PrintN'Pass

Homescreen
Website List
Add URL Prompt

Inspiration

Password management can be a huge hassle. Sure, people say you're "supposed" to use a different password for every site, but how are you going to remember a unique password for every site? Are you gonna write them down? If you do that then if you lose that piece of paper your passwords are all gone and there's a chance all of your accounts are compromised. What about one of those fancy password managers like 1pass, Dashlane, or Lastpass? Well first off they're not completely free, and secondly with data breaches becoming more and more common what happens if one of those companies gets compromised? Storing things on a centralized server means that you don't have complete control of your own data, so who knows what can happen.

With all of that in mind we decided to create a password manager that

Doesn't store any password data. At all.
Is completely free and open-source
Is as secure as possible from end-to-end
And is (most importantly) convenient for the end user

What it does

There are two components to PrintN'Pass: the mobile app and browser.

Mobile App

1) User chooses to send username credentials to browser (optional)

2) Android app asks for biometric identification and once approved generates a constant and unique master password using SHA-256. This password is never saved anywhere.

3) The master password is encrypted to prevent traffic sniffing

4) The encrypted master password and username corresponding to the website is sent to a webserver

Browser Side

1) The browser receives a notification from the webserver indicating that a login request has been made

2) The browser fetches the encrypted master password and username. The 'encrypted master password' is then decrypted.

3) Browser gets the current website in focus and extracts its domain name from the URL.

4) Browser hashes the master password with the domain name to create a unique password for each website.

5) The username and password fields on the webpage are filled in and the user can now login

Note that no databases are used and nothing is ever stored on the client or server. Everything is automatically generated when needed

How we built it

Node.js & express.js - used to create a simple webserver that bridges the connection between the mobile app and browser

Google Cloud Platform - used to host the webserver because who wants to keep their computer running all the time

Android SDK - used to develop the mobile app

Chrome Web Extension API - used to add TouchN'Pass functionality to the browser

Challenges we ran into

We originally did not want to have a webserver since that would be another moving part in what we wanted to be a very simple service. However, we eventually settled on creating one since it would improve user experience.
We originally intended to use Firebase Cloud Messaging to send notifications across platforms. However, due to lack of documentation on using Firebase with the Chrome Extension API, we decided to pivot and use a standard Node.js webserver.
Every website has different identifiers for their username and password fields. We wanted the fields to be filled in automatically so some hacky workarounds needed to be used to actually identify these fields .

Accomplishments that we're proud of
Successfully created a structurally complex and secure Android app (ie integrating fingerprint unlock, dynamically generating password data, etc.)
Implementing end-to-end encryption for the sensitive data sent from the mobile device to the browser
Not having to store any password data anywhere.
Creating a flexible password management system that works for any website or login form.
Creating a streamlined user experience that just about anyone can pickup and use.
This project since it's something that we'd like to use in our daily lives.

What we learned

Andros

Firebase is cool but kinda hard use in some cases
Chrome's Extension API is weirdly complex but powerful.
Those cookies had a lot of caffeine

Arden

Google Cloud Platform is surprisingly simple to use
How to detach a process from terminal so closing ssh doesn't kill it

Michael

How to implement fingerprint authentication on Android app
How to write and view logs with Logcat
Giving everyone access to the master branch on Github can be hectic, even counterproductive, at times

Eric
How to output to and input from a file from an Android app
How Android RecyclerViews work
How to completely mess up a git repository

What's next for PrintN'Pass

As we had mentioned earlier we did not want to include a webserver in our service, however after the last 36 hrs we think it's definitely possible to redo this project without using a webserver and without sacrificing to much of the user experience in exchange. It would also be possible to rewrite the chrome extension as a native desktop app so the password manager could also work with apps like Steam or Discord.

Hey this is an Alt text!

> thumbnail not relevant

Built With

android-studio
chrome-extensions-api
cryptography
css
express.js
google-cloud
html
java
javascript
node.js
volley

Submitted to

HopHacks Spring 2019
- Winner Google

Created by

I worked on setting up the server using google cloud services and also programmed part of the encryption

Arden Zhang
I worked on the UI and the IO for the Android app

Eric Wei
I developed the Chrome Extension and bridge between the app and browser, as well as some crypto stuff.

Andros Yang
I worked on creating and setting up the fingerprint activity and some UI on the Android App

Michael Li