
A modern, open source password manager for individuals and teams.

Home Page: https://padloc.app

License: GNU Affero General Public License v3.0

CSS 0.22% JavaScript 52.56% HTML 2.87% TypeScript 44.20% Rust 0.07% Dockerfile 0.02% Shell 0.05%
javascript lit-element lit-html password-generator password-manager progressive-web-app pwa tauri typescript cryptography

padloc's Introduction

Padloc

Simple, secure password and data management for individuals and teams.

About

This repo is split into multiple packages:

Package Name        Description
@padloc/core        Core Logic
@padloc/app         Web-based UI components
@padloc/server      The Backend Server
@padloc/pwa         The Web Client, a Progressive Web App.
@padloc/locale      Package containing translations and other localization-related things
@padloc/electron    The Desktop App, built with Electron
@padloc/cordova     Cordova project for building iOS and Android app.
@padloc/tauri       Cross-platform native app, powered by Tauri
@padloc/extension   Padloc browser extension

How to use

As you can see in the About section, there are lots of different components to play with! But at a minimum, in order to set up and use your own instance of Padloc you'll need to install and configure the Server and Web Client. In practice, there are a few different ways to do this, but if you just want to install and test Padloc locally, doing so is really quite easy:

git clone git@github.com:padloc/padloc.git
cd padloc
npm ci
npm start

The web client is now available at http://localhost:8080!

In-depth guides on how to host your own "productive" version of Padloc and how to build and distribute your own versions of the desktop and mobile apps are coming soon!

Contributing

All kinds of contributions are welcome!

If you want to report a bug or have a feature request, please create an issue.

If you have a question, feedback or would just like to chat, head over to the discussions section.

If you want to contribute to Padloc directly by implementing a new feature or fixing an existing issue, feel free to create a pull request! However, if you plan to work on anything non-trivial, please do talk to us first, either by commenting on an existing issue, creating a new issue or by pinging us in the discussions section!

To learn how to get started working on Padloc, refer to the Development section of the readme.

Security

For a security design overview, check out the security whitepaper.

Development

Setup

Setting up your dev environment for working with Padloc is as simple as:

git clone git@github.com:padloc/padloc.git
cd padloc
npm ci

This may take a minute, so maybe grab a cup of ☕️.

Dev Mode

To start "dev mode", simply run

npm run dev

from the root of the project. This will start the backend server (by default listening on port 3000), as well as the PWA (by default available on http://localhost:8080).

The server and PWA ports can be changed via the PL_TRANSPORT_HTTP_PORT and PL_PWA_PORT environment variables, respectively. For more configuration options, check out the Configuration section of the server and pwa.

Formatting

This project is formatted with Prettier. To re-format all files using our .prettierrc.json specification, run the following from the root of the project.

npm run format

To simply check whether everything is formatted correctly, you can use the following command:

npm run format:check

Testing

To run unit tests, use:

npm run test

Cypress end-to-end tests can be run via:

npm run test:e2e

And to start cypress tests in "dev mode":

npm run test:e2e:dev

Adding / removing dependencies

Since this is a monorepo consisting of multiple packages, adding/removing to/from a single package can be less than straightforward. The following commands are meant to make this easier.

To add a dependency to a package, run:

scope=[package_name] npm run add [dependency]

And to remove one:

scope=[package_name] npm run remove [dependency]

For example, here is how you would add typescript to the @padloc/server package:

scope=server npm run add typescript

Note: We're trying to keep the number and size of third-party dependencies to a minimum, so before you add a dependency, please think twice about whether it is really needed! Pull requests with unnecessary dependencies will very likely be rejected.

Updating The Version

The Padloc project consists of many different subpackages. To simplify versioning, we use a global version for all of them. This means that when releasing a new version, the version of all subpackages needs to be updated, regardless of whether there have been changes in them or not. To update the global version across the project, you can use the following command:

npm run version [semver_version]

Deployment / Publishing

Padloc has a lot of different components that all need to be built/released/published in different ways. To manage this complexity, we have compiled all deployment steps for all components in a single Github Workflow. To release a new version, simply:

  1. Update project version
  2. Commit and push.
  3. Run the Publish Release action.

Licensing

This software is published under the GNU Affero General Public License. If you wish to acquire a commercial license, please contact us at [email protected].

padloc's People

Contributors

andrejdaskalov, arimgibson, avvolodin, azeemba, azurite, brunobernardino, celevra, ch1bo, chaosbunker, coluzziandrea, combinatorist, completelygeneric, connormcf, detobel36, dome4, dploeger, giansalex, halacoglu, jonaskruckenberg, kentshikama, livgudtom, lukaszslupski, maklesoft, moigarmo, moritzheiber, pwasiewicz, pwasiewicz-a, rhuba8324, royalcrafter

padloc's Issues

Unable to setup development environment due to CSP violation

I cannot start Padlock in my development environment, because Chrome is bothered by the Content-Security-Policy:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' gap:". Either the 'unsafe-inline' keyword, a hash ('sha256-B4XSnYTW0R_oqcAPMdmI9UDnCWideRtvmE1o0XL9Z4c='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

As the CSP in the file is actually

<meta http-equiv="Content-Security-Policy" content="default-src 'self' gap:; style-src 'self' 'unsafe-inline'; connect-src https://cloud.padlock.io">

this makes sense, because index.html contains inline scripts, which is not allowed.

So shouldn't the inline scripts be either put in a separate file or am I missing something here?
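The check the browser performs in this report can be reproduced offline. The following is an added example, not code from the Padloc repository: it parses the policy quoted in the issue, resolves which directive governs inline scripts (script-src-elem, then script-src, then default-src), and computes the hash-source that would permit one specific inline script. The function names and the sample script text are assumptions made for the illustration.

```javascript
const crypto = require("crypto");

// Policy quoted in the issue (from the <meta http-equiv> tag).
const ISSUE_POLICY =
  "default-src 'self' gap:; style-src 'self' 'unsafe-inline'; " +
  "connect-src https://cloud.padlock.io";

// Parse a serialized policy into Map<directive name, source list>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Hash-source for an inline script body (the exact text between the tags).
function scriptHashSource(scriptText, alg = "sha256") {
  const digest = crypto.createHash(alg).update(scriptText, "utf8").digest("base64");
  return `'${alg}-${digest}'`;
}

// Hash-sources may be written in base64url; normalise to plain base64.
function normaliseB64(value) {
  return value.replace(/-/g, "+").replace(/_/g, "/");
}

// Decide whether an inline <script> would run under the given policy.
function inlineScriptAllowed(policy, scriptText, nonce = null) {
  const directives = parseCsp(policy);
  const governing = ["script-src-elem", "script-src", "default-src"]
    .find((name) => directives.has(name));
  if (!governing) return { allowed: true, via: "no governing directive" };

  const hashes = [];
  const nonces = [];
  let unsafeInline = false;
  for (const src of directives.get(governing)) {
    const h = /^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$/i.exec(src);
    const n = /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/i.exec(src);
    if (h) hashes.push({ alg: h[1].toLowerCase(), digest: normaliseB64(h[2]) });
    else if (n) nonces.push(n[1]);
    else if (src.toLowerCase() === "'unsafe-inline'") unsafeInline = true;
  }

  if (nonce !== null && nonces.includes(nonce)) {
    return { allowed: true, via: `${governing} nonce` };
  }
  for (const { alg, digest } of hashes) {
    const actual = crypto.createHash(alg).update(scriptText, "utf8").digest("base64");
    if (actual === digest) return { allowed: true, via: `${governing} hash` };
  }
  // 'unsafe-inline' is ignored as soon as any hash or nonce source is present.
  if (unsafeInline && hashes.length === 0 && nonces.length === 0) {
    return { allowed: true, via: `${governing} 'unsafe-inline'` };
  }
  return { allowed: false, via: governing };
}

// Constructed inline script, standing in for the one in index.html.
const SAMPLE_INLINE = "window.constructedExample = true;";
console.log(inlineScriptAllowed(ISSUE_POLICY, SAMPLE_INLINE));
console.log(scriptHashSource(SAMPLE_INLINE));
```

The 'unsafe-inline' in style-src has no effect on scripts, which is why the policy from the issue still blocks them through the default-src fallback.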

Pull to synchronize

You know how in most apps we have "Pull To Refresh" can we have a "Pull to Sync"?

Feature Request: Sort by Section Name

The websites are listed in alphabetical order. Would it be possible to add the option to list by section? That would make sections more useful than they are now as currently they are more like tags. I ask because this is a feature of LastPass and SafeInCloud from which I've switched. Also if the section and alphabetical headers were collapsible I believe it would speed up the UX by reducing the amount of scrolling required.

I hope that's helpful. I'm currently running Padlock Cloud on two PCs and Android with no issues.

Autofill passwords

Is there an option to do that ?
It would be very nice if you added that 👍

Records are not deleted from other devices on synchronisation

Noticed an issue on synchronisation. When I add a new record, it instantly appears on other devices. When I delete it, it disappears only from the device that it was deleted from. It is still present on other devices, even when running manual synchronisation.

_pause doesn't _lock?

I'm just looking through the source code whether the app supports auto-locking (the vault is locked when the app is sent to the background).

If I read this right, the _pause-method is called when this event happens. But the _pause-method doesn't call the _lock-method. It seems to hide the view, the user currently is in (which could result in showing the lock-view I guess), but it i.e. doesn't delete the remote source password, as _lock does. Or am I missing something here?

Biometric Authentication (Fingerprint, FaceID etc.)

Common password managers support the unlocking of the vault using the iOS TouchID fingerprint identification framework.

I will post more information to this issue about the implementation and possible ways in Polymer or cordova.

Let (mobile) apps sync with custom server instance

Right now, Padlock is able to sync with cloud.padlock.io, which is great, however, I would love to be able to run my own instance of the server and let the (mobile) apps (iOS/Android/possible stand-alone application to be developed) sync with it instead of trusting a third party with my password/sensitive information.

So there'd need to be a choice when setting up sync, i.e. entering a custom URL etc.

Shortcuts on the field's menu

I have started using padlock and I love it! I would just love to be able to keep my hands on my keyboard when I use it. In this aspect, I think it would be nice if in the field's menu, every option would have a shortcut: c for "Copy", e for "Edit", g for "Generate" and r for "Remove".
It could be done on every menu.

Also, above the records' list, it says "tap to search...". I tried typing but it did nothing. I understood we need to click on the text. It would be nice to focus the input when we start typing.

I looked at the source code for both of those but I couldn't get my head around it. I'm not really a front-end type of guy, sorry. 😄

Use asymmetric encryption

IDK if this is a real issue or not, but I was thinking about it this morning

It seems like the architecture is that the DB file is symmetrically encrypted using the passphrase I choose and stored on the server to be synchronized with other devices

That means if someone gets ahold of my database file somehow (e.g. back end server breach) they could relatively easily brute force or dictionary attack passwords on the file unless my passphrase was very complicated (and I doubt most people have complicated passphrases)

Seems like padlock should be using public key encryption where each machine has its own key pair and the key pair has a passphrase-allows you to use different keyphrases on different machines as well. The only limitation of that approach is that a machine with access to the file has to be used to approve adding another device, because it would have to decrypt the file and re-encrypt with a new set of public keys

LMK if I'm totally off base here (I'm hoping that I am)
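A sketch of the per-device key pair scheme proposed in this issue, as an added example that is not Padloc's implementation. It uses a common variant: the vault is encrypted once with a random key, and only that key is wrapped for each device's public key, so approving a device re-wraps the key instead of re-encrypting the file. The function names and record contents are assumptions, and passphrase protection of each private key is left out.

```javascript
const crypto = require("crypto");

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Each device generates its own key pair; only the public half leaves the device.
function newDeviceKeys() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

function wrapKey(vaultKey, publicKey) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, vaultKey);
}

function unwrapKey(wrapped, privateKey) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
}

// What the sync server would store: ciphertext plus one wrapped key per device.
function createVault(records, deviceId, publicKey) {
  const vaultKey = crypto.randomBytes(32); // random, not derived from a passphrase
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", vaultKey, iv);
  const data = Buffer.concat([cipher.update(JSON.stringify(records), "utf8"), cipher.final()]);
  return {
    iv,
    data,
    tag: cipher.getAuthTag(),
    wrappedKeys: { [deviceId]: wrapKey(vaultKey, publicKey) },
  };
}

function openVault(vault, deviceId, privateKey) {
  const wrapped = vault.wrappedKeys[deviceId];
  if (!wrapped) throw new Error(`device ${deviceId} has not been approved`);
  const vaultKey = unwrapKey(wrapped, privateKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", vaultKey, vault.iv);
  decipher.setAuthTag(vault.tag); // final() throws if the ciphertext was tampered with
  const plain = Buffer.concat([decipher.update(vault.data), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// The limitation named in the issue: only a device that can already open the
// vault can add another one, by unwrapping the key and wrapping it again.
function approveDevice(vault, approverId, approverPrivateKey, newId, newPublicKey) {
  const wrapped = vault.wrappedKeys[approverId];
  if (!wrapped) throw new Error(`device ${approverId} cannot approve others`);
  const vaultKey = unwrapKey(wrapped, approverPrivateKey);
  vault.wrappedKeys[newId] = wrapKey(vaultKey, newPublicKey);
  return vault;
}
```

A copy of the stored vault object contains nothing derived from a user passphrase, so the offline dictionary attack described in the issue has no passphrase to guess; the protection then rests on how each device guards its private key.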

UX Features

I love the ux on this app, but there could still be some improvements like the no animation issue #35 but some other stuff too.

I only have one idea right now so that's why I named this issue UX Features so users can add to it:

Idea: Holding a record field, should popup an easy copy feature, where once I hold a list of field names pops up and as I swipe up and down on the fields, it selects those and when I release it copies it. That would make it easy to copy what I want, while easily seeing my other records. Instead of having to:

  1. Tap record
  2. Tap field
  3. Copy

Now idk how hard this would be to implement but hopefully you understood what I meant. I'll see if I can find some type of GIF example if you don't understand.

Padlock doesn't use same storage across different browsers.

I opened Padlock on a local server and added a few entries. I then decided to open Padlock from a different browser, but rather than showing me the entries I had just added in the other browser it asked me to create a master password again. I didn't complete this step, but I think that Padlock should have realized that I already created a master password and a few entries.

If I use 3 different browsers and I have to open Padlock in each of them and add an entry for every account I have, then it loses a lot of utility as a password manager.

Entries aren't alphabetized and displayed correctly

I'm using Linux so that might be part of the problem, but I cloned and installed the repo and wanted to test some things out. I added a few passwords and saw unexpected behavior:

image

I would've expected the Slack entry to be under its own "S" heading.

This issue led me to try PadLock in another browser, where I discovered issue #61

Chrome app does not connect to a custom server

The Android app works fine and synchronises with the custom server. But the Chrome app gives the message "Failed to connect to Padlock Cloud. Please check your internet and try again!".

The browser works and I can connect to the login screen. I am using Linux and have tried it on several distros and versions but the Chrome app does not work. It does work with your own cloud.

Lock Timer

When switching apps trying to login I have to keep inputting my master password which is annoying, there should be a timer/delay for when it asks me for that again.

Support iOS Safari Extension

Common password managers support a custom iOS Safari Extension since iOS 8. That way, a password for the currently visited URL could be fetched from the Vault and copied to the clipboard or even fill out the form.

I will post more information to this issue about the implementation and possible ways in Polymer or cordova.

Lost cloud connection

Hello MaKleSoft,

I use padlock on some devices and I like it!
Unfortunately the devices running the chrome app lose the connection to the padlock cloud after a restart of chrome.
I invite you to have a beer if you fix this issue ;-)

Best regards,
Andre

Two-Factor Authentication?

I'd like to start a discussion regarding a feature for Two-Factor Authentication. I think the subject of its security is arguable both for and against but I hope this thread reveals how we could implement it or at least a good argument for why we shouldn't.

Let me start with some points:

  • 2FA usually consists of Device, SMS, Email, and Phone methods. I believe if we are to implement any of it we should only concern ourselves with Device (Google Authenticator) for now. The reason being that all other methods require external server support.
  • I personally use DUO (similar to Google Authenticator) and I know a lot of others use these too. I would suggest starting with support for Time-based-one-time-passwords (TOTP).
  • 2FA should be an option but be disabled by default when starting to use the app for the first time. Enabling 2FA and setting it up should be done via the Settings screen. This is my personal preference anyway.
  • We should consider if the 2FA tokens simply allow access to the application or if they contribute to part of the encryption key. I'm inclined to say just restrict access to the application for now as I don't feel messing with key generation is a good idea just yet.
  • Losing access to your 2FA device would be devastating unless we provide the user backup codes. These backup codes should be provided after setup has been completed. Unlike other online service providers we can't rely on an email fallback if they lose their device as we don't want to rely on external services.
  • Finally is 2FA worth it for locally run software? Jailbreaking your phone or gaining access to your computer may allow you to bypass this check entirely. I know Chrome plugins are easily manipulated via Chrome Developer Tools, it's just JavaScript after all but iPhone and Android apps will need to be jailbroken before anything can be changed. So does employing 2FA give us more security? Does defence in depth apply here?

Here are some working solutions to 2FA:

I personally believe that 2FA is fairly simple to implement and that as it doesn't need to affect the encryption scheme we should have little risk in adding it. It's lightweight security to restrict access to the application, but is it too lightweight that we risk making the app more complicated for little benefit?

Your thoughts?

Build, install and serve processes rely on external dependencies.

The sooner we can allow people to go from git clone, to running the software, the more likely we are to bring people on board with the project.

I'm more than happy to put in the work to close this issue, making more use of npm scripts, which allow us to define a version of gulp or bower to use within the project, by adding them to our devDependencies. This should help reduce the number of bugs people hit if gulp or bower or similar update with a breaking change and prevent people from running the software.

We should also include a serve script + a dependency that can serve this, then we can have a default start script that will serve the content without any extra downloads or effort required.

I've opened #26 to get the install down to one command instead of two, and will open further PRs when I have time.

  • Reduce complexity of installation. (Fixed with #26)
  • Add bower to devDependencies (Fixed with #28)
  • Alias gulp scripts to npm scripts, so we use the version of gulp defined locally (Fixed with #29)
  • Add a serve script (Fixed with #30)

Sorry if I've put too many commits into any 1 PR. I have a habit of getting my branches mixed up and accidentally make a branch from a branch instead of master. Feel free to let me know what you think, and discuss these proposals either inside each PR, or in this issue.

Where does Padlock store passwords (locally)?

This is mostly a documentation issue, but I couldn't find any information about where Padlock stores passwords (when using local storage, which AFAIU is the default?). Is this configurable somehow?

Apologies if I missed this - I only just discovered Padlock and haven't had much time exploring it in detail.

Many thanks for making Padlock available, and for staying true to the clear objective of keeping it minimalist and intuitive. :)

Problem with syncing record changes in v0.10.0

After updating to v0.10.0 Padlock Cloud synchronization works only when new records are created.
Deleting and updating records (adding/removing/updating fields) actions are not synchronized.
This problem is manifesting both ways on following setup:
Chrome app on PC (Win8.1, Chrome 45.0.2454.101) with iPhone app (iOS 9.0.2).

Documentation about Padlock Cloud

Hi Makle

First of all, congratulations for the software, I liked the idea and the system is getting cool.

I got a little lost and afraid, because we have no information about how our service works and how information is stored in the cloud.

Documentation on this would be very valuable to disseminate the software.

I hope to contribute code too soon.

Padlock not showing after launching from Windows 10 Chrome apps panel

Hi I have two machines running Windows 10, but just one has suddenly developed a problem launching Padlock.
After launching Padlock from Chrome app panel the browser blinks and becomes a background window and then nothing no Padlock window. Yet when I hover over padlock icon, that is underlined shows window is open, the open app shows in the popup but nothing when you select it.

Also if you use the Task View icon to show all open windows the padlock window shows but if you select it nothing?
I have tried restarting machine.
I have tried reinstalling Chrome
nothing has worked.
Oh and it also doesn't make a difference how you launch Padlock. I have docked the icon on the desktop launchbar and launching that way also doesn't work.
OK also tried deleting Padlock from Chrome and reinstalling no luck.

Spelling Error

There is a small spelling error under the dev setup heading, where it says "prever" instead of "prefer."

Plans for collaborative features?

Are there any plans for adding a sort of collaborative feature in the future? Padlock looks absolutely excellent, but I would like to use it in a somewhat "enterprise" environment and be able to share secrets with a user or group of users.

Typo on home page

It says:

"Strong passwords are hard to remember and the sheer number of different services makes it practially impossible to keep track of all of your credentials."

The word "practically" is spelled wrong. :)

How to import additional fields using .csv?

I've managed to export all the data (as .csv) from my existing password manager app with a view to moving to Padlock. Along with the usual Username, Password & URL, most of my existing records have "Notes" along with Name, Category, Url, Username, and Password

I'd like to get all my existing data into Padlock including the notes - can I simply create a .csv containing Name, Category, Url, Username, Password, Notes - paste that into Padlock as part of the import process and expect Padlock to create a 'Notes' field?

Thanks,

SSL error when logging in or syncing

Hi I have noticed lately when logging into padlock or when syncing to cloud that I am getting SSL certificate errors. Is this a big problem or has your certificate just lapsed?

Shortcuts inside input fields

Hi,

I've found that shortcuts do not work on mac app while inside input fields.

If you try cmd+a (to select all), cmd+c / cmd+v (to copy / paste), none of these works.

It's a little bit annoying when you want to select all text to reenter a wrong password for example.

Copy and paste features are also really annoying when creating new entries (I know that copy is still working while non editing an input field).

Thanks for this great app 👍

Any plan to implement padlock an easy automatic management of passwords?

So the title may be a bit bad, but I'll try and explain it a bit better here in the comments.
I'd very much like this to work in the following way:

1: I go to website A, where I'm not currently logged in. I click the padlock extension in the top right of chrome, and it prompts me for my master password. As soon as I've entered that, it shows me my credentials for the page that I'm currently on, as well as tries to automatically fill the appropriate fields.

2: I go to a website where I'm currently not using padlock / haven't registered. I go to register, and after typing in all my information except password, I hit the padlock icon. It asks me for the master pass, and after entering it, It tells me it has no record for the current website. Do I want to make a new one? I hit create new, hit randomize password and paste, and it makes a strong password, shows it and attempts to paste it in the correct box.

As a side note, it'd be nice to have a few options for the randomly generated passwords. Something like checkboxes for

  • A-Z
  • a-z
  • 0-9
  • And a field for special characters. Default value being all of them.

I'll take a look at the source as well, and see if I'm capable of doing these things myself. I doubt it though, as I haven't made any extension yet :/
