
swordfish's Introduction

NOTE: This repository is no longer supported or updated by GitHub. If you wish to continue to develop this code yourself, we recommend you fork it.

Swordfish

Swordfish was an experiment in building a group-optimized password management app. It is unmaintained and is likely insecure.

Recommended Reading

Working on Swordfish

Use the bootstrap script to get the environment set up.

script/bootstrap

Now you will need to run the database migrations before you run the server.

bundle exec rake db:create db:migrate

Finally you can start the application.

script/rails s

Running the tests requires PhantomJS. If you're on Mac OS X you can use homebrew to install this for you.

brew install phantomjs

If you hack on Swordfish and end up adding or editing features you will want to run the tests.

bundle exec rake

Want to join the core team?

swordfish's People

Contributors

bkeepers, brianstorti, btoews, danielmorrison, danthompson, ejfinneran, ezkl, jbarnette, joeyw, jonrohan, jrsconfitto, kelvinst, kevinsawicki, sethvargo, shell, siong1987, skalnik, soffes, spraints, themgt, tombell


swordfish's Issues

keypair is null in item collection after loading a key

I guess my key wasn't unlocked (just created it), but I added an item, and while it was prompting me to sign in, I saw this:

http://swordfish.dev/?title=Test&data.username=test&data.password=test#

And that of course hits the server, so most of it shows up in the logs:

Started GET "/?title=Test&data.username=test&data.password=[FILTERED]" for 127.0.0.1 at 2012-09-22 18:57:11 -0500 Processing by DashboardController#index as HTML Parameters: {"title"=>"Test", "data.username"=>"test", "data.password"=>"[FILTERED]"} Rendered dashboard/index.html.erb within layouts/application (0.1ms) Completed 200 OK in 42ms (Views: 40.3ms)

Add other types of items

Besides "logins", we should be able to easily store:

  • Accounts: logins to non-web things like servers, databases, desktop apps, etc.
  • Notes: any text
  • Software Licenses
  • Wallet items: credit cards, membership accounts, etc

Evaluate security of browser-based solution

I still think there are a lot of open questions about building a web-based solution. I'd like to create a space to discuss them.

  1. Is JavaScript cryptography secure enough?
  2. Is localStorage secure enough for storing the encrypted private key?
  3. Is there a way to securely store the passphrase or decrypted private key?

To clarify, by "secure enough" I mean: without crossing some boundary, could an attacker gain access to the data? If the server or client is compromised, there can be no expectation of security with any architecture.

Populate username/password field when autosaving

Autosaving currently saves the attributes without modification, so if a form uses something besides "username" and "password", then the details can't be viewed in the web interface.

We should inspect the submitted params and populate swordfish's username/password fields.

Authentication

A password manager isn't much use without user authentication.

Update existing item on change

If a login is already saved for a host, it would be awesome to prompt to update the existing one, or create a new login.

installation and setup?

Hi guys,

The tool seems really useful, so I started with getting my Ruby setup going on my Debian box. The standard test application works (the one "rails testapplication" generates), but for some reason swordfish does not.

I actually was wondering if anybody got some pointers for me on how to setup this properly so I can start giving this tool a try out.

What I did so far:

  • I installed libapache2-mod-fcgid and libfcgi-ruby1.8
  • created an apache vhost
  • git cloned the repository into a folder and added this into public/.htaccess

# General Apache options
#AddHandler fastcgi-script .fcgi
#AddHandler cgi-script .cgi
AddHandler fcgid-script .fcgi
Options +FollowSymLinks +ExecCGI

# If you don't want Rails to look in certain directories,
# use the following rewrite rules so that Apache won't rewrite certain requests
#
# Example:
#   RewriteCond %{REQUEST_URI} ^/notrails.*
#   RewriteRule .* - [L]

# Redirect all requests not available on the filesystem to Rails
# By default the cgi dispatcher is used which is very slow
#
# For better performance replace the dispatcher with the fastcgi one
#
# Example:
#   RewriteRule ^(.*)$ dispatch.fcgi [QSA,L]
RewriteEngine On

# If your Rails application is accessed via an Alias directive,
# then you MUST also set the RewriteBase in this htaccess file.
#
# Example:
#   Alias /myrailsapp /path/to/myrailsapp/public
#   RewriteBase /myrailsapp

RewriteRule ^$ index.html [QSA]
RewriteRule ^([^.]+)$ $1.html [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
#RewriteRule ^(.*)$ dispatch.cgi [QSA,L]
RewriteRule ^(.*)$ dispatch.fcgi [QSA,L]

# In case Rails experiences terminal errors
# Instead of displaying this message you can supply a file here which will be rendered instead
#
# Example:
#   ErrorDocument 500 /500.html

ErrorDocument 500 "<h2>Application error</h2>Rails application failed to start properly"

Has worked for the standard ruby app as said before, but not for this. Obviously I am missing something :)

Thanks for your help!

Design

I've got some code started (not all pushed at the moment), but step one is getting a workable design. I spent some time today working on a mockup. It's far from perfect, and still more to do (especially in the right pane), but it's a start.

(mockup image)

Run JS specs via guard

I don't know how to write code without guard. I want the JS specs to run when js files or specs are saved.

The JS specs are currently run via evergreen, which is no longer maintained. I would love to migrate the specs to something that is maintained and better integrates with the Rails asset pipeline.

Can't Sign Out

When I click Sign Out

I see:

Routing Error

No route matches [GET] "/signout"

I'm guessing that this is a result of changes from #30.

Prompt to unlock on autofill

Hitting ⌘/ will autofill if the keypair is unlocked, but silently fails if it is locked. It should prompt to unlock.

Copy to clipboard

I would prefer to replace "reveal" with a "copy to clipboard" feature. Generally, you need a password so you can paste it somewhere else. There is rarely an instance where you want to see the password, and in that case you can just paste it somewhere else where it is readable.

I'm not sure what the current state is of the clipboard api in browsers, but it would be awesome if we could clear the copied password after a timeout, or at least after autolock. I'm guessing the clipboard APIs require some kind of user action (click, keyboard) to modify the clipboard, so worst case scenario, we should be able to copy a blank string to the clipboard on the next user action.

YubiKey Support

When logging into Swordfish having a one time password generated for every login could really help in security. You could take it even further and use it for two factor authentication as well.

For more information on YubiKey: http://www.yubico.com/products/yubikey-hardware/yubikey/

Are there extension points for third party authentication support? Is this something that the Swordfish community would be interested in?

Secure notes

Has there been any thought put towards supporting the storage of secure notes (i.e. freeform/arbitrary text content) in addition to storing authentication details? I’m not sure if we want to go down the line of having swordfish store all kinds of different special data types like some apps do (except credit card details maybe?), but maybe supporting a freeform text item type is worth thinking about?

Error when running rake - No such file or directory - phantomjs

Hi,

I checked out a copy of Swordfish, started up my local mongodb, then tried to run rake.

I got an error about:

/Users/victorhooi/.rbenv/versions/1.9.3-p194/bin/cucumber: No such file or directory - phantomjs --version
      undefined method `chomp' for nil:NilClass (NoMethodError)
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/poltergeist-0.7.0/lib/capybara/poltergeist/client.rb:64:in `check_phantomjs_version'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/poltergeist-0.7.0/lib/capybara/poltergeist/client.rb:26:in `start'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/poltergeist-0.7.0/lib/capybara/poltergeist/client.rb:9:in `start'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/poltergeist-0.7.0/lib/capybara/poltergeist/driver.rb:34:in `client'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/poltergeist-0.7.0/lib/capybara/poltergeist/driver.rb:22:in `browser'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/poltergeist-0.7.0/lib/capybara/poltergeist/driver.rb:115:in `reset!'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/capybara-1.1.2/lib/capybara/session.rb:70:in `reset!'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/capybara-1.1.2/lib/capybara/dsl.rb:87:in `block in reset_sessions!'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/capybara-1.1.2/lib/capybara/dsl.rb:87:in `each'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/capybara-1.1.2/lib/capybara/dsl.rb:87:in `reset_sessions!'
      /Users/victorhooi/.rbenv/versions/1.9.3-p194/lib/ruby/gems/1.9.1/gems/capybara-1.1.2/lib/capybara/cucumber.rb:10:in `After'

Failing Scenarios:
cucumber features/items.feature:3 # Scenario: creating and editing an item
cucumber features/key_generation.feature:3 # Scenario: Sign up and create new key
cucumber features/key_generation.feature:16 # Scenario: Successfully Unlocking key
cucumber features/key_generation.feature:24 # Scenario: Uploading key to sign in
cucumber features/key_generation.feature:33 # Scenario: Failing to unlock key
cucumber features/signout.feature:3 # Scenario: Sign out and lock key

6 scenarios (6 failed)
66 steps (6 failed, 60 skipped)
0m1.022s
rake aborted!
Command failed with status (1): [/Users/victorhooi/.rbenv/versions/1.9.3-p1...]

Tasks: TOP => default => cucumber => cucumber:ok
(See full trace by running task with --trace)

I've put the full trace in a Gist here:

https://gist.github.com/3843330

By the way - is there any way we could put quickstart or installation instructions somewhere in the Readme? It can be a bit confusing how to properly use this app, particularly for those of us who aren't from the Ruby/Rails world? =)

Cheers,
Victor

Search

User can search for items across all vaults.

browser extensions

The true value of a good password management app is good browser integration. It should be able to automatically store new passwords and autofill existing passwords.

Is this project still active?

Hi,

Just checking - is this project still active?

It looked pretty awesome in the initial stages, it'd be a shame for Github to just let it die?

Cheers,
Victor

Autolock after timeout

Vault should autolock after a configured timeout.

Should the timeout be configured per vault or per user? I can see each user wanting that control, but for certain shared vaults the vault owner might want to determine that.

Autofill login details

When on a site that has a saved password, autofill the details with a keyboard shortcut or by clicking on the extension icon.

Look for synergies with Web Cryptography API

Realizing that Swordfish is playing in this domain, it seemed worth raising an issue to see if there's any future architectural planning that could come from having read this Web Cryptography API draft.

http://www.w3.org/TR/WebCryptoAPI/

This specification describes a JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption. Additionally, it describes an API for applications to generate and/or manage the keying material necessary to perform these operations. Key storage is provided for both temporary and permanent keys. Access to keying material is contingent on the same origin policy. Uses for this API range from user or service authentication, document or code signing, and the confidentiality and integrity of communications.

Upgrade to Rails 3.2.x

We were on 3.1.x due to incompatibilities with ToyStore, but now that we're on ActiveRecord, there's no reason we can't and shouldn't upgrade.

Toolbar icon

For the chrome extension we'll need a toolbar icon, which will be placed to the right of the address bar. It needs to look good on both dark and light backgrounds since users can (and often do) customize the theme.

See Chrome extension docs for more info.

Exception after loading a different key

If you already have a key set in localStorage, but go to #/key/load to load a different one, then stuff blows up:

Uncaught TypeError: Cannot call method 'decrypt' of undefined keypair.js:40
Keypair.Keypair.decrypt keypair.js:40
Item.Item.key item.js:30
Item.Item.data item.js:34
Item.Views.Show.Show.serialize show.js:31

Need to come up with a better way of passing the key around (or better yet, not passing it around and fetching it from a "global" whenever it's needed).

PKI

A shared per-vault password will work ok for minimal security, but ideally we should support some sort of PKI. Sharing a vault with another user would be a simple matter of storing the vault key encrypted with their public key.

Key escrow

It should be easier to use the app from multiple devices. To do that, we need an easy way to get the key on those devices. A few ideas:

  1. Implement a separate key store service that will save private keys. This should be completely separate from the central data store and ridiculously secure.
  2. Save the key to dropbox. This could even be as an HTML file, which has a big link to the app with the key as part of the hash, which could then be copied into localStorage
  3. Google Authenticator or something like it. I think this requires that the server has the key, so this probably isn't a great option if we want to keep the keys off the server.

Password generator

Implement a password generator that allows specifying some constraints, such as length, number of digits, and number of symbols, and shows the strength of the password.

invalid_credentials on github oauth login

It always gives invalid_credentials error when trying to login with github oauth login.

2012-08-28T05:22:58+00:00 app[web.1]: Started GET "/auth/failure?message=invalid_credentials&origin=https%3A%2F%2Fswordfish-v.herokuapp.com%2Fsignin&strategy=github" for 24.6.118.132 at 2012-08-28 05:22:58 +0000
2012-08-28T05:22:58+00:00 app[web.1]:   Processing by SessionsController#failure as HTML
2012-08-28T05:22:58+00:00 app[web.1]:   Parameters: {"message"=>"invalid_credentials", "origin"=>"https://swordfish-v.herokuapp.com/signin", "strategy"=>"github"}
2012-08-28T05:22:58+00:00 app[web.1]: Redirected to https://swordfish-v.herokuapp.com/signin

Show form fields in web interface

Autosave in the extension saves the value for all fields. They don't need to be viewable by default, but the web view for an item should have a way of viewing these, maybe in the edit view.

Why Mongo over *SQL? (Not trying to start a flame war)

This may sound trite, but I am curious why you chose to go with MongoDB as the store and not say, MySQL or PostgreSQL? I would think this would present a couple of issues:

  1. MongoDB, ignoring its reputation, isn't exactly an easy database to maintain. Configuration, at least used to be, somewhat of a pain to get right in order to keep MongoDB from freaking out and losing its data. Admittedly I have relatively little experience using it or maintaining it compared to *SQL but the little interaction I did have and from what I've learned from others using it, it can be finicky.
  2. The SQL's are well known, easy to manage and overall very stable. They represent less overhead for Ops (in general) due to their familiarity.
  3. MongoDB has a pretty terrible reputation, even if it is wrong (I don't have enough experience to say), it could affect adoption.

I was just surprised when I saw you were using MongoDB, I am curious to hear what your point of view is here if you have a minute. Definitely not critical.

Key Rollover

Would be great if the user interface surfaced "You need to change this password!" per a key rollover policy based on when the password information was added or last updated.

e.g. That would let you say for a Vault that passwords need to be changed annually.
