glitterware / passy Goto Github PK

(Sorry for using a issue for asking an offtopic question, but I don't know where else to ask)

Is it possible for GlitterWare to create a Joplin-style notes program, but with Passy-style synchronization?

One of my main reasons for using something like Joplin or Bitwarden is the synchronization between devices, although I would honestly prefer not to have to rely on a server and a membership and always looked for a Passy style program that would easily synchronize my information between devices, without relying on the cloud, or even worse, Syncthing...

Is there any possibility/interest that in the distant future GlitterWave will create a Joplin-style notes app but with the ability to sync between devices simply with a QR code? Yes, I've already used Passy's notes category and it has its function, but for something like a password manager it doesn't make sense to create something as advanced as Joplin.

Ability to choose whether to activate the automatic backup or not, and to have the ability to create a backup after a change is made or every certain period of time.

• New entries data structure/conversion - 6182f6a.
• Optimize data saving (append one line at a time) - 944c40a.
• On demand entry retrieval - d98614d.
• Using random access to retrieve entries - 545aef2.
• Load metadata instead of full entry data - a30ec08.
• Random IV for better security - e9b03e0.

Currently entries are stored in files passwords.enc, notes.enc, payment_cards.enc, identities.enc and id_cards.enc, encrypted in CSV format. When Passy starts up, it loads all of the data contained within these files, including the passwords. This contributes a lot of data to memory, usually with very few of this data being used per visit. It is preferable to reduce the amount of data loaded at all times to prevent performance issues and possible security concerns.

There is currently no easy way to provide random access to these data without having to read and decrypt the entire file. Before decryption, newlines are added between entries, but when encrypted the string becomes a single line. It is possible to instead encrypt entries individually to then insert newlines afterwards, which would allow to read the file line by line. This would be the first step to random data access, because it would add the ability to iterate through entries without having to keep the entire file contents in memory.

To make it possible to identify entries without having to decrypt them, it is possible to add the unencrypted entry keys at the beginning of each line, separated by a comma from the encrypted entry. This would allow the parsing mechanism to find the requested entries without having to read the entire line. There might be a question of security about storing the entry keys in an unencrypted format, since those could be considered private data. However the only information they consist of and therefore reveal are the exact entry creation dates. While one could argue that this information could potentially pose a threat due to the revelation of one's activity timeline if attacked, I doubt it would give any useful information to the attacker.

As an alternative idea, it would be possible to avoid modifying existing database information by storing encrypted minimal metadata about the entries in separate files. This, however, seems sub optimal, as I would consider such data a runtime artifact rather than meaningful information. It seems redundant to include as a part of the database, but it might be possible to implement it later as cache data instead to improve security.

Hi,
it would be great to be able to share single passwords to other users. I'm thinking of sharing my WIFI password with my GF or similar.
Another idea would be to have shared portions. I'm sure this can be achieved by having one user that's shared and another one for each personal account. But it would be cool to not login into several accounts just to find out where the actual password got saved to. So one solution could be, to introduce groups users are assigned to. Each group is "secured" by a shared secret combined with the actual user authentication.

Happy to discuss ideas

Already resolved in 3edcf08.

Next update will not have this issue.

Suggestion

Thank you so much in advance for this app, it's perfect, it doesn't require registration which can make you question privacy and security, it's very convenient and simply the best among all analogs, but I'm missing one feature

Please add the ability to attach photos for all tabs for example for passport photos or discount card barcode photos from a store, or some photo in the notes and the like

Submission checklist

• I have specified my suggestion in the issue title

Bug description

If I initialize Passy with a username and password, create a password record, exit passy, than restart passy, I am prompted once again to "Create a local account". https://github.com/GlitterWare/Passy says that on Linux, the Passy database is stored in /home/<username>/Documents. Even after I create a "Documents" directory in advance (such a thing does not otherwise normally exist on my machines) and try again, it remains empty, Passy stores nothing there, or anywhere else that I can see.

Expected outcome

No response

Steps to reproduce

No response

Error log

No response

App version

v1.5.0 - Browser Extension

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

Hi,
There is sync error When I scan QR code on PC from Android.

What should I do?
log below:

Connecting... 
Local exception has occurred: Failed to connect.
SocketException: Connection timed out, host: InternetAddress('192.168.0.105', IPv4), port: 58293
#0      _NativeSocket.connect.<anonymous closure>.<anonymous closure> (dart:io-patch/socket_patch.dart:954)
#1      _RootZone.run (dart:async/zone.dart:1647)
#2      Future.timeout.<anonymous closure> (dart:async/future_impl.dart:864)
#3      Timer._createTimer.<anonymous closure> (dart:async-patch/timer_patch.dart:18)
#4      _Timer._runTimers (dart:isolate-patch/timer_impl.dart:398)
#5      _Timer._handleMessage (dart:isolate-patch/timer_impl.dart:429)
#6      _RawReceivePortImpl._handleMessage (dart:isolate-patch/isolate_patch.dart:192)

Suggestion

No response

Submission checklist

• I have specified my suggestion in the issue title

Hi!

How to update android app to 1.3.1?

Used Syncthing to get backups from android ver to Windows and tried importing it but when it cam to importing the account, it said this:

A simple process running in the background of the OS used as Host that automatically synchronizes real-time changes occurring on any of the synchronized devices, and that is able to remember the synchronized devices.

flutter_barcode_scanner implementation broke on new flutter.
Will be replaced with barcode_scanner.

Suggestion

1. Minimize to tray when click close button

Could you add a option that control the behavior when click close button? Sometimes I want to minimize Passy to the system tray, but not close it.

2. Steam OTP(2FA) support

Passy does not support the Steam OTP algorithm which is not a standard TOTP implementation, but many password managers or 2FA applications support that, like KeePassXC, KeePassDX, Aegis, Authenticator Pro, etc..

3. biometrics support on Windows

Passy doesn't seem to support biometric authentication on Windows. Does it only support the mobile app? I think supporting biometrics on Windows is nice for convenience. Like the KeePassXC, requiring the master password when first start Passy, and biometrics auth when open Passy from the background is a good choice.

Submission checklist

• I have specified my suggestion in the issue title

Bug description

Browser extension saying No connector found.
Checked the native messaging directories, manifest files are not updated as they need to be.

Expected outcome

No response

Steps to reproduce

Install snap/flatpak package, open once, use browser extension

Error log

App version

v1.5.0 - Browser Extension

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

link to script:‌ https://gist.github.com/b82577ed3fd06f305a28a18a81a580d2

to use it export from lockwise and passy, give the script the path to the lockwise file and the passy passwords.enc file and it will do its thing

Hi!

After install new version can't login.

FileSystemException: Cannot copy file to 'C:\Users\Husband\Documents\Passy\accounts\Stas\id_cards.enc_temp', path = 'C:\Users\Husband\Documents\Passy\accounts\Stas\id_cards.enc' (OS Error: Невозможно создать файл, так как он уже существует.
, errno = 183)
#0      _File.throwIfError (dart:io/file_impl.dart:635)
#1      _File.copySync (dart:io/file_impl.dart:340)
#2      convert2_0_0AccountTo2_1_0._convert (package:passy/passy_data/legacy/convert_2d0d0_account_to_2d1d0.dart:19)
#3      convert2_0_0AccountTo2_1_0 (package:passy/passy_data/legacy/convert_2d0d0_account_to_2d1d0.dart:37)
#4      convertLegacyAccount (package:passy/passy_data/legacy/legacy.dart:80)
#5      loadLegacyAccount (package:passy/passy_data/legacy/legacy.dart:93)
#6      PassyData.loadAccount (package:passy/passy_data/passy_data.dart:167)
#7      _LoginScreen.login.<anonymous closure> (package:passy/screens/login_screen.dart:95)
#8      _RootZone.run (dart:async/zone.dart:1647)
#9      _FutureListener.handleWhenComplete (dart:async/future_impl.dart:190)
#10     Future._propagateToListeners.handleWhenCompleteCallback (dart:async/future_impl.dart:736)
#11     Future._propagateToListeners (dart:async/future_impl.dart:792)
#12     Future._completeWithValue (dart:async/future_impl.dart:566)
#13     Future._asyncCompleteWithValue.<anonymous closure> (dart:async/future_impl.dart:639)
#14     _microtaskLoop (dart:async/schedule_microtask.dart:40)
#15     _startMicrotaskLoop (dart:async/schedule_microtask.dart:49)

That is paid pass manager and one of the most used . So this would be a great feature. In their site they support importing from Google passwords and others

Is there any intention to release a version of Passy as Flatpak? I have no problem with Snap, I just find it interesting if you plan to release a flatpak version.

I couldn't find Passy on AUR either.

Bug description

When sync link is pressed in windows 10, only appears "setting up synchronization" for a few seconds (bottom bar) and nothing more.

Expected outcome

if at least the ip and port could show up....

Steps to reproduce

No response

Error log

No response

App version

v1.5.0 - Browser Extension

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

Hello, i tried to toggle automatic backup, then selecting a folder, and it says "access denied, try another folder". Is there any fix? (Android)

Bug description

when trying import an exported zip file from cel (android) to windows 10 22h2 error occurs:

FormatException: Unfinished UTF-8 octet sequence (at offset 1)
#0      _Utf8Decoder.convertSingle (dart:convert-patch/convert_patch.dart:1747)
#1      Utf8Decoder.convert (dart:convert/utf.dart:351)
#2      Utf8Codec.decode (dart:convert/utf.dart:63)
#3      skipLine (package:passy/passy_data/common.dart:65)
#4      PassyEntriesEncryptedCSVFile.keys.<anonymous closure> (package:passy/passy_data/passy_entries_encrypted_csv_file.dart:18)
#5      processLines (package:passy/passy_data/common.dart:267)
#6      PassyEntriesEncryptedCSVFile.keys (package:passy/passy_data/passy_entries_encrypted_csv_file.dart:16)
#7      LoadedAccount.notesKeys (package:passy/passy_data/loaded_account.dart:584)
#8      new LoadedAccount (package:passy/passy_data/loaded_account.dart:94)
#9      JSONLoadedAccount.toEncryptedCSVLoadedAccount (package:passy/passy_data/loaded_account.dart:959)
#10     PassyData.importAccount (package:passy/passy_data/passy_data.dart:353)
<asynchronous suspension>
#11     _ConfirmImportScreen._onConfirmPressed (package:passy/screens/confirm_import_screen.dart:26)
<asynchronous suspension>

Expected outcome

No response

Steps to reproduce

No response

Error log

No response

App version

None

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

Attempting to scan the QR code from my host machine (Manjaro, Appimage) and my guest device (Android 11) results in this error:

Connecting... 
Local exception has occurred: Failed to connect.
SocketException: Connection refused (OS Error: Connection refused, errno = 111), address = 127.0.0.1, port = 41042
#0      _NativeSocket.startConnect (dart:io-patch/socket_patch.dart:682)
#1      _NativeSocket.connect (dart:io-patch/socket_patch.dart:948)
#2      _RawSocket.connect (dart:io-patch/socket_patch.dart:1815)
#3      RawSocket.connect (dart:io-patch/socket_patch.dart:21)
#4      Socket._connect (dart:io-patch/socket_patch.dart:2038)
#5      Socket.connect (dart:io/socket.dart:743)
#6      Synchronization.connect (package:passy/passy_data/synchronization.dart:664)
#7      LoadedAccount.connect (package:passy/passy_data/loaded_account.dart:159)
#8      SynchronizationWrapper.connect (package:passy/common/synchronization_wrapper.dart:63)
#9      _ConnectScreen.build.<anonymous closure> (package:passy/screens/connect_screen.dart:88)
#10     _InkResponseState.handleTap (package:flutter/src/material/ink_well.dart:1072)
#11     GestureRecognizer.invokeCallback (package:flutter/src/gestures/recognizer.dart:253)
#12     TapGestureRecognizer.handleTapUp (package:flutter/src/gestures/tap.dart:627)
#13     BaseTapGestureRecognizer._checkUp (package:flutter/src/gestures/tap.dart:306)
#14     BaseTapGestureRecognizer.acceptGesture (package:flutter/src/gestures/tap.dart:276)
#15     GestureArenaManager.sweep (package:flutter/src/gestures/arena.dart:163)
#16     GestureBinding.handleEvent (package:flutter/src/gestures/binding.dart:464)
#17     GestureBinding.dispatchEvent (package:flutter/src/gestures/binding.dart:440)
#18     RendererBinding.dispatchEvent (package:flutter/src/rendering/binding.dart:337)
#19     GestureBinding._handlePointerEventImmediately (package:flutter/src/gestures/binding.dart:395)
#20     GestureBinding.handlePointerEvent (package:flutter/src/gestures/binding.dart:357)
#21     GestureBinding._flushPointerEventQueue (package:flutter/src/gestures/binding.dart:314)
#22     GestureBinding._handlePointerDataPacket (package:flutter/src/gestures/binding.dart:295)
#23     _invoke1 (dart:ui/hooks.dart:167)
#24     PlatformDispatcher._dispatchPointerDataPacket (dart:ui/platform_dispatcher.dart:341)
#25     _dispatchPointerDataPacket (dart:ui/hooks.dart:94)

No matter if I try to use my Android as a Host, the same thing happens, and I already verified that no firewall is interfering, in fact I turned them off and the problem persisted...

This issue contains a list of features and improvements planned for Passy v1.4.0, organized by priority (Features ready to be included are ticked).

New Features:

• #16
• #30
• #31
• #19
• #21
• #32

Edit 1:
You may visit the issues mentioned above to discuss them individually.

Edit 2:

Submission process:

• GitHub.
• AppImageHub.
• AUR.
• Snap Store.
• FlatHub.

Suggestion

Passy does not seem to perform any kind of key derivation, instead using the length-padded passphrase as the encryption key directly. This introduces several issues:

• The passwords are capped at 32 characters
• Cracking passwords is much faster as key derivation often intentionally introduces delays and memory constraints (usually configurable!) to mitigate brute-force attacks
• Your available key space is reduced by a few magnitudes - key derivation functions make sure you're able to utilize any of the 256³² keys AES allows, but using the passphrase directly usually limits that to the characters available on the user's keyboard

A good choice would be Argon2, which is used in KDBX 4 (KeePass) and LUKS2. Implementing it should be trivial - you need to find a library for it, replace the custom padding mechanism in

Submission checklist

• I have specified my suggestion in the issue title

Hi,
as discussed in #13 (comment), here's a separate issue.

Searching for a password has multiple steps involved. I'd like to propose to use a quick-search field in the main screen.

Thanks

Perhaps to take advantage of the empty space in the app menu you could create a scrollable menu with large buttons with an icon, and if more functions were to be added they would be placed lower down.

Bug description

When attempted to use the extension on a non-English language system, connector fails to find the proper documents directory. This is because Windows documents directory location is localized and varies depending on the user language, which the connector does not account for.

Expected outcome

No response

Steps to reproduce

No response

Error log

No response

App version

v1.5.0 - Browser Extension

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

Invalid argument(s): Key length not 128/192/256 bits.
#0      AESEngine.generateWorkingKey (package:pointycastle/block/aes.dart:1163)
#1      AESEngine.init (package:pointycastle/block/aes.dart:1150)
#2      SICStreamCipher.init (package:pointycastle/stream/sic.dart:55)
#3      StreamCipherAsBlockCipher.init (package:pointycastle/adapters/stream_cipher_as_block_cipher.dart:29)
#4      PaddedBlockCipherImpl.init (package:pointycastle/padded_block_cipher/padded_block_cipher_impl.dart:47)
#5      AES.encrypt (package:encrypt/src/algorithms/aes.dart:35)
#6      Encrypter.encryptBytes (package:encrypt/src/encrypter.dart:12)
#7      Encrypter.encrypt (package:encrypt/src/encrypter.dart:20)
#8      encrypt (package:passy/passy_data/common.dart:122)
#9      EncryptedJsonFile.saveSync (package:passy/passy_data/encrypted_json_file.dart:61)
#10     new EncryptedJsonFile.fromFile (package:passy/passy_data/encrypted_json_file.dart:47)
#11     AccountSettings.fromFile (package:passy/passy_data/account_settings.dart:66)
#12     new LoadedAccount.fromDirectory (package:passy/passy_data/loaded_account.dart:143)
#13     PassyData.createAccount (package:passy/passy_data/passy_data.dart:130)
#14     _AddAccountScreen._addAccount (package:passy/screens/add_account_screen.dart:75)
#15     _InkResponseState.handleTap (package:flutter/src/material/ink_well.dart:1096)
#16     GestureRecognizer.invokeCallback (package:flutter/src/gestures/recognizer.dart:253)
#17     TapGestureRecognizer.handleTapUp (package:flutter/src/gestures/tap.dart:627)
#18     BaseTapGestureRecognizer._checkUp (package:flutter/src/gestures/tap.dart:306)
#19     BaseTapGestureRecognizer.acceptGesture (package:flutter/src/gestures/tap.dart:276)
#20     GestureArenaManager.sweep (package:flutter/src/gestures/arena.dart:163)
#21     GestureBinding.handleEvent (package:flutter/src/gestures/binding.dart:464)
#22     GestureBinding.dispatchEvent (package:flutter/src/gestures/binding.dart:440)
#23     RendererBinding.dispatchEvent (package:flutter/src/rendering/binding.dart:336)
#24     GestureBinding._handlePointerEventImmediately (package:flutter/src/gestures/binding.dart:395)
#25     GestureBinding.handlePointerEvent (package:flutter/src/gestures/binding.dart:357)
#26     GestureBinding._flushPointerEventQueue (package:flutter/src/gestures/binding.dart:314)
#27     GestureBinding._handlePointerDataPacket (package:flutter/src/gestures/binding.dart:295)
#28     _invoke1 (dart:ui/hooks.dart:164)
#29     PlatformDispatcher._dispatchPointerDataPacket (dart:ui/platform_dispatcher.dart:361)
#30     _dispatchPointerDataPacket (dart:ui/hooks.dart:91)

android 12 miui 13.0.5 , 1.5.0 f-droid repo

still can't

Bug description

I have reinstalled the passy application multiple times, even tried uninstalling it and removing it from my pc, to then reinstall and no matter what I do, the extension always says no connector found.

v1.5.0 - Browser Extension

Suggestion

First thanks to the developers for your attempt at a new password manager.

Description
I did not see mention of kdbx.
kdbx is a very common import export format for password databases, popularized by another opensource password manager.
The diligent user is also worried about "lock-in"
A user will want to try and stay as along as the app is the best choice to that user.
kdbx files are also password protect-able. So it reduces the risk for passwords lying around in plaintext files in plain sight.

It is preferable if the import/export to kdbx is in-built into the app.
But its also okay, if import/export is done as externally using distributed command line tools.

• I saw that there is a csv import facility merged recently
  • 20230501 CSV import implemented
  • 20230501 Better decoding in CSV import
• Is there a proper specification of the fields (column titles) that go in the csv format.
  • I count 222 entries in https://github.com/GlitterWare/Passy/blob/efb59aa703cf9978975dce857b48904cd136c3f5/lib/l10n/app_en.arb
  • Where do you get this field list from ?
    • Is it exhaustive enough to round trip to another app and back?
      • Let know a list of other open-source apps that are confirmed to be round-trippable with this csv format.
    • Is it decoupled from passy-specific internal-state?
• I am guessing there may be a recommended tool or command process that does
  • import: kdbx >- decrypt ->csv -> passy
  • export: passy -> csv -> encrypt -> kdbx
• Pls do provide details/steps/tools/commands on such reliable process as well.

I noticed the description said something about a backup zip file. I am guessing this is a csv export. More details on that pls?

Expected outcome
no lock-in guarantee
easy to migrate to passy
easy to migrate away from passy
This gives passy motivation to stay competitive and respectful of users choices.

Ref

• #32

Submission checklist

• I have specified my suggestion in the issue title

Hi, entered passwords stay in memory and could be read out by an attacker.

I'll start working on it

Bug description

After I logged in, pressing passwords the screen suddenly turned gray, I can't access my old passwords.

Expected outcome

No response

Steps to reproduce

No response

Error log

No response

App version

v1.5.2 - Windows Hotfix

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

Suggestion

I find it really privacy-conscious that they are aiming for exclusive serverless p2p synchronisation, but could a system be used that allows synchronisation without having to scan qr codes (which doesn't work on my Xiaomi 12X, I have to enter the host manually), like the Brave Sync acting as password, address and credit card manager built into Brave Browser, or at most along the lines of Syncthing?

Both systems use the qr code only for the first association for example, then synchronise with each change, as Bitwarden does, but without a server.

Submission checklist

• I have specified my suggestion in the issue title

Bug description

Grey screen when entering 'password' and 'search all items' menu

Expected outcome

When entering passwords menu, see the lisp of saved passwords

Steps to reproduce

Log into program, open passwords menu

Error log

Don't know where to get

App version

v1.5.2 - Windows Hotfix

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

Hi,
just another proposal:
whenever I sync with other devices, I feel a bit hesitant to do so. Especially when I altered the database on many devices. It would be helpful to see which passwords get added (or removed!) to then acknowledge or to discard.

Thanks,

Hi @GleammerRay

The app works great. Thanks for your work.

I have been wanting to contribute to some newish open source projects that could benefit from a design revamp/improvement. I am a ui/ux designer by the day and have been wanting to contribute towards better looking open source design?

Do you think there is anything you need help on?

Hi,
as discussed in #13 (comment), here's a separate issue.

Some settings paths have more levels than needed.
Example: Settings -> backup and restore -> backup -> passy backup

thanks

Bug description

Synchronization is not working on the Snap package.

Expected outcome

No response

Steps to reproduce

Attempted to synchronize same account between Android and Snap Passy.

Error log

{"error":"type":"Module not found"}

App version

v1.4.1 - Quality Patch

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

Bug description

When trying to use autofill, a blank gray screen appears and stays without change, unreactive.

Expected outcome

Login screen should appear instead, allowing to sign in and choose an entry to fill.

Steps to reproduce

Enabled Android autofill, attempted to use autofill.

Error log

No response

App version

v1.4.1 - Quality Patch

Submission checklist

• I have specified the problem in the issue title
• I have provided a verbose description of the problem

In Padloc, a great FOSS password manager, you have the ability to add attachments, and this works great when a page gives you a file as an account recovery file.

And the history function allows me to see in a timeline the changes I have made to my Vault Items (that is, the file where my password is stored), making it much simpler to recover a password, for example, from a site I changed but didn't apply, so I only keep my new no-saved password, and I need my old password, so I don't depend so much on recovering all my manual backups until I find the one with the correct password.

hi!

¿has your software language files? i want translate your app spanish

thanks!

Hi,
as discussed in #13 (comment), here's a separate issue.

When being in main screen, you can simply press 'back' button to get back to login screen. I'd like to propose to use the screen after login screen as main screen and that you cannot get back to login via 'back'.
Possible replacements could be a toast telling you to double press 'back' or a dedicated icon to 'logout'.

Thanks

Hi,

This might be a very silly question, how do I use obscured passwords?

When I try to copy then in order to login, it just copies the randomly generated password and not the original one.

Thanks!

Sorry for my ignorance, does this mean that Passy will no longer be maintained on that date?

Hi,
it would be great to set specific entries as "favorites" and to have them displayed on the main screen. Then you don't even need to search for passwords most commonly used. (refer to #16)

Thanks

Suggestion

Please add the ability to create and name folders (whatever I want to name the folder, so it will be) to group passwords of similar services for example to group such services as social networks (discord, GitHub, google and others), passwords of gaming companies (E.A. STEAM and others) and banks (login password for banking application, card password), as well as any other services.

Submission checklist

• I have specified my suggestion in the issue title

Hi,
as discussed in #13 (comment), here's a separate issue.

When being in the login view, there is no button to launch biometric authentication and I'm stuck. I need to switch apps to bring this dialog up.

Thanks

The app looks promising but there is a few quirks that bug me and make it difficult to use. I'm specifically using the android app:

Locking up whenever the app screen is left is too much. It should only prompt for the password when the app is closed and reopened again.

Minor UI suggestions:
1- Add some padding between the username and the password in the log in screen.
2- The 2FA boxes take too much space in the new password menu. You can instead add a button that shows all of these boxes when clicked.
3- Implement a smooth circle bar animation for the 2FA timer.