Fix inaccurate claims.

This commit is contained in:
Timothy Farrell 2026-05-12 23:49:22 +00:00
parent 7655229aef
commit 0fdcaf4ecc


@ -11,7 +11,7 @@ An offline-first password manager that runs entirely in your browser. No server,
- **Password generator** — Configurable length (464), character types, custom exclusions, strength indicator.
- **Copy to clipboard** — One-click copy with 15-second auto-clear.
- **JSON import/export** — Export your entire vault as encrypted JSON. Import with merge or replace mode.
- **Auto-lock** — Vault locks automatically on tab switch, visibility change, or configurable inactivity timer.
- **Auto-lock** — Vault locks automatically on tab switch, visibility change, or 5-minute inactivity timer.
- **Dark theme** — Responsive layout that works on desktop and mobile.
## Quick Start
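Review bot: the unchanged context line "Configurable length (464)" three lines above the edited Auto-lock entry looks like a dropped range separator between the minimum and maximum generator length; since this commit is correcting inaccurate claims in the feature list, fix that here too (for example "(4-64)", if that is the real range). The replacement line now states a fixed 5-minute inactivity timer, which is consistent with dropping "configurable", but the Security Considerations table later in the file lists only "Auto-lock on visibility change (tab switch)" against the "Tab left open" threat; add the inactivity timer there so the two sections agree.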
@ -53,9 +53,9 @@ Master Password ──PBKDF2──→ 256-bit Key ──AES-GCM──→ Encrypt
| Store | Fields |
|---|---|
| `entries` | `id`, `title`, `username`, `password` (encrypted), `url`, `notes` (encrypted), `groupId`, `createdAt`, `updatedAt` |
| `entries` | `id`, `title`, `username`, `encryptedPassword` (encrypted), `url`, `notes`, `groupId`, `tags`, `createdAt`, `updatedAt` |
| `groups` | `id`, `name`, `color`, `createdAt` |
| `meta` | `salt`, `testEncrypted`, `testPlaintext` |
| `meta` | `salt`, `testEncrypted`, `testPlaintext`, `dbVersion` |
## Security Considerations
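Review bot: in the replaced `entries` row the `(encrypted)` suffix on `encryptedPassword` is now redundant with the field name, while `notes` has quietly lost its `(encrypted)` marker on the same line; a reader skimming the table can miss that notes changed from encrypted to plaintext, so add a one-line note under the table stating plainly that `encryptedPassword` is the only ciphertext field. The new `dbVersion` field in `meta` also arrives with no explanation; document which versions exist and how a vault created before the field existed is upgraded, since the JSON import path has to accept both.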
@ -65,13 +65,14 @@ Master Password ──PBKDF2──→ 256-bit Key ──AES-GCM──→ Encrypt
| Weak passwords | Strength indicator on generator |
| Clipboard leakage | Auto-clear after 15 seconds |
| Tab left open | Auto-lock on visibility change (tab switch) |
| Database tampering | All sensitive data encrypted at rest with AES-256-GCM |
| Database tampering | Passwords encrypted at rest with AES-256-GCM |
| Brute force | PBKDF2 with 100,000 iterations slows offline attacks |
### Known limitations
- **No browser fingerprinting or anti-keylogger** — This is a local tool, not a hardened security appliance.
- **IndexedDB can be inspected** — Encrypted data is safe, but metadata (titles, usernames, URLs) may be visible if not encrypted. Currently only `password` and `notes` are encrypted; titles/usernames/URLs are stored in plaintext for searchability.
- **IndexedDB can be inspected** — Only `encryptedPassword` is encrypted at rest. Titles, usernames, URLs, and notes are stored in plaintext for searchability and are visible if the database is inspected.
- **Test plaintext stored in IndexedDB** — The `testPlaintext` value used for password verification is stored unencrypted in the `meta` store. An attacker with access to IndexedDB could use it to verify guessed passwords alongside the salt.
- **No automatic backups** — Use the JSON export feature to back up your vault regularly.
## Development
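Review bot: the reworded "Database tampering" row still pairs an integrity threat with a confidentiality mitigation. AES-256-GCM authenticates only the `encryptedPassword` ciphertext, so someone who can write to IndexedDB can silently alter titles, usernames, URLs, notes, `groupId` and every `meta` field without detection; either rename the threat to "Database disclosure" or state that only the password field is integrity-protected. The new `testPlaintext` limitation is accurate, but the GCM authentication tag on any stored `encryptedPassword` already lets an attacker holding the database check guessed master passwords, so `testPlaintext` adds little beyond that; say so, or readers will assume removing it would close the oracle. Given that offline guessing is the realistic threat, 100,000 PBKDF2 iterations is also below current OWASP guidance (600,000 for PBKDF2-HMAC-SHA256); worth listing under known limitations or raising.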