WebSphinx
+ Add to Firefox

Categories

Developer

websphinx

WebSphinx v0.1.1

  • rating
  • rating
  • rating
  • rating
  • rating
0 (0 reviews)
WebSphinx is an password manager, based on the Sphinx protocol by Krawczyk et al. It provides end-to-end encryption of passwords between your browser and the password storage. For how this works see: https://www.youtube.com/watch?v=px8hiyf81iM WebSphinx

sphinx: a password Store that Perfectly Hides from Itself (No Xaggeration)

websphinx is a cryptographic password storage as described in https://eprint.iacr.org/2015/1099

IMPORTANT Further installation steps are describe here:
https://github.com/stef/websphinx-firefox#installation

What is this thing?

It allows you to have only a few (at least one) passwords that you need to remember, while at the same time provides unique 40 (ASCII) character long very random passwords (256 bit entropy). Your master password is encrypted (blinded) and sent to the password storage server which (without decrypting) combines your encrypted password with a big random number and sends this (still encrypted) back to you, where you can decrypt it (it's a kind of end-to-end encryption of passwords) and use the resulting unique, strong and very random password to register/login to various services. The resulting strong passwords make offline password cracking attempts infeasible. If say you use this with google and their password database is leaked your password will still be safe.

How is this different from my password storage which stores the passwords in an encrypted database? Most importantly using an encrypted database is not "end-to-end" encrypted. Your master password is used to decrypt the database read out the password and send it back to you. This means whoever has your database can try to crack your master password on it, or can capture your master password while you type or send it over the network. Then all your passwords are compromised. If some attacker compromises your traditional password store it's mostly game over for you. Using sphinx the attacker controlling your password store learns nothing about your master nor your individual passwords. Also even if your strong password leaks, it's unique and cannot be used to login to other sites or services.

Dependencies
Besides this extension you also need to install the Native Messaging backend pwdsphinx, and the libsphinx library. For querying the password you also need the pinentry tool from GNUPG.

Linux/MacOS

The backend can be installed using the python tool pip: pip install pwdsphinx. For more information see https://github.com/stef/websphinx-firefox#installation. You also need from this repository the libsphinx library, but due to the libdecaf dependency you have to compile this manually.

Windows
If you are on 64bit Windows, you can download an installer which packages the python modules and the other binary dependencies you still have to install python from an official source though. Get the installer from: https://www.ctrlc.hu/~stef/sphinx.msi