Barapass console Password Manager

I decided to publish my simple console Password Manager. I called it barapass (github). I’ve been using It for quite some time in Linux and in Windows (in WSL). Probably it will also work natively in Windows and MacOS with minimal fixes, but I haven’t tried it yet.

Barapass logo

Why do people use password managers?

Well, with password manager it’s possible to avoid remembering passwords and make them arbitrarily complex and long. And no one will be able to brute force them. Of course, you can simply store passwords in text files, but password managers are better than this because:

  • no one will see your password over your shoulder;
  • if an attacker gains access to the files on your host, it won’t possible to read your passwords from the encrypted file or storage (well, ideally);
  • it’s easier to search for objects in the password manager and copy values from it.

I wanted something as simple as editing a text file with the key-value content. And I wanted it to be stored in a secure manner, and security could be easily checked, “simple and stupid”.

Why not use a ready-made password manager? (thousands of them)

IMHO, it’s very hard to control how password managers store the passwords and often very unpleasant vulnerabilities appear in them. I have everything in one small python file: a simple CLI, and functions for encryption/decryption. It’s only 200 lines.

Currently, barapass stores passwords encrypted using AES, but you can easily change it to any other cryptographic algorithm or a combination of them and use various methods to generate the keys. This customization can make it more secure in practical sense just because your passwords should be VERY interesting for the attacker to make this charades solving worth it. πŸ™‚

How to run barapass?

You will need to install python3 with some additional modules:

pip3 install clipboard stdiomask pycryptodome

And also some tool to work with clipboard:

For CentOS/RHEL:

sudo yum install xclip

For Ubuntu/Debian:

sudo apt-get install xclip

Then just run :

python3 barapass.py --interactive

How to use barapass?

The scheme is following:

  1. Create a text file with key-value data
  2. Create an encrypted version of the file in barapass
  3. Use barapass to search for keys in the encrypted file and copy values to the clipboard
  4. If you need to edit the file, decrypt it in barapass, make changes and create a new encrypted version of the file

Something like this:

Barapass example

Encrypting and decrypting files

Barapass works with text files in this format:

$ cat testcred.txt
### My Email ###
MyEmail|URL|https://yandex.ru
MyEmail|account|my_email@yandex.ru
MyEmail|password|password1234

### My Server ###
MyServer|SSH_Command|ssh user@server.com
MyServer|SSH_Password|password1234
MyServer|DB_User|testuser
MyServer|DB_Password|testpass123

You can encrypt testcred.txt in testcred.brp:

$ python3 barapass.py --interactive
Interactive mode (q for exit; fc for favorite commands)
Command >> encrypt testcred.txt testcred.brp
Container testcred.brp password >> ********
OK: Container testcred.brp was created successfully
Command >> q

This encrypted file looks like this:

{"profile": "Simple AES", "nonce": "zGIX48DdarHVWXbgYpoBWg==", "tag": "I+JR1hX6F/WuVxcjF/K2zQ==", "ciphertext": "9EIOPOTPZ1HvCGrxS7Uc8BQno2O75aX8khEut/sU9EvKFPFwsfofLqL38BTwPicddXiEvFXZdgu6aPg9Rlg44Oo099YhW1V3bS9HyvFPaiheeFat/goj+RynH8sC+Pz4OWFqtbgSPzS4YHdMB3cw2Od/gVFRf2UHVTz8wFuL6LqgGgz6BuehGQN9/snmUgMeXHyV65ZWsUCpCvFo4uIxTn4Evd5aIAvR048Wc8YHUxOYYKg4sD5K8dLcVQLtOjcUrJ4k1BVSbHq8QLzBCk720TzlwbhuaaLz7wWSvKj7ml3w8fI6vEQeBoKOH/3TK5q+xHkqDIdi8uT7/BDIYo9818CPSEiyOmoxGw=="}

You can decrypt testcred.brp in clear text testcred2.txt like this:

$ python3 barapass.py --interactive
Interactive mode (q for exit; fc for favorite commands)
Command >> decrypt testcred.brp testcred2.txt
Container testcred.brp password >> ********
OK: Container testcred.brp was decrypted successfully
OK: Raw file testcred2.txt was created
Command >> q

$ cat testcred2.txt
### My Email ###
MyEmail|URL|https://yandex.ru
MyEmail|account|my_email@yandex.ru
MyEmail|password|password1234

### My Server ###
MyServer|SSH_Command|ssh user@server.com
MyServer|SSH_Password|password1234
MyServer|DB_User|testuser
MyServer|DB_Password|testpass123a

Searching in encrypted file

To search in an encrypted file you should use encrypted file, enter the password and perform search request:

$ python3 barapass.py --interactive
Interactive mode (q for exit; fc for favorite commands)
Command >> use testcred.brp
Container testcred.brp password >> ********
OK: Container testcred.brp was decrypted successfully
OK: Container testcred.brp was loaded successfully
Command >> search Email
Found: MyEmail:URL
Found: MyEmail:account
Found: MyEmail:password
Copied to clipboard: MyEmail:URL (next value: Y/n)
Copied to clipboard: MyEmail:account (next value: Y/n)
Copied to clipboard: MyEmail:password (next value: Y/n)
Command >> q

All found results will be copied to the clipboard one by one, so that you can paste them where it is necessary.

Is it safe to copy passwords to clipboard?

Someone may say: what if the host is compromised and an attacker monitors the clipboard or searches for decrypted data in memory? Well, it’s possible. But the same attacker can also use keylogger or take screenshots. It’s hard to talk about secure authentication when the host is compromised. Anyway, it’s possible to store and retrieve passwords in more complex way, if necessary. πŸ˜‰

In conclusion

If someone will use this or want to participate – welcome! In factt, I want to make CLI more user friendly with autocomplete and command history (with up and down arrow keys). I also think about some portable GUI for Linux, Windows and Android. So your help will be highly appreciated. πŸ˜‰

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.