Releases · zeruniverse/Password-Manager

17 Feb 07:40

4397117

11.01 Release Latest

Latest

Email verification service changed from SendGrid to Gmail. I received complaints about SendGrid not friendly to individual users and thus I changed default / sample email verification method to Gmail. You only need a valid Gmail account to make email verification work. Just set up 2-step verification and generate an app-specific password for this password manager.

Except for above email verification change, this release is same with 11.00. So to upgrade from 11.00, you just need to overwrite source code files.

Assets 2

07 Aug 23:25

zeruniverse

11.00

2e7e2eb

11.00 Release

ALL USERS ARE REQUIRED TO UPGRADE TO THIS VERSION!

v11.00 requires at least PHP 7.1. Note PHP 7.1- is no longer supported by PHP devs and you should upgrade to PHP 7.2+

Security enhancement:

Server-side PBKDF2 SHA2 -> SHA3 and more iterations.
Client-side CryptoJS -> WebCryptoAPI. With the greatly improved performance, the client-side PBKDF2 iterations in v11.00 is 1e6 (compared to 5e2 in v10.00)
Implemented email-based two-step verification
Username based salting for secret-key generation to prevent rainbow table attack. (therefore, backup file will now include login username in plaintext for decryption needs)
Changed backup to use random salt instead of fixed jsSalt. Backup PBKDF2 iterations is now configurable (and will be written into backup file so you don't need to worry about recovery)
Server-side random number / random bytes are now crypto secure.
Poll to server every 5 seconds and server will terminate session if not receiving poll for 16 seconds. (This is useful when you put safari at background on your iphone. Before, you will still be able to check password when you switch safari to foreground later)
(Optional but recommended) Client-side source file integrity check to provide fail-safe when your server is hacked.

Security fixes:

Fixed many bugs associated with inactivity checks at client-side.

Others:

Account activity page now has a go-back button at the top
Removed redundant "count" key in customized fields
Re-designed "position" key in customized fields. The old implementation is buggy (e.g. if position 3 item is rendered before position 2 item, the old method will fail)
Re-designed cls key in customized fields. Now you don't need the additional space at beginning.
Fixed textarea type in customized fields. Now, it will be real <textarea>
Fixed empty row span bug (the old empty info cell will not span the entire row)
Account URL (link) button will now open the corresponding login page at new tab
Fixed CSV import bug introduced in v10.00
Fixed file export bug introduced in v10.00 (files not exported even if include files checkbox is checked)
Fixed a bug in recovery page that if you have multiple files (in multiple accounts), only one of them gets processed
Fixed details window so now textarea \n is rendered as a new line.
Fixed a bug that causes password last change time not displayed at details window
Fixed a bug that clipboard plugin not working on Safari (as a result, copy to clipboard will only show up after you click show password *****)
Changed Password history to keep most recent 15 passwords
Changed CSV export to not include any system fields (last change time / password history). To migrate / upgrade password manager, user should use RAW as RAW will be a full copy.
Implemented file delete support. Before, you can only overwrite files.
Better handling of cookies.

Assets 2

25 Jul 05:00

BenjaminHae

10.00

2b3e13c

10.00 Release

Use previous release if you have this issue (#217)

Functional changes:

copy to clipboard plugin

A lot has happened in the code.

For upgrading please create a backup of your database and the code.
Adapt the config in the new version to fit your needs and add the current database. No changes in the database layout are necessary so everything should work immediately.

The Chrome/Firefox Addon in the Chrome Web Store does not support the new version yet. A working version will be deployed in a few days. This version can already be built manually from code.

Assets 2

08 Apr 21:30

zeruniverse

9.15

ec16ae6

9.15 RELEASE

Fix multiple bugs introduced in v9.13

import/export problems
session out problems
edit form problems
false alert on changing password
ONE_DAY cache.

New features

server side pbkdf2
All forms using POST. Information will not be logged on error log
Remove unnecessary server-side encryption
Remove login token (to support server-side pbkdf2)
System variable support.

To upgrade
Please note the database structure as well as the encryption method are changed. For lazy expert users, upgrade.zip might be used to help them rebuild the database without export & import. If you don't know how to use those files, DON'T USE THEM

For other users, please backup your data (with files) and recover the data with your old password manager. Then you can install the new password-manager and import the .raw file into this new password-manager.

Assets 3

04 Feb 16:37

zeruniverse

9.13

f930767

9.13 RELEASE

Security update (commit 9898201):

separated controller and view (all html output is now free from program logic) this makes the code more readable. It should now be easier to spot security issues and write clean code.
separated javascript from html. This partly belongs to the first point but I list it extra because this allows us to introduce a Content-Security-Policy which should remove any threat of Cross-Site-Scripting
Introduced header X-Frame-Options to prevent clickjacking.
Fixed a small information disclosure vulnerability (finding out which users exist)

Bug fix: