If you are interested in a secure online experience, you should have a strong and different password for each service you use. A password manager is an application that helps you generate and store strong passwords for different services. To access your passwords you only need the Master Password. The Password Manager stores usernames and passwords only in encrypted form (called hashes below), so anyone who gets the DB will not be able to recover the real credentials without the Master Password.
This project is based on Telegram Messenger, which allows programmers to develop their own bots. The CLI versions of most password managers limit users to a PC. A Telegram bot, by contrast, can be used on mobile phones, PCs and browsers with access to the Internet.
Using this telebot you can easily add, edit and delete profiles (a profile is the username and password for a particular service).
The telebot is an individual password manager. It means that in most cases you are the only user of the bot.
We can't just store passwords and usernames in the DB as they are, because if the server has a vulnerability, attackers may gain access to your credentials, which is actually fatal.
To prevent this, we do not store the usernames and passwords themselves, only their hashes.
Using the Master Password we can encrypt credentials into a hash and decrypt it back into the actual password or username.
So your Master Password is the most important thing. It should be strong enough that it cannot be brute forced.
Using the PBKDF2 algorithm, we hash the Master Password (MP): Manager.HashPassword()
Then, using the Fernet module with the hash of the MP as the key, we can encrypt any data we want: Manager.encryptData()
Decryption is the opposite process: we provide the hash of the MP and use the Fernet module to turn the stored value back into the normal credential: Manager.decryptData()
In order not to provide the MP every time we want to encrypt or decrypt something, I decided to use MP verification:
Using MasterPswdGen.py we can build a file with a salt and a verifier.
Combining that exact salt with the MP and applying the hash function to them, we get a new hash.
If the provided MP is correct, the pre-built verifier will be the same as the hash I previously mentioned.
An important point is that the verifier cannot be used to decrypt or encrypt any data from the DB, because the salt used in Manager is not the same as the salt generated by the MasterPswdGen.py module.
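The verification scheme described above, as an added example using only the Python standard library; it is not the project's code. The JSON field names, the iteration count and the sample salts are assumptions, and Fernet itself is left out (only a key in the format Fernet accepts is produced).

```python
import base64
import hashlib
import hmac
import json
import secrets

ITERATIONS = 600_000  # assumed work factor; the project's own count is not shown on the page


def pbkdf2(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the Master Password, 32 bytes out."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def build_verifier(master_password: str) -> str:
    """Role of MasterPswdGen.py: return JSON holding a fresh salt and the verifier."""
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt.hex(),                      # field names are assumptions
        "iterations": ITERATIONS,
        "verifier": pbkdf2(master_password, salt).hex(),
    }
    return json.dumps(record)


def check_master_password(candidate: str, verifier_json: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = json.loads(verifier_json)
    expected = bytes.fromhex(record["verifier"])
    actual = pbkdf2(candidate, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(actual, expected)


def encryption_key(master_password: str, data_salt: bytes) -> bytes:
    """Key for the data store, derived with a salt that is NOT the verifier's salt.
    URL-safe base64 of 32 bytes is the key format Fernet accepts."""
    return base64.urlsafe_b64encode(pbkdf2(master_password, data_salt))


if __name__ == "__main__":
    mp = "correct horse battery staple"      # constructed sample value
    data_salt = b"constructed-data-salt"     # constructed; stands in for the Manager salt
    vfile = build_verifier(mp)
    print(check_master_password(mp, vfile), check_master_password("guess", vfile))
    leaked = base64.urlsafe_b64encode(bytes.fromhex(json.loads(vfile)["verifier"]))
    print(leaked == encryption_key(mp, data_salt))  # the verifier is not the data key
```

Because the two salts differ, a leaked verifier file still leaves an attacker with an offline guessing problem against the Master Password rather than a usable decryption key.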
Firstly, make sure you have Python 3 installed on your computer. If not, check out this tutorial.
Secondly, open CMD and enter this command to get the source code of the project: git clone https://github.com/Yessirskiy/Telegram-pswd-manager.git
Then move into the working directory using the cd Telegram-pswd-manager command.
Finally, install all the needed modules using pip install -r requirements.txt
BOT_TOKEN = '' # Token bot from Telegram (str)
ADMIN_IDS = [] # List of admin's IDs from Telegram (int)
DB_NAME = 'pwd_manager.db' # Name of the DB file (str)
MASTERKEY_VALIDATION = 12 # How long master password can be used without re-entering, in hours (int)
CREDS_DELETE_TIMEOUT = 3 # How long message with credentials will be in chat, in minutes (then deleting) (int)
VERIFIER_FILE = 'verify.json' # Name of the file with verification
Create a config.py file in the working directory and paste the code above into it.
All the parameters are explained in the comments.
How to get BOT_TOKEN:
- Follow instructions from here
- Put the token you got into BOT_TOKEN, between the single quotes
How to get chat_id (ADMIN_IDS):
- Open Telegram and find @getidsbot
- Send a random message to the bot and copy the ID statement
- IDs should be provided in list format. If you are the only user, the list should contain only one ID
I highly recommend you stay with 12 hours for MASTERKEY_VALIDATION and 3 minutes for CREDS_DELETE_TIMEOUT.
As mentioned above, you should have a strong Master Password.
How to create such a password is clearly explained in a great video.
Launch MasterPswdGen.py and input your Master Password when it asks.
You will see a new file with a .json extension in the working directory.
Make sure you have a copy of this file stored somewhere else.
Finally, run the main.py file. If you have done everything right, the bot you have created will respond to your /start command.
To start a conversation with the bot, just type the '/start' command or press the 'START' button. The bot will automatically respond and the menu buttons will appear on your screen.
Press any button to enter the Master Password
If you have entered the right MP you will see this message:
If the MP you entered is wrong, the message you see will be:
To export profiles, logs and the verifier in a ZIP file, use the button Export Profiles 📤
Files in ZIP folder:
To get a profile's credentials use the button Get Profile 🔑
After you enter a service name from the list, you get a message with the credentials, which will be deleted after the time you have set in the config file.
To edit a profile's name or credentials use the button Edit Profile ⚙️
Follow the instructions in the message in order to send the new credentials in the proper format. You may leave some data untouched; in this case just enter the same name/username/password as you had before.
To generate new password enter '.g' as a password.
If you did everything right, the creds will be updated immediately:
To delete a profile use the button Delete Profile 🗑️. Then type 'DELETE {profile}' as a confirmation.
I highly recommend you export profiles before deleting, in case of a wrong deletion.
To add a new profile use the button Add Profile 🖊️. The bot will ask you for a username.
To protect the username and password, the bot will automatically delete the message which contains your credentials.
If you want to generate a new password, enter '.g' as a password:
When all the credentials have been entered, you can check the new profile by using the Get Profile 🔑 button:
Well, as far as we rely on TG privacy, it is safe. But personally I wouldn't recommend using this Password Manager as your main one. In this particular case, TG is a third-party service which stores all the messages you input, including private credentials.
Storing passwords and usernames in a DB table using their hashes is a safe approach as long as your Master Password is secured and strong.
How to create such a password is clearly explained in this video.
A strong password is very important in any password manager, no matter which one you use; all of them can be cracked if your MP is not strong enough.
This project couldn't have been done without this tutorial. In my opinion, this is the best explanation of the Password Manager mechanism.
Also I would recommend checking out this article. Get familiar with the Fernet module and how to use it in Python (and of course read some docs).
If you find any bugs in the code or have any interesting ideas on how to improve the project, please text me; that's very important for me.