Password management can be a huge hassle. Sure, people say you're "supposed" to use a different password for every site, but how are you going to remember a unique password for every site? Are you gonna write them down? If you do that and lose that piece of paper, your passwords are all gone and there's a chance all of your accounts are compromised. What about one of those fancy password managers like 1Password, Dashlane, or LastPass? Well first off they're not completely free, and secondly, with data breaches becoming more and more common, what happens if one of those companies gets compromised? Storing things on a centralized server means that you don't have complete control of your own data, so who knows what can happen.
With all of that in mind we decided to create a password manager that
Doesn't store any password data. At all.
Is completely free and open-source
Is as secure as possible from end-to-end
And is (most importantly) convenient for the end user
What it does
There are two components to PrintN'Pass: the mobile app and the browser extension.
Mobile app:
1) User chooses to send username credentials to the browser (optional)
2) Android app asks for biometric identification and, once approved, generates a constant and unique master password using SHA-256. This password is never saved anywhere.
3) The master password is encrypted so that it cannot be read by sniffing the traffic
4) The encrypted master password and the username for the website are sent to a webserver
Browser:
1) The browser receives a notification from the webserver indicating that a login request has been made
2) The browser fetches the encrypted master password and username, then decrypts the master password.
3) Browser gets the website currently in focus and extracts its domain name from the URL.
4) Browser hashes the master password with the domain name to create a password that is unique to each website.
5) The username and password fields on the webpage are filled in and the user can now log in
Note that no databases are used and nothing is ever stored on the client or server. Everything is automatically generated when needed.
How we built it
Node.js & express.js - used to create a simple webserver that bridges the connection between the mobile app and browser
Google Cloud Platform - used to host the webserver because who wants to keep their computer running all the time
Android SDK - used to develop the mobile app
Chrome Web Extension API - used to add TouchN'Pass functionality to the browser
Challenges we ran into
We originally did not want to have a webserver since that would be another moving part in what we wanted to be a very simple service. However, we eventually settled on creating one since it would improve user experience.
We originally intended to use Firebase Cloud Messaging to send notifications across platforms. However, due to lack of documentation on using Firebase with the Chrome Extension API, we decided to pivot and use a standard Node.js webserver.
Every website uses different identifiers for its username and password fields. We wanted the fields to be filled in automatically, so some hacky workarounds were needed to actually identify these fields.
Accomplishments that we're proud of
Successfully created a structurally complex and secure Android app (i.e., integrating fingerprint unlock, dynamically generating password data, etc.)
Implementing end-to-end encryption for the sensitive data sent from the mobile device to the browser
Not having to store any password data anywhere.
Creating a flexible password management system that works for any website or login form.
Creating a streamlined user experience that just about anyone can pick up and use.
This project, since it's something that we'd like to use in our daily lives.
What we learned
Firebase is cool but kinda hard to use in some cases
Chrome's Extension API is weirdly complex but powerful.
Those cookies had a lot of caffeine
Google Cloud Platform is surprisingly simple to use
How to detach a process from terminal so closing ssh doesn't kill it
How to implement fingerprint authentication on Android app
How to write and view logs with Logcat
Giving everyone access to the master branch on GitHub can be hectic, even counterproductive, at times
How to output to and input from a file from an Android app
How Android RecyclerViews work
How to completely mess up a git repository
What's next for PrintN'Pass
As we mentioned earlier, we did not want to include a webserver in our service; however, after the last 36 hrs we think it's definitely possible to redo this project without using a webserver and without sacrificing too much of the user experience in exchange. It would also be possible to rewrite the Chrome extension as a native desktop app so the password manager could also work with apps like Steam or Discord.