hardcoded salt is production-ready...
Actually, I disagree: salts are used to prevent rainbow tables/pre-computed KDFs, and it's a standard that's highly recommended. You can store the salt with the database. KeePass uses a random salt.
For example, if an attacker pre-computed "password" and tried it on another user's machine, if they're lucky that user's password is also "password", and the database decrypts. This wouldn't happen if you used salts. Just because the KDF isn't stored doesn't mean you can't do rainbow tables.
What library/libraries does it use for cryptography?
2) It's debatable.
3) It is not the password manager's job to sync files. Let the user deal with that. Save it to a file and call it that. Stop trying to do everything. Do one thing, and do it well.
I guess it's fine to have a built-in syncing feature, but it divides your attention. You should be focusing on securing the secrets, rather than syncing files and checking for conflicts.
Users could use NextCloud, DropBox, Syncthing, etc. There are already existing solutions. Just sync the file and let those solutions handle conflicts.
I agree with both of you; however, I think having additional features divides your attention and increases the complexity of the project. Although it's a really good feature for non-tech-savvy users.
Oh. That's great to hear! FYI, Qvault looks nice. Do you think you'll be able to do dual encryption via file(s), or physical security keys?
But that's no excuse for reusing salts.
You might as well not use a salt.
I've tried searching, but I can't seem to find anything about box-level encryption. What do you mean?
Okay. It makes sense. Why do you want AES-256 in GCM mode? And why Scrypt?