A password manager without a master password


#1

Hi all!

I wanted to show what I’ve been working on for the last 6 months:

NoKey, a password manager without a master password.
Instead, you can unlock your passwords by confirming from another device. E.g. if you need a password on your PC, you only have to confirm this on your phone. No need to remember any passwords!


The vast majority of the code is written in Elm and it’s fully open source.

There is a browser extension for Chrome and Firefox and an Android app.
The application is only useful with at least two devices, so to really test it out, you’ll have to install it on two devices.
There is no iOS version and the web app doesn’t work on Safari either, sorry!

Any feedback or questions are greatly appreciated, be it regarding the actual application or about the code.

Download links, code and more info are in the readme at: https://github.com/Zinggi/NoKey/


#2

I think this is awesome, and is a really cool application of some good crypto techniques!

I didn’t see this stated in the docs anywhere, but am I correct in assuming that you can have any number of devices linked to your account, and that you need two devices to contribute their key to unlock a password (the device you’re going to use the password on (like your browser), and one of the other devices to confirm (like your phone))?

Also, I guess NoKey has the risk that if you lose access to enough devices, you can no longer unencrypt anything. Has this been a problem for any NoKey users in practice? Do you think there are any good solutions to this problem?


#3

Thanks!

> I didn’t see this stated in the docs anywhere, but am I correct in assuming that you can have any number of devices linked to your account, and that you need two devices to contribute their key to unlock a password […]

First off, there is no “account”. Instead, you link devices together by pairing them, which establishes trust between those devices.
Yes, you can link as many devices as you want, and for unlocking your passwords you can use any of those trusted devices to confirm.
It’s also possible to choose a security level of e.g. 3, which means you’d need to confirm the unlock on two other devices.

> Also, I guess NoKey has the risk that if you lose access to enough devices, you can no longer unencrypt anything

That’s correct. That’s why there is a warning on the home screen if you have only as many devices as the highest security level in use, as losing a device in that situation would lock you out of your own passwords.

> Has this been a problem for any NoKey users in practice?

There have not been many NoKey users yet :sweat_smile:, only a very small group of people so far. This is the first time I shared this in public.

> Do you think there are any good solutions to this problem?

There is an optional way to unlock your passwords even if you only have one device:
I call this feature “key boxes”. It’s a password-protected box that contains an additional key.
This way, by remembering a good password you can still unlock passwords saved with level 2 on one device. This could be useful when losing all devices except one. But if you choose a weak password, you lower the total security.

Those were great questions, thanks for your interest!


#4

This is pretty common, I think. E.g. I had a 2FA on Discord on my old phone. Didn’t think to make a backup when I switched phones, didn’t have backup codes. Can’t generate one-time-password now, and my account is locked with no way to get into it. Would have to register with another e-mail.

I actually don’t think it has a solution except for the backup codes.


#5

Well I don’t think that’s a big problem with NoKey, as long as you make sure you pair more devices than the maximum used security level.
E.g. most people will probably only use security level 2, so they should pair at least 3 devices.
For instance, I have 4 paired devices: my desktop, my laptop, my phone and my university account. This way it’s pretty much impossible for me to lose any passwords.
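
Added example (not part of the thread and not NoKey's code): a sketch of the k-of-n unlocking described in posts #3 and #5, showing why level 2 needs two devices and why pairing only as many devices as the highest level risks lockout. It assumes a Shamir-style threshold scheme, which the thread does not name; `split`, `combine` and `lockout_warning` are hypothetical names.

```python
# Added example, not NoKey's code. Assumption: a Shamir-style k-of-n scheme
# over a prime field; the thread does not name the scheme NoKey uses.
import secrets

PRIME = 2**521 - 1  # Mersenne prime, large enough to hold a 256-bit key

def split(secret, level, devices):
    """Give each paired device one share; any `level` shares recover `secret`."""
    if not 1 <= level <= len(devices):
        raise ValueError("security level exceeds number of paired devices")
    # Random polynomial of degree level-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(level - 1)]
    shares = {}
    for x, name in enumerate(devices, start=1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation at x
            y = (y * x + c) % PRIME
        shares[name] = (x, y)
    return shares

def combine(shares):
    """Lagrange interpolation at x = 0 over a list of (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def lockout_warning(paired_devices, levels_in_use):
    """True when losing one more device would leave fewer shares than the
    highest security level in use (the home-screen warning in post #3)."""
    return paired_devices <= max(levels_in_use)

if __name__ == "__main__":
    key = secrets.randbelow(2**256)  # constructed sample key
    shares = split(key, 2, ["desktop", "laptop", "phone"])
    # Level 2: the requesting device plus one confirming device suffice.
    print(combine([shares["desktop"], shares["phone"]]) == key)
    # One device on its own does not recover the key.
    print(combine([shares["desktop"]]) == key)
    # Three devices at level 2 tolerate one loss; two devices do not.
    print(lockout_warning(3, [2]), lockout_warning(2, [2]))
```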


#6

Is there a timeline for an iOS app?


#7

I do not own any Apple devices, so I really can’t develop for them.
But before an iOS version can exist, it has to first work on Safari. This is problematic at the moment.
But once it runs on Safari, an iOS version could follow, as it should be quite easy to implement, since it would just be a simple wrapper around a web view.

