
Yessirskiy/Telegram-pswd-manager


Telegram-pswd-manager

Description

General

If you care about a secure online experience, you should have a strong and different password for each service you use. Password Manager is an application that helps you generate and store strong passwords for different services. To access your passwords you only need the Master Password. Password Manager saves only an encrypted form (hash) of usernames and passwords, so anyone who gets the DB will not be able to recover the real credentials without the Master Password.

Realisation

This project is based on Telegram Messenger, which allows programmers to develop their own bots. The CLI versions of most password managers limit users to a PC. A Telegram bot, by contrast, can be used on mobile phones, PCs and browsers with Internet access.

Telegram Bot

Using this telebot you can easily add, edit and delete profiles (a profile is the username and password for a particular service). The telebot is an individual password manager, which means that in most cases you are the only user of the bot.

How does it work?

The Idea

We can't simply store passwords and usernames in the DB, because if the server has a vulnerability, attackers may gain access to your credentials, which is fatal.
To prevent this, we do not store usernames and passwords themselves, only their encrypted form (referred to as a hash in this README).
Using the Master Password, we can encrypt credentials into a hash and decrypt it back into the actual password or username.
So your Master Password is the most important thing. It should be strong so that it cannot be brute-forced.

Exact Mechanism

Using the PBKDF2 algorithm, we hash the Master Password: Manager.HashPassword()
Then, using the Fernet module with the hash of the MP as the key, we can encrypt any data we want into a hash: Manager.encryptData()
The opposite process applies to decryption: we provide the hash of the MP and use the Fernet module to decrypt the stored hash back into the normal credential: Manager.decryptData()

So that the MP does not have to be provided every time we want to encrypt or decrypt something, I decided to use MP verification:
Using MasterPswdGen.py we can build a file with a salt and a verifier.
Combining that salt with the MP and applying a hash function to the result gives a new hash.
If the provided MP is correct, this hash will be the same as the pre-built verifier.
Importantly, the verifier cannot be used to decrypt or encrypt any data from the DB, because the salt used in Manager is not the same as the salt generated by the MasterPswdGen.py module.
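
The verifier scheme described above, sketched as an added example (not the project's own code). The JSON field names, PBKDF2-HMAC-SHA256 with 600,000 iterations, and the use of PBKDF2 rather than a single hash pass for the verifier are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # assumed work factor; the project's real value is not on the page


def stretch(master_password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, 32 bytes out."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )


def derive_fernet_key(master_password: str, db_salt: bytes) -> bytes:
    """Encryption key in the form Fernet accepts: urlsafe base64 of 32 bytes."""
    return base64.urlsafe_b64encode(stretch(master_password, db_salt))


def build_verifier(master_password: str) -> str:
    """Contents of a verifier file: a fresh salt plus the stretched MP (hypothetical layout)."""
    salt = os.urandom(16)
    record = {"salt": salt.hex(), "verifier": stretch(master_password, salt).hex()}
    return json.dumps(record)


def check_master_password(candidate: str, verifier_json: str) -> bool:
    """Recompute the verifier from the candidate MP and compare in constant time."""
    record = json.loads(verifier_json)
    expected = bytes.fromhex(record["verifier"])
    actual = stretch(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    mp = "constructed-sample-master-password"  # constructed sample value
    verifier_file = build_verifier(mp)
    db_salt = os.urandom(16)  # separate salt for the encryption key
    key = derive_fernet_key(mp, db_salt)
    print("correct MP accepted:", check_master_password(mp, verifier_file))
    print("wrong MP accepted:  ", check_master_password("guess", verifier_file))
    stored = bytes.fromhex(json.loads(verifier_file)["verifier"])
    print("verifier equals key:", base64.urlsafe_b64encode(stored) == key)
```

Because the verifier lets anyone holding the file test master-password guesses offline, its resistance rests on the iteration count and on the strength of the MP.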

Setting up

Installation

First, make sure you have python3 installed on your computer. If not, check out this tutorial.
Second, open CMD and enter this command to get the source code of the project: git clone https://github.com/Yessirskiy/Telegram-pswd-manager.git
Then move into the working directory using the cd Telegram-pswd-manager command.
Finally, install all the needed modules using pip install -r requirements.txt

config.py

BOT_TOKEN = '' # Token bot from Telegram (str)
ADMIN_IDS = [] # List of admin's IDs from Telegram (int)
DB_NAME = 'pwd_manager.db' # Name of the DB file (str)
MASTERKEY_VALIDATION = 12 # How long master password can be used without re-entering, in hours (int)
CREDS_DELETE_TIMEOUT = 3 # How long message with credentials will be in chat, in minutes (then deleting) (int)
VERIFIER_FILE = 'verify.json' # Name of the file with verification

Create a config.py file in the working directory and paste the code above into it.
All the parameters are explained in the comments.

How to get BOT_TOKEN:

  • Follow instructions from here
  • Put the token you got into BOT_TOKEN, between the single quotes

How to get chat_id (ADMIN_ID):

  • Open Telegram and find @getidsbot
  • Send a random message to the bot and copy the ID from its reply
  • IDs should be provided as a list. If you are the only user, the list should contain only one ID

I highly recommend staying with 12 hours for MASTERKEY_VALIDATION and 3 minutes for CREDS_DELETE_TIMEOUT.

Master Password

As mentioned above, you should have a strong Master Password.
How to create such a password is clearly explained in a great video.

Launch MasterPswdGen.py and input your Master Password when it asks.
You will see a new file with a .json extension in the working directory.
Make sure you have a copy of this file stored somewhere else.

Launch

Finally, run the main.py file. If you have done everything right, the bot you created will respond to your /start command.

Usage

Starting and entering MP

To start a conversation with the bot, just type the '/start' command or press the 'START' button. The bot will respond automatically and the menu buttons will appear on your screen.
Press any button to enter the Master Password.
If you entered the right MP, the bot confirms that it was verified. If the MP you entered is wrong, the bot tells you it was not verified.

Export Profiles

To export profiles, logs and the verifier in a ZIP file, use the button Export Profiles 📤

Getting Profile's Creds

To get a profile's credentials, use the button Get Profile 🔑
After you enter a service name from the list, you get a message with the credentials, which will be deleted after the time you set in the config file.

Editing Profile

To edit a profile's name or credentials, use the button Edit Profile ⚙️
Follow the instructions in the message to send the new credentials in the proper format. You may leave some data untouched; in that case just enter the same name/username/password as you had before. To generate a new password, enter '.g' as the password. If you did everything right, the credentials will be updated immediately.

Deleting Profile

To delete a profile, use the button Delete Profile 🗑️. Then type 'DELETE {profile}' as a confirmation.
I highly recommend exporting your profiles before deleting, in case you delete the wrong one.

Adding New Profile

To add a new profile, use the button Add Profile 🖊️. The bot will ask you for a username. To protect the username and password, the bot will automatically delete the message that contains your credentials.
If you want to generate a new password, enter '.g' as the password. When all the credentials have been entered, you can check the new profile with the Get Profile 🔑 button.

Advice

Is it safe to use this Password Manager ?

Well, as far as we rely on TG privacy, it is safe. But personally I wouldn't recommend using this Password Manager as your main one. In this particular case, TG is a third-party service which stores all the messages you input, including private credentials.
Storing passwords and usernames in a DB table using their hashes is a safe approach as long as your Master Password is secured and strong.

How do I create strong Master Password ?

How to create such a password is clearly explained in this video.
A strong password is very important in any password manager, no matter which one you use; all of them can be cracked if your MP is not strong enough.

References

Sources

This project couldn't have been done without this tutorial. In my opinion, this is the best explanation of the Password Manager mechanism. I would also recommend checking out this article. Get familiar with the Fernet module and how to use it in Python (and of course read some docs).

If you find any bugs in the code or have any interesting ideas for improving the project, please message me; that's very important to me.

About

Password manager with Telegram Bot Interface
