LessPass: sync-less open source password manager

[Batu69]

Managing your Internet passwords is not easy. You probably use a password manager to help you. The system is simple, the tool generates random passwords whenever you need them and save them into a file protected with a strong password.

This system is very robust, you only need to remember one password to rule them all! Now you have a unique password for each site on the Internet.

I have used this system for a long time. But every time I met the same problems:

• How do I synchronize this file on all my devices?
• How do I access a password on my parents’ computer without installing my password manager?
• How do I access a password on my phone, without any installed app?

So I searched for a simpler solution and as none satisfied all those criterion I created LessPass.

I want a password manager with open source code, that does not require synchronization.

The trick is to compute passwords rather than generate and store random passwords.

LessPass generates unique passwords for websites, email accounts, or anything else based on a master password and information you know.

LessPass is different from other password managers that you can find on the Internet because:

• It does not save your passwords in a database ;
• It does not need to sync your devices together ;
• It is open source (source code can be audited).

The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will returns a unique password.

No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login).

To raise the cost of breaking your master password, the generation of the password must be time consuming, especially by brute force. So LessPass uses PBKDF2 with 8192 iterations and a hash function sha-256.

 

Password generation is based on pure functions stability.

The hash generated by the first function is derived and processed in order to respect the requested options (i.e. length, lowercase, uppercase, numbers, special characters, etc.):

function _renderPassword(encryptedLogin, site, passwordOptions) {
  const derivedEncryptedLogin = this._deriveEncryptedLogin(encryptedLogin, site, passwordOptions);
  const template = this._getPasswordTemplate(passwordOptions);
  return this._prettyPrint(derivedEncryptedLogin, template);
}

function _deriveEncryptedLogin(encryptedLogin, site, passwordOptions = {length: 12, counter: 1}) {
  const salt = site + passwordOptions.counter.toString();
  const derivedHash = crypto.createHmac('sha256', encryptedLogin).update(salt).digest('hex');
  return derivedHash.substring(0, passwordOptions.length);
}

The source code is very small, I invite you to have a look .

What does it look like?

A picture is worth a thousand words:

 

Generation password for news.ycombinator.com

The simplest way to try it (even if you are on your phone or on your grand-mother’s computer) is to use the official website https://lesspass.com/ ; then type your site, login and master password, the password will be generated on the fly so you just have to copy (with button or keyboard).

Try it on your phone, on another computer, offline, it will give the same result. No need to sync.

Is it available on my OS/device?

Yes, as soon as you have access to a browser it’s available to you. But we went behind that and added:

• a Chrome extension ;
• a Firefox extension ;
• a Cozy application (if you want to self-host it) ;
• and the official site.

What about complex password rules?

Sometimes some sites have specific password rules. For instance, some banks only accept passwords with numbers. So you have to remember both a strong password and the its complex rules.

Well, we built a “connected” version to tackle that. It works by saving your password’s profile, i.e. everything –except the master password and the generated password– to be able to generate the password. Then, next time you need this password you just have to select the profile and type the master password.

Here is what a profile looks like:

{
    "id": "40d31aef-7f91-8bc9-41ce-2f47477ad8c4",
    "login": "38491092",
    "site": "www.ingdirect.fr",
    "lowercase": false,
    "uppercase": false,
    "symbols": false,
    "numbers": true,
    "counter": 1,
    "length": 6,
    "created": "2016-10-10T12:15:17.354990Z",
    "modified": "2016-10-10T12:15:17.355023Z"
}

Below is a user connecting to it’s account to use his bank’s account profile:

---

 

The connected version can help you save complex profiles.

Self Hosted

You can host your own LessPass database if you do not want to use the official one. The requirement for self-hosting is to have docker and docker-compose installed on your machine.

Then run the following command, type your domain name and the tool does the rest:

bash <(curl -s https://raw.githubusercontent.com/lesspass/lesspass/master/lesspass.sh)

How do I change a password without changing my master password?

That’s the purpose of the counter field in the options field set, increment it and you will get a new password.

How to contribute?

• If you are scientist, help us to write a white paper ;
• Send pull-request to improve or fix the source code ;
• Drop us a line on github ;
• Rate the Firefox extension or the Chrome one ;
• Send us to the stars on github ;

Road Map

• Mobile (beginning 2017) ;
• Encryption of client-side profiles ;
• White Book.

---

Open Culture

LessPass is open source (MIT license), we refuse to install cookies, analysis tools on our applications (there are no Google Analytics, or links to external services on our tools).

We host our code on Vultr’s servers and our DNS are managed by Gandi .

We really like the idea of an open culture: all bugs that we find are visible.

We document our algorithms and our approach: no magic, no black box.

We love feedback and your ideas to improve the tool: We are aware of some limitations (change of strong password, for example) but we are working to improve the product.

We are not sponsored by any company, developing LessPass is done during our free time.

If you have comments or questions, feel free to email us at [email protected]

I want to thank Édouard Lopez for all the work on user experience and many returns on the product !

lesspass Official Website

Article source

[Petrovic]

Fake LastPass

open source password manager is not a reliable

[IronY-Man]

problems will arise where some people have more than 1 accounts for a site ; like mail accounts or something....seems fishy at the first glance and as @Petrovic said, not reliable !

[Batu69]

 

Most Internet sites and programs ship with password rules. Some may require a certain minimum or maximum length, others that numbers, special characters or upper case characters are included.

 

There is no way that deterministic password managers can take those requirements into account without interface that users may use to pick those information.

The password manager LessPass for instance displays those options on its site, while others may not offer them at all (which means they cannot generate working passwords for some services).

 

You do need to remember the rules that you have specified for certain sites though, or store those information locally or remotely.

The information stored contains sensitive information that may help attackers.

 

Continue read here

[DKT27]

I'm not a security expert, but the method it follows, it looks slightly more vulnerable than other password managers out there.