
New, portable, open source password manager for Windows

52 points | nvr82 | 7 years ago | ylvapasswordmanager.com

58 comments

gruez | 7 years ago
Why this over keepass?

Also, a quick skim of the source code shows that the program keeps the decrypted file on-disk[1]. That seems like a huge vulnerability if you don't have FDE enabled.

[1] https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd...

regecks | 7 years ago
I think you need FDE no matter what. e.g. Hibernation will dump your passwords to disk, even if they're only kept in unmanaged, VirtualProtect'ed memory.
jakobdabo | 7 years ago
And they are doing MAC-then-Encrypt in 2019.

The author may be a great person and an excellent software developer, but they are an amateur in applied cryptography.

Use with caution.

akx | 7 years ago
Yeah, that looks suspect. Maybe open a GitHub issue about it?
whatl3y | 7 years ago
I unfortunately agree with the sentiment of others from this only being supported on windows. I built a CLI password manager[1] sort of as a learning exercise, but to this day I use it daily and have over 250 accounts managed in it. I temporarily back up the encrypted file to S3 in case my computer blows up, but for some reason I have a small sense of satisfaction that my passwords don’t live in a 3rd party like LastPass, even though I’m aware of the auditing and scrutiny they go through consistently to maintain credibility for what they do.

[1] https://github.com/whatl3y/hide

captn3m0 | 7 years ago
LastPass has been breached 3 times, and they’ve had RCEs in their Chrome Extensions.
keltex | 7 years ago
Another one I've used for years is password safe:

https://pwsafe.org/

Free and open source.

phs318u | 7 years ago
Same. And I'm surprised by how rarely it gets mentioned in these kinds of HN discussions. I would have thought given its origins (originally designed by Bruce Schneier and open-sourced in 2002 [0]), it would have a bigger following.

[0] https://www.pwsafe.org/history.shtml

Someone | 7 years ago
Portable… for Windows? It’s a .Net application using Windows Forms. That’s open sourced, and thus portable in theory. In practice, it’s Windows only.

Turns out they use a different meaning of “portable”:

”Open source version of Ylva is available as a single binary file which is portable by default. You can run it from a USB stick.”

santoshalper | 7 years ago
In the world of Windows applications, portable means that the program can be run without any installation or storing anything locally. So you could run it off a USB or other portable storage. This is a common usage.
NoPicklez | 7 years ago
But this can't go everywhere my passwords are needed, why would I use this?

Not to be harsh, but LastPass (and others) works across Mac, PC, iOS & Android in multiple ways. A password manager to a degree needs to make my life easier, this means being portable and compatible.

noisy_boy | 7 years ago
I have been using Keepassx[1] with Syncthing[2] for synchronizing the password database. It has been a great experience due to the following reasons beyond the crypto advantages:

- Open source

- Peer to peer without having to share file contents with central server like Dropbox etc.

- Full featured Android and Linux (KeepassXC) clients with nice UIs (on Android I have the option of using fingerprint auth to open my database)

- Autofill integration on Android (I haven't tried on Linux)

[1]: https://www.keepassx.org/

[2]: https://syncthing.net/

_x5tx | 7 years ago
I’ve been using Bitwarden for a little more than a month and it is by far the best password manager I used. And being open source is a very nice bonus. I’m going for the paid option to support the company behind it.
mehrdadn | 7 years ago
Does it have the following? They're what have kept me stuck on KeePass:

- Browser integration (a single key combo unlocking & filling in passwords)

- OTP support

- SSH agent and key storage

- Entry-level (rather than file-level) synchronization

- Google Drive synchronization

- Automatic history maintenance

- Storing arbitrary additional data

- Icons (makes identifying entries so much faster)

tetrisgm | 7 years ago
Seconded. I used LastPass for probably 5 years, and moved to Bitwarden a few months ago. No regrets. It was a breeze to set up the Docker image, migrate my data, and the TOTP support works even better. It'd take a lot for me to consider another open source implementation.
7ewis | 7 years ago
I've been considering moving to Bitwarden or Enpass, as my 1Password subscription is ending.

Is there anything missing from Bitwarden that's in other paid apps?

crispinb | 7 years ago
Looks nice. I've been a 1Password user for some years, but the lack of a proper Linux client is a pest. Bitwarden seems like it would be worth a try.
dusted | 7 years ago
I'll shamelessly plug my own open source password manager, not because it's mine but because I believe it is better. And it is more portable, just put it in your pocket! It's at https://finalkey.net/
aasasd | 7 years ago
Hmm, I guess this year everyone writes their own password manager.

(Can we have a year of fast PIM outliners? The competition is pretty sparse there.)

ejcx | 7 years ago
The first thing I do whenever someone writes their own password manager is to read the Encrypt function. This one is AES-CBC with its own hand rolled integrity scheme. Not very strong by modern standards.
beefhash | 7 years ago
Doesn't look very hand rolled to me. It's standard HMAC. The only unusual thing is the timing-unsafe comparison[1], which probably needs fixing. It looks like an attempt was made at a constant-time comparison (|= ^ pattern sure looks like it), but the early return breaks it again. I'm not sure if much can be gained from a timing attack in this particular instance though, since the key fully depends on user input in the first place.

(By the way, even Microsoft's own documentation doesn't use constant-time comparisons for HMAC[2]!)

[1] https://github.com/nrosvall/ylva/blob/2a4afcfb3727151fa09fdd...

[2] See the example on https://docs.microsoft.com/en-us/dotnet/api/system.security....
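As an added example (not code from Ylva, and not written by either commenter), the block below puts side by side the two points raised in this subthread: the comparison pattern beefhash describes, an accumulator loop whose early return leaks the position of the first mismatching byte, next to a version that always visits every byte; and the Encrypt-then-MAC layout that jakobdabo contrasts with MAC-then-Encrypt, where the tag is verified before any decryption is attempted. Assumptions: the stream cipher is HMAC-SHA256 in counter mode, a standard-library stand-in for AES-CBC so the example runs offline, and the PBKDF2 parameters and sample inputs are constructed.

```python
import hashlib
import hmac
import os

# --- Tag comparison -------------------------------------------------------

def early_return_compare(a, b):
    """Accumulator loop with an early return, constructed to mirror the pattern
    described in the thread. Returns (equal, bytes_examined); the second value
    is the loop count, i.e. exactly what a timing side channel would expose."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
        if diff:                      # bails out at the first mismatching byte
            return False, examined
    return True, examined

def fixed_loop_compare(a, b):
    """Same accumulator idea without the early return: every byte is visited,
    so the loop count no longer depends on where the inputs differ. Production
    code should simply use hmac.compare_digest, as decrypt_and_verify does."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0

# --- Encrypt-then-MAC ------------------------------------------------------

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 20_000   # constructed value; tune for the target hardware

def derive_keys(master_password, salt):
    """One PBKDF2 call stretched to 64 bytes and split into independent
    encryption and MAC keys, so the two primitives share no key material."""
    km = hashlib.pbkdf2_hmac("sha256", master_password, salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]

def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in stream cipher (assumption: the
    real project uses AES-CBC; only the encrypt/authenticate order matters here)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def encrypt_then_mac(master_password, plaintext):
    """Encrypt first, then MAC the header and the ciphertext."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    # The tag covers everything the receiver will parse, not just the ciphertext.
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt_and_verify(master_password, blob):
    """Returns the plaintext, or None if the tag does not verify. The check
    happens before any decryption, which is what MAC-then-Encrypt cannot offer:
    there the data must be decrypted before the MAC can be examined at all."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time, length-safe
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    # Constructed inputs.
    print(early_return_compare(b"abcdef", b"abXdef"))          # (False, 3)
    blob = encrypt_then_mac(b"correct horse", b"secret entry")
    print(decrypt_and_verify(b"correct horse", blob))          # b'secret entry'
    damaged = bytearray(blob)
    damaged[40] ^= 1
    print(decrypt_and_verify(b"correct horse", bytes(damaged)))  # None
```

The `bytes_examined` value returned by `early_return_compare` is the leak in deterministic form: it equals the index of the first mismatch plus one, so a caller who can time the comparison learns how many leading tag bytes were right. `fixed_loop_compare` removes that dependence, and `hmac.compare_digest` does the same job with the additional benefit of not short-circuiting on a length mismatch. In `decrypt_and_verify`, a blob whose tag fails is rejected before the keystream is ever generated, which is the practical advantage of Encrypt-then-MAC over the MAC-then-Encrypt order the thread criticises.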

stevekemp | 7 years ago
As soon as I saw "verkkokauppa" in the list I assumed it was a Finnish developer.

It looks like a nice project, but I'd echo the other complaints - having a tree, or folders, would make it much more usable.

I tend to have a structure which looks like this (simplified):

    Git/
       github.com
       gitlab.com
    Servers/
       ssh.example.com/
          root.txt
       ssh.example.org/
          webmail.txt
    Websites/
       lwn.net

Having all the items in a flat list soon becomes very crowded. Checking my own password store I have over 300 entries.
bboygravity | 7 years ago
All password managers and form fillers I've tried are quite terrible at correctly finding and filling fields/text boxes. They all seem to rely on finding patterns for things to fill from code. Which doesn't work. As there is no clear pattern across billions of non-standard web-forms.

Does anybody know of pw managers that work using image recognition (OCR-like) on the GUI to find fillable fields? AKA: using the same form-API that humans do?

ubercow13 | 7 years ago
I would guess that it wouldn't be worth the hassle of the inevitable inaccurate identifications. The most ergonomic password entry tool I've used is rofi-pass [1]. It's so effortless that I don't think anything smarter could improve on it in practice. It works in a predictable way in any application (eg SSH pw in a terminal) without any complex integrations being needed and once you get used to using the hotkey it's basically as quick as form autofilling.

[1] https://github.com/carnager/rofi-pass

kuzimoto | 7 years ago
Hmm unfortunately I don't have an answer for your question. Though sounds like KeePass is the next best thing. You can define custom auto-type patterns, for forms that don't follow the typical <username><tab><password><enter> format. It's great for saving FTP sites for FileZilla, or SSH logins.
tenebrisalietum | 7 years ago
I tried this briefly under Wine in Linux. On the surface it doesn't look like it has 2 features I really like about Keepass:

- Folders. I like using folders and subfolders to keep related sets of passwords together.

- Support for attachments. Keepass lets me keep track of keyfiles, notes, and certificates in addition to passwords. Ylva has a notes field but I really like Keepass's ability to attach files.

The QR integration is interesting I guess, I don't have any apps that allow QR code for password input but if I did it would be useful.

mrgalaxy | 7 years ago
This is nice and all, but what am I going to do with a Windows only password manager? I use several different OSs and a phone. It's pretty much a must that my password manager works on all of them.
walrus01 | 7 years ago
What does this achieve over the feature set of keepassx?
pnunesc | 7 years ago
I use Passbolt at work for a geo-dislocated team and it works very well.
rekshaw | 7 years ago
The title is a bit of an oxymoron.

"...portable...for Windows"

detaro | 7 years ago
In the context of Windows applications, "portable" is also used to mean "runs without installation/further dependencies, you can just run it from a folder somewhere".
runxel | 7 years ago
No, please not another password manager... I have not looked into it much, but hell, it looks like it even ships its own crypto.
ComodoHacker | 7 years ago
Not a single word about how security features are implemented. Not very convincing for the HN audience.
eps | 7 years ago
Please don't take it upon yourself to speak for everyone even if the point itself is valid. That's been bad manners since the BBS days if not earlier.