wraith

Wraith Password Manager

Warning: This is a pet project, and it currently sprays both key material and plaintext passwords all over the process memory space. ANYTHING ON OR ATTACHED TO YOUR SYSTEM WITH DMA ACCESS, OR RUNNING IN A MORE PRIVILEGED RING WILL BE ABLE TO PWN YOUR DATA. I hope to mitigate some of this in the future, but DO NOT USE THIS TO STORE ANYTHING IMPORTANT YET.

I have found most unix command-line password managers lacking, including pass. Some of my personal uppity requirements include:

• No external dependencies, including PGP
• Single, portable data file
• Provides its own shell
• Off-system synchronization and versioning
• Resistant to length-based attacks

So, I did what any self-disrespecting developer would do. I rolled my own. This is also a bit of an experiment to teach myself a little bit of effective cryptography engineering.

This will be mostly useless for everyone, but it doesn't kill me to throw it up here with an MIT license in the off-chance that someone might find it useful.

Current "Features"

• Symmetric key (hashed passphrase) encryption
• Scrypt-based key derivation
• Add, List, Show, and Delete unquoted K/V pairs
• Secure 4-32 random character password generation
• Very naive synchronization via DropBox API v2 Access (OAuth Token needed)

Maybe In The Future

• Version-tracking synchronization server using Noise Pipes Protocol
• Plaintext JSON export / import
• Offsite versioned sync (vector clocks?)
• Key+data hiding/scattering for a touch of memory forensics resistance