Bluepass – An Interesting New Password Manager

Bluepass LogoIf you use passwords, you should store them securely somehow. This generally saves you from losing something, and should help you improve the strength of passwords you already use on websites. I’m a big fan of the powerful tool named Keepass, but always on the lookout for new and interesting tools that might help us improve password storage and use. This search lead me to Bluepass, a new tool (like Keepass) that intends to have cross-platform support and a new syncing feature for your data. Bluepass is currently in its early stages and looking for support.

Bluepass SynchronizationWhat had me most interested in Bluepass was the synchronization feature. Could this be shades of Bittorrent Sync, while ushering a new age of cloudless data synchronization? I might have been a tad over ambitious with my assessment of the tool, but it seems clear that this could be a future addition to the product. The project is GPL3 open source and available on GitHub to anyone.

Recently, the author also took to Hacker News and answered some questions about his new tool. Here are some of the more interesting answers (questions paraphrased) from the session.

Will synchronization traverse NAT and firewalls?

The P2P is done over local networks only. It uses multicast DNS for service discovery. Bluepass syncs between your own devices only. As long as the devices occasionally share a (W)LAN, it will work.

You’re asking for $60,000, how is this number reached?

The calculation of the funds is rather straightforward: $10k for each of the platforms that need work: iOS, Android, Chrome, FF, Mac and Windows.

Why only support “LAN” synchronization?

Regarding the question around Firefox sync: even if you use your own server, you are sending senstive (sic) data that is encrypted with a password or passphrase over the Internet. This opens you up to dictionary attacks now, and if the communications are intercepted, far into the future.

What will the mobile version of the tool cost?

The mobile versions will be somewhere between $5 and $10. As a perk for funding Bluepass, whatever the price turns out to be, your version will include unlimited free upgrades.

Does it support the Keepass database format?

At this point it does not. But a feature to import a keepass DB into the Bluepass native format is in the plan.

Why not use the Keepass format?

The Keepass format is not suitable for my use. Bluepass uses an append-only database containing a forest of nodes. Each node is a specific password version, and child nodes are updates of a parent. This data structure is used to do conflict resolution in case of concurrent updates. It also gives you infinite history, which is nice. The file format itself is an SQLite database with JSON documents in it.

For the ultra-paranoid, this is an interesting way to keep the encrypted data local to devices you control, but yet in-sync with each other. It may be true that everyone should be that paranoid, but the challenge is to make it easy for those not savvy enough to create and remember 35 character passwords and make hidden encrypted containers. Security needs to be personally verifiable anyway.

I’m interested to see where this project goes.

Bluepass is an open source password manager written by Geert Jansen, a programmer based in Italy. Geert is looking to raise $60,000 for his project, Bluepass.