Passky-Server
Add Shared Hosting Finalization
#8
Passky Shared Hosting
```sh
# Make installers executable
chmod +x installer.sh installerGUI.sh shared-hosting-finalization.sh
# Start the GUI installer
./installerGUI.sh
# Then do the finalization for the Shared Hosting environment
./shared-hosting-finalization.sh
```
This PR will create a public folder, which shared hosting should point to only. From cPanel, for instance, this can be done easily by subdomain-to-directory mapping, like passky.example.com pointing to Passky-Server/public.
Thanks, will check it in few days.
Sorry for the delay. Will check and test everything this month.
I don't think most shared website hosting providers will allow users to execute bash code. But we can provide them with all the files and navigate them to where they need to put them.
> I don't think most shared website hosting providers will allow users to execute bash code. But we can provide them with all the files and navigate them to where they need to put them.
Agree, but I suggest that we make both options available, which will be a very handy tool. I feel that in the future shared hosting will change its course to make the shell available for all. There is always a trick; for instance, any shared hosting has a cron, which is a shell execution at a selected time. 🙃🤣
I'm now working on the big update.
Changes:
- AES replaced with XChaCha20 (NordPass already uses XChaCha20, and to be future-proof it is better to switch sooner with fewer users than later)
- SHA replaced with Argon2id (Argon2 is the winner of the Password Hashing Competition)
- Password entropy (users will be able to use any character / emoji... for their password, so it will be a lot easier for users to create their account) https://github.com/Rabbit-Company/Passky-Server/issues/6
- A load balancer will be deployed on eu.passky.org and another one on us.passky.org, which will redirect and split users between multiple VPSs (scalability). So the database won't be located on each VPS / Passky server anymore, but on PlanetScale. With this method Passky will be able to scale like other password managers.
- Passky Client will notify you and refuse to connect to an unsupported Passky Server. So you will then be able to choose the correct Passky Client in order to connect.
- Each account on the eu.passky.org and us.passky.org servers will be able to store up to 100 passwords for free. If a user upgrades their package to the paid version, it will be able to store up to 1000 passwords. So both free and paid packages will contain all the features, and the only difference will be the number of passwords the account can store. I'm still not sure about the pricing of the paid package. But for current Passky users I will give the paid package for free forever.
- Whitepaper on how Passky works / improved FAQ
- API documentation, so developers can start making their own clients
After this update, I think that Passky will be ready to reach the masses. It will most likely take a few months for everything to be completed and tested. I have also contacted a few companies for a security audit and I think that I will go with Cure53.
In this update (when those features are added) we can also test everything on shared hosting and add official support for it.
If you have any suggestion feel free to provide it.
> AES replaced with XChaCha20 (NordPass already uses XChaCha20, and to be future-proof it is better to switch sooner with fewer users than later)
Sorry for the late response, I got busy. BTW, I don't know how to implement XChaCha20! So, I think it will be good practice if there is a blog, a reference, and comments in the source code as well on how to implement XChaCha20, because as far as I know, any encryption algorithm has its own parameters and it demands some tweaks to be practical and secure. Core encryption requires good care, especially when converting from one known encryption algorithm to another.
> So, I think it will be good practice if there is a blog, a reference, and comments in the source code as well on how to implement XChaCha20, because as far as I know, any encryption algorithm has its own parameters and it demands some tweaks to be practical and secure.
XChaCha20 has already been implemented. You can check the dev branch at https://github.com/Rabbit-Company/Passky-Website. XChaCha20 has been built based on the RFC and already tested with test vectors. https://github.com/Rabbit-Company/XChaCha20-JS
Argon2id implementation is still in progress.
> Core encryption requires good care, especially when converting from one known encryption algorithm to another.
The power of XChaCha20 is that it's really easy to implement and hard to screw things up. That's why a lot of cryptographers recommend it over AES.
NordPass wrote amazing blog about XChaCha20: https://nordpass.com/features/xchacha20-encryption/
Security audit of XChaCha20 implementation would cost 3.750€ from Cure53.
> Security audit of XChaCha20 implementation would cost 3.750€ from Cure53.
Had a security audit been done for the AES implementation before, which encouraged the project to adopt it?
> Had a security audit been done for the AES implementation before, which encouraged the project to adopt it?
We have used the existing CryptoJS library that the majority of the world uses. So this library has already gone through a lot of security audits.
Also what do you think about pricing: https://passky.org/pricing
I still don't know if I should provide unlimited passwords in the Premium package or 1000. If I choose unlimited then I would need to regularly monitor accounts to make sure they are not abusing it.
> Had a security audit been done for the AES implementation before, which encouraged the project to adopt it?

> We have used the existing CryptoJS library that the majority of the world uses. So this library has already gone through a lot of security audits.
BTW, I don't know how to check all the security audits that any library went through! If you know the way, please tell me. Most developers suppose that if any library has many stars on GitHub, it should be secure and trusted by default, because no one complained. (Yes, of course no one complains on the surface at least.) The common sense here is suspect: that the more developers use the library, the more likely it is secure. But stop and think: even if anyone said so and all the world wants your privacy, is it really true? Of course, from a small project and open-source perspective, herd usage is better than nothing. I really do respect all parties; I do this to move in a better direction. I think this project needs more open-source involvement. So, I suggest that the XChaCha20 implementation should be added by a PR into CryptoJS, which will get good attention from all. Later the project can make as many security audits as it needs. 🤗
> Most developers suppose that if any library has many stars on GitHub, it should be secure and trusted by default, because no one complained.
This is also true.
> So, I suggest that the XChaCha20 implementation should be added by a PR into CryptoJS, which will get good attention from all.
The problem is that the CryptoJS library uses WASM. So it's written in the C language and then compiled to support browsers, while my implementation is written in plain JS (so the performance of my library should be slower, as C is faster than JS). That's why CryptoJS won't accept my implementation, because it is written in pure JS and not in C.
I have also tested the performance of XChaCha20 in Libsodium (Libsodium also uses C / wasm).
Here are the results of my XChaCha20 implementation in pure JS:
Here are the results of Libsodium's XChaCha20 implementation in C:
As you can see, Libsodium does win in decryption, which is more important for a password manager. But WASM (Libsodium) is not supported in browser extensions with manifest V3. That's why I needed to create my own implementation in pure JS.
> Also what do you think about pricing: https://passky.org/pricing
Pricing is a good start, but take into account Purchasing Power Parities (PPP).
> I still don't know if I should provide unlimited passwords in the Premium package or 1000. If I choose unlimited then I would need to regularly monitor accounts to make sure they are not abusing it.
Of course, the Premium package must have unlimited passwords. But to stop abuse, the project can implement an algorithm to guarantee fair use, which differentiates between abuse and fair use automatically.
> Pricing is a good start, but take into account Purchasing Power Parities (PPP).
When you buy a Premium package you will receive a license key. This license key can be sent / resold to another person. So users could start buying thousands of licenses in poor countries and just resell them for a cheaper price to others.
(I will start with the license system implementation this week)
Another problem will be privacy. For example, if a user is able to buy the Premium package anonymously with Monero in order to have PPP, I would need to request / get the country of the user, which would also reduce privacy.
> Of course, the Premium package must have unlimited passwords. But to stop abuse, the project can implement an algorithm to guarantee fair use, which differentiates between abuse and fair use automatically.
Thanks, I will use unlimited passwords with a fair use policy.
> Pricing is a good start, but take into account Purchasing Power Parities (PPP).

> When you buy a Premium package you will receive a license key. This license key can be sent / resold to another person. So users could start buying thousands of licenses in poor countries and just resell them for a cheaper price to others.
> (I will start with the license system implementation this week)
> Another problem will be privacy. For example, if a user is able to buy the Premium package anonymously with Monero in order to have PPP, I would need to request / get the country of the user, which would also reduce privacy.

> Of course, the Premium package must have unlimited passwords. But to stop abuse, the project can implement an algorithm to guarantee fair use, which differentiates between abuse and fair use automatically.

> Thanks, I will use unlimited passwords with a fair use policy.
In fact, after some time of thinking, I remember that I'm currently a LastPass user, and I made my first Premium purchase at 12 USD annually before it was owned by LogMeIn. At that time I made a purchase for 10 years, which is 120 USD. Now I will think twice before repeating the same purchase again, because it is more expensive. So I think 12 USD annually is a better price; many people want to get back the great days of the first LastPass. 🤗
Ahh, Nice days 😂
You have saved so much money by buying a subscription for multiple years. Now it would cost you a lot more with the current LastPass pricing.
With password limit:
No limit option 1:
No limit option 2:
Which option would you more prefer?
> You have saved so much money by buying a subscription for multiple years. Now it would cost you a lot more with the current LastPass pricing.
Yes, indeed. This can be another marketing motivation. "Let's restore the great days of LastPass" 🤗
> With password limit:

> No limit option 1:

> No limit option 2:

> Which option would you prefer more?
Option 2 is better, if there is no limit. Don't mention it.
BTW, what is your main Password manager?
> BTW, what is your main Password manager?
My main password manager is Passky. That's why I have created it, to fulfill my needs.
I have just added an option for removing the password limit and account limit on the server.
This can be achieved by setting ACCOUNT_MAX and ACCOUNT_MAX_PASSWORDS to -1 in the .env file.
Now I will also need to add pagination for accounts in the Admin Panel. Right now, if you have more than 1000 accounts created on your Passky Server and you check the "Accounts" page in the Admin Panel, it will take some time to display 1000 accounts. Pagination will make everything a lot faster for managing bigger Passky Servers through the Admin Panel (GUI).
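The `-1` sentinel mentioned above is an easy place for a limit check to go wrong: a plain `count < limit` comparison rejects every insert once the limit is `-1`. The following is an added example, not Passky-Server's own code (the server is PHP; this is JavaScript for illustration). It assumes the two keys `ACCOUNT_MAX` and `ACCOUNT_MAX_PASSWORDS` from the thread, and the `.env` parsing, validation and check logic (`parseEnv`, `readLimit`, `canAddOne`, `buildLimits`) are hypothetical, as is the sample `.env` text.

```javascript
// Added example (not Passky-Server's code): treating -1 from .env as "unlimited"
// in a server-side limit check, with validation of the configured values.

// Parse a minimal KEY=VALUE .env text into an object. Blank lines and
// '#' comments are skipped; the first '=' splits key from value.
function parseEnv(text) {
  const out = {};
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    out[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return out;
}

// Read an integer limit. -1 means unlimited; a missing, non-integer or
// below -1 value is a configuration error and is rejected loudly rather
// than silently becoming "no limit".
function readLimit(env, key) {
  const raw = env[key];
  if (raw === undefined || !/^-?\d+$/.test(raw)) {
    throw new Error(`${key} must be an integer`);
  }
  const n = parseInt(raw, 10);
  if (n < -1) throw new Error(`${key} must be -1 (unlimited) or >= 0`);
  return n;
}

// True if one more item may be stored given the current count and the limit.
// The sentinel is handled before the numeric comparison; otherwise
// `current < -1` would be false for every request.
function canAddOne(current, limit) {
  if (limit === -1) return true;
  return current < limit;
}

// Build the limits object a server would keep after reading its .env.
function buildLimits(envText) {
  const env = parseEnv(envText);
  return {
    accounts: readLimit(env, 'ACCOUNT_MAX'),
    passwords: readLimit(env, 'ACCOUNT_MAX_PASSWORDS'),
  };
}

// Constructed sample .env: unlimited accounts, 1000 passwords per account.
const SAMPLE_ENV = `# constructed sample .env
ACCOUNT_MAX=-1
ACCOUNT_MAX_PASSWORDS=1000
`;

const LIMITS = buildLimits(SAMPLE_ENV);
console.log(LIMITS, canAddOne(999, LIMITS.passwords), canAddOne(1000, LIMITS.passwords));
```

A value of `0` is deliberately kept distinct from `-1` here: `0` means "nothing may be created" (useful for closing registrations), while `-1` lifts the limit, so the validator accepts both but the check treats them differently.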
I switched to the latest dev branch in order to make a full test; I didn't use the project as my main password manager before.
But now I'm looking forward to doing so.
I can't login to an empty passwords account.
You are using old Passky Client v7.1.0, which is not compatible with Passky Server v8.0.0.
Make sure you also use Passky Client v8.0.0 from https://github.com/Rabbit-Company/Passky-Website dev branch.
Also currently other languages won't work as I'm waiting for translators, so please use English.
> BTW, what is your main Password manager?

> My main password manager is Passky. That's why I have created it, to fulfill my needs.
I tried to import from LastPass and I have this error:
```text
Uncaught URIError: URI malformed
    at decodeURIComponent (<anonymous>)
    at XChaCha20.b64DecodeUnicode (XChaCha20.min.js:6:3778)
    at XChaCha20.xchacha20_decrypt (XChaCha20.min.js:6:3005)
    at XChaCha20.decrypt (XChaCha20.min.js:6:4332)
    at decryptPassword (default-functions.js:128:19)
    at import_data (export.js:361:105)
    at import_csv (export.js:353:2)
    at document.getElementById.onclick (export.js:426:60)
b64DecodeUnicode @ XChaCha20.min.js:6
xchacha20_decrypt @ XChaCha20.min.js:6
decrypt @ XChaCha20.min.js:6
decryptPassword @ default-functions.js:128
import_data @ export.js:361
import_csv @ export.js:353
document.getElementById.onclick @ export.js:426
```
Adding a new password is not working
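The `URIError: URI malformed` in the trace above is what `decodeURIComponent` throws when the percent-encoded bytes it is handed are not valid UTF-8; a base64-to-string helper built on that pattern therefore throws whenever the decrypted bytes are not text (wrong key, corrupted data, or a value that was never encrypted in the first place, such as a plaintext CSV field). The following is an added example, not code from Passky or its XChaCha20-JS library: it reproduces that failure mode with a naive helper, then shows a hardened decoder that validates the base64 first and decodes with `TextDecoder` in fatal mode, reporting failure as `null` so an importer can skip one bad record instead of aborting. The function names and the sample inputs are constructed; the root cause of the specific report above is an assumption.

```javascript
// Added example (not Passky's or XChaCha20-JS's code): the naive
// base64 -> UTF-8 pattern that throws URIError, beside a hardened version.

// Classic pattern: percent-encode each decoded byte and let decodeURIComponent
// reassemble UTF-8. Any byte sequence that is not valid UTF-8 makes it throw
// URIError ("URI malformed"), which is the failure in the trace above.
function b64DecodeUnicodeNaive(b64) {
  const bin = atob(b64);
  let pct = '';
  for (let i = 0; i < bin.length; i++) {
    pct += '%' + bin.charCodeAt(i).toString(16).padStart(2, '0');
  }
  return decodeURIComponent(pct);
}

// Hardened variant: reject anything that is not well-formed base64 up front,
// then decode with TextDecoder in fatal mode so invalid UTF-8 is detected
// explicitly. Returns null on any failure instead of throwing, so a caller
// processing many records can skip the bad one and continue.
function b64DecodeUnicodeSafe(b64) {
  if (typeof b64 !== 'string' || b64.length % 4 !== 0 ||
      !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    return null; // not base64 at all (e.g. a plaintext field)
  }
  let bin;
  try { bin = atob(b64); } catch (e) { return null; }
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  try {
    return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  } catch (e) {
    return null; // bytes are not UTF-8: wrong key, corrupted or never-encrypted data
  }
}

// Report which exception the naive helper raises for an input, or null if none.
function naiveFailureName(b64) {
  try { b64DecodeUnicodeNaive(b64); return null; }
  catch (e) { return e.name; }
}

// Constructed inputs
// Valid UTF-8 text (includes a non-ASCII character) in base64.
const GOOD_B64 = btoa(String.fromCharCode(...new TextEncoder().encode('hello ✓')));
// 0xFF and 0xFE can never appear in UTF-8; this is what "decrypted" garbage looks like.
const BAD_UTF8_B64 = btoa(String.fromCharCode(0xff, 0xfe, 0x41));
// A field that was never base64 or ciphertext, like a plaintext CSV cell.
const NOT_B64 = 'plaintext-from-csv!';

console.log(b64DecodeUnicodeSafe(GOOD_B64));        // "hello ✓"
console.log(naiveFailureName(BAD_UTF8_B64));        // "URIError"
console.log(b64DecodeUnicodeSafe(BAD_UTF8_B64));    // null
console.log(b64DecodeUnicodeSafe(NOT_B64));         // null
```

Both functions run in a browser and in Node.js (which provides `atob`, `btoa`, `TextEncoder` and `TextDecoder` as globals). For an authenticated construction such as XChaCha20-Poly1305 the tag check should already reject a wrong key before any text decoding happens, so reaching the `null` path in practice points at data that never went through the encryptor, which is worth surfacing to the user as a per-record import warning rather than an uncaught exception.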