by cookiengineer 1938 days ago
Why would I use this over my existing keepassxc workflow?

- does it have better encryption?

- does it support Android / AOSP with the same file?

- does it have a better browser extension for chromium?

- does it have 2FA support, too?

- Is it open source? What's the license?

- How are passwords online stored? What's the privacy policy regarding GDPR?

I hope you are aware that password managers are the most critical infrastructure on the web, therefore if any of the above points are not checked (or it turns out you actually don't encrypt anything or simply forgot to e.g. bcrypt pws online) then you can forget about it.

Users need to put a lot (a damn effing lot) of faith in you if there's no audit and no code and no proven track record available.

And sceptical people like me need evidence to see this is a secure and safe product. Evidence in this case can only be open sourced code.

Otherwise I would just use bitwarden and forget about it anyways.


Hi, that is a great list of questions.

Every password manager has its quirks and fills some niche. The same goes for PassPilot: it is similar in terms of security, much simpler in terms of features, but quite unique overall. Let me explain by answering your questions:

- does it have better encryption? PassPilot uses AES 256 bits, so it is the same as keepassxc (from what I see in their docs https://keepassxc.org/docs/), but additionally PassPilot forces a strong, 20-character-long master password (other managers will allow weaker passwords) and uses 200000 iterations of PBKDF2 to derive the key for encrypting your data (the LastPass default, for example, is 100100), and you can increase that to as much as your hardware can take. I say it is solid.

- does it support Android / AOSP with the same file? It is a web-based application, so you can use it on any OS in any browser. It doesn't have an Android app (not yet), but if the user base grows I will create an Android app.

- does it have a better browser extension for chromium? It does not have browser extensions; my personal opinion is that extensions do not add security, on the contrary they weaken your security.

- does it have 2FA support, too? Two-factor authentication is not a default feature in most (if not all) password managers; many consider it a premium feature. But it is a great feature for some users, and I believe I can add 2FA in a future release.

- Is it open source? What's the license? The Github repository will soon be up and it will be open source. In fact, the entire code of the application is already public, because it uses client-side encryption and everything is in the source code of that single HTML file. Nothing is compiled; it is fully transparent. Any user can view source and clearly see how the app encrypts the data and what is being sent to the server in online mode. For me there is no better transparency. I bet overwhelmingly more people can verify JavaScript source code than, for example, keepassxc source code.

- How are passwords online stored? What's the privacy policy regarding GDPR? The beauty of PassPilot, and another unique feature, is that no passwords are stored in the database. PassPilot stores only the encrypted vault and a login hash, which is different from the encryption hash. Even if the database is compromised and both the encrypted vault and the login hash get stolen, I claim no one will be able to decrypt that vault, because brute forcing an encryption key that uses a minimum 20-character-long password and 200000 PBKDF iterations (HMAC-SHA256; this is also more secure than the regular SHA1 in other default PBKDF2 implementations) would take a quadrillion years (1 quadrillion has 15 zeros). Our universe is only 13.8 billion years old (1 billion has 9 zeros). As for privacy, it is explained in the privacy policy in a pretty straightforward way: https://www.passpilot.com/terms.pdf

I say PassPilot is very solid and secure; some users may even find it inconvenient (to come up with a strong password and wait a couple of seconds for the 20000 iterations each time they save), but PassPilot was not created for convenience.

You can find all the details about security in the FAQ section of the website https://www.passpilot.com/#/faq

After all, I don't expect someone who is happy with their password manager to switch, but some people who are not using any password manager yet may find PassPilot's unique features something that exactly meets their needs, like the save-all-to-file feature: keep it private and off the grid.

I would rather ask people to use any password manager to be more secure, but if they choose PassPilot, even better :)

Thanks again for a great set of questions. It is important for me to learn the opinion of people who know the subject.