One cool feature of this password manager is that you can save it to a file and it will create a self-contained application that includes your encrypted vault, all in a single HTML file that you can use offline, save wherever you want and use however you like. I used it for many years myself but always wanted to improve it and share it with the world; now I finally managed to finish it.
Why would I use this to my existing keepassxc workflow?
- does it have better encryption?
- does it support Android / AOSP with the same file?
- does it have a better browser extension for chromium?
- does it have 2FA support, too?
- Is it open source? What's the license?
- How are passwords online stored? What's the privacy policy regarding GDPR?
I hope you are aware that password managers are the most critical infrastructure on the web, therefore if any of the above points are not checked (or it turns out you actually don't encrypt anything or simply forgot to e.g. bcrypt pws online) then you can forget about it.
Users need to put a lot (a damn effing lot) of faith in you if there's no audit and no code and no proven track record available.
And sceptical people like me need evidence to see this is a secure and safe product. Evidence in this case can only be open sourced code.
Otherwise I would just use bitwarden and forget about it anyways.
Every password manager has its quirks and fills some niche. The same is true of PassPilot: it is similar in terms of security, much simpler in terms of features but quite unique overall. Let me explain by answering your questions:
- does it have better encryption?
PassPilot uses 256-bit AES, so it is the same as keepassxc (from what I see in their docs https://keepassxc.org/docs/), but additionally PassPilot forces a strong 20-character-long master password (other managers will allow weaker passwords) and uses 200000 iterations of PBKDF2 to derive the key for encrypting your data (the LastPass default, for example, is 100100), and you can increase that to as much as your hardware can take. I say it is solid.
- does it support Android / AOSP with the same file?
It is a web-based application, so you can use it on any OS in any browser. It doesn't have an Android app (not yet), but if the user base grows I will create an Android app.
- does it have a better browser extension for chromium?
It does not have browser extensions; my personal opinion is that extensions do not add security, on the contrary they weaken your security.
- does it have 2FA support, too?
Two-factor authentication is not a default feature in most (if not all) password managers; many consider it a premium feature. But it is a great feature for some users and I believe I can add 2FA in a future release.
- Is it open source? What's the license?
A GitHub repository will soon be up and it will be open source. In fact the entire code of the application is already public, because it uses client-side encryption and everything is in the source code of that single HTML file. Nothing is compiled, it is fully transparent: any user can view source and clearly see how the app encrypts the data and what is being sent to the server in online mode. For me there is no better transparency. I bet overwhelmingly more people can verify JavaScript source code than, for example, keepassxc source code.
- How are passwords online stored? What's the privacy policy regarding GDPR?
The beauty of PassPilot, and another unique feature, is that no passwords are stored in the database. PassPilot stores only the encrypted vault and a login hash, which is different from the encryption hash. Even if the database is compromised and both the encrypted vault and the login hash get stolen, I claim no one will be able to decrypt that vault, because brute-forcing an encryption key that uses a minimum 20-character-long password and 200000 PBKDF2 iterations (HMAC-SHA256; this is also more secure than the regular SHA1 used in other default PBKDF2 implementations) would take quadrillions of years (1 quadrillion has 15 zeros). Our universe is only 13.8 billion years old (1 billion has 9 zeros).
As for privacy it is explained in the privacy policy in a pretty straightforward way https://www.passpilot.com/terms.pdf
I say PassPilot is very solid and secure; some users may even find it inconvenient (to come up with a strong password and wait a couple of seconds for the 20000 iterations each time they save), but PassPilot was not created for convenience.
After all, I don't expect someone who is happy with their password manager to switch but some people that are not using any password manager yet may find PassPilot’s unique features something that exactly meets their needs. Like the save all to file feature, keep it private and off the grid.
I would rather ask people to use any password manager to be more secure but if they choose PassPilot even better :)
Thanks again for a great set of questions. It is important for me to learn the opinion of people who know the subject.
* PassPilot is simpler (if that is what you are looking for)
* You can store and access your encrypted vault online after logging in to access it anywhere.
* PassPilot, if used offline from a local file (like KeePass), is much lighter (only one file of about 250KB) and you can move it easily: send it in an email, copy it to the cloud. It is an HTML file, not an EXE, so it is more transparent.
* Everything in PassPilot is straightforward: your records are kept in JSON format, then they are encrypted with AES. You have full freedom about what you want to do with either; you can even manipulate that JSON manually, encrypt it and save it to file and it will work. Full flexibility: you can copy the encrypted text and save it elsewhere, then paste it back and decrypt it in PassPilot.
It really depends on what you are looking for. I actually created this password manager for myself as I didn't like any other :). I like the save-to-file feature as it gives me confidence that if all internet goes dark I have my backup copies stored in several places, but for everyday use I like to log in and use it online. If you like such a model, I recommend PassPilot ;)
Correct, no repo yet, and you are right, everything is client-side: it uses client-side encryption and everything is in the HTML. I guess adding a repo will convince some people, so I will add that to my work backlog; the repo should be up soon. Thanks for the suggestion!
Hi, the Unix pass uses Unix shell and it is great, I believe there is a GUI for that as well. Let me point out some of the differences that I can see in favor of PassPilot:
* PassPilot is platform agnostic (not only unix) it is an HTML application that will run in any modern browser on any platform.
* PassPilot also offers online storage
* in PassPilot everything is in a single file, not separated into multiple files, so it is easier to move around
* PassPilot does not require knowledge of Unix and is quite simple to use; it would probably be harder for me to explain Unix pass to my dad than to explain how to use PassPilot
At the end, if you are happy with your password manager you are unlikely to switch, but still I encourage you to test PassPilot since it is free anyway.
I also created PassPilot for people who are not pro Unix users. Of course pro users will get the most out of PassPilot, but if you understand how the internet works in general you will benefit from using such a password manager anyway.
As for your question: Looks like you can’t hide which entities you have a password with, when using gnu pass. Also looks like you can’t store usernames with gnu pass (well, I suppose you can create two files for each entity...).
Other than that, gnu pass looks pretty cool and fun to use if you’re into command line stuff.
So, depending on who you are, that’s 3 reasons to use something like this over gnu pass
Try switching to the bright theme from the left menu and see if this helps. I would be grateful if you could send me some screenshots or more info about your issue; you can write to me at passpilot.com@gmail.com. Thanks!
Thanks for the information. The sharing section was added just now actually, so probably the style.css file got cached in your browser; try refreshing the page or clearing the cache, this should help I hope. Thanks again for sharing!
Definitely something to try out before the 16th. The encryption is solid. I wonder if it could also store some notes, to become a one-stop shop for all encrypted data.
Hi, every record you add has a "notes" field (textarea) and you can put anything there; you can also add your own fields. If you want to use it only offline, then there is no limit to how much information you store and encrypt (only your hardware is the limit ;)). For online there is a limit of 100,000 characters in your encrypted vault for a standard account, and 1,000,000 for a premium account, but I thought anyone who in any way supports the website will get the premium account, so for now the first 100 people registering will get premium for the fact that they trusted something that is new.
I think tomaszs was referring to the changes in LastPass free offering where starting March 16th, 2021, LastPass Free will only include access on devices of one type so if you want to use it on desktop and mobile you have to pay for premium access.
* backup/restore: It actually has a great backup feature, because you can save everything to a file from time to time and keep the file wherever you want (the file itself can be accessed and decrypted as it is a self-contained application). There is also a restore option, because if someone wants, they can copy their whole vault text or even the decrypted text and move it between files or the online account (advanced tab; I just have to describe that in the FAQ). Still, I plan to add an import-from-file and a merge option to get your backup files integrated quickly.
* Non-web distribution: I think that is how most web-based password managers do it; even LastPass is no different here, but I am planning to create a GitHub repo although it doesn't change much. I would love to learn more about how to do such web distribution.
There is however one big advantage: PassPilot can be saved to a single HTML file and used totally off the grid, so you can be sure no one can manipulate that; you can even disconnect from the internet when using the offline file. No HTML password manager will give you that (I don't count the EXE password managers as they are compiled, so you don't know what sits there); here nothing is compiled, you can examine the code in your notepad.
* TOTP generation: there are many features I haven't thought about as I wanted the application to be simple, but I will look into that.
Thanks, I see backup/restore is more-or-less there.
For the non-web distribution... I'm currently a keepassXC user so I'm used to getting it from my distro and having installed software, and having transparency of updates. I guess this is probably not a dealbreaker though, just requires trust.
When you save to file you don't have to use the same password that you are using online. Data in the file is encrypted with the password used for that particular file, so if you want to change that password you have to open that file, decrypt the content with the old password and save the content to a new file again, providing the new password. You can overwrite that file if you don't want to create a new file, or write to a new file and delete the old one.
That was a good question, I will add that to the FAQ on the website, thanks!
Thank you for the question.
Bitwarden is another great password manager, a big one with lots of features.
PassPilot is a small password manager with the minimum features that a good password manager should have to be usable, but again PassPilot’s unique feature is something that you won't get anywhere else, i.e. the possibility to save your vault together with the entire application to a single HTML file (some 300KB or less) that you can take with you, save wherever you want and never come back to the website.
This is something others don't want you to do, they want you to stay.
For me knowing that people appreciate my work and are using my application is already rewarding (like the other free app I made for my son https://play.google.com/store/apps/details?id=com.www24hday.... as I hate apps for kids full of ads, for me this is cruel), in the end it is yet another step before creating something much bigger (I hope), and a tiny contribution to making the world a safer place.