Docs

README

Password Manager

A secure command-line password manager with AES-256 encryption, built to teach cryptography and security best practices in Python.

Features

  • ā€¢Military-grade encryption: AES-256-GCM for data at rest
  • ā€¢Master password: PBKDF2 key derivation with high iteration count
  • ā€¢Password generation: Cryptographically secure random passwords
  • ā€¢Clipboard integration: Auto-clear clipboard after timeout
  • ā€¢Password strength analysis: Check password security
  • ā€¢Categories and tags: Organize passwords
  • ā€¢Search: Find entries quickly
  • ā€¢Import/Export: CSV and JSON formats
  • ā€¢Secure memory: Wipe sensitive data from memory
  • ā€¢Auto-lock: Timeout-based security

Project Structure

06_password_manager/
ā”œā”€ā”€ README.md
ā”œā”€ā”€ requirements.txt
ā”œā”€ā”€ pwm/
ā”‚   ā”œā”€ā”€ __init__.py
ā”‚   ā”œā”€ā”€ __main__.py
ā”‚   ā”œā”€ā”€ cli.py
ā”‚   ā”œā”€ā”€ manager.py
ā”‚   ā”œā”€ā”€ crypto.py
ā”‚   ā”œā”€ā”€ storage.py
ā”‚   ā”œā”€ā”€ models.py
ā”‚   ā”œā”€ā”€ generator.py
ā”‚   ā””ā”€ā”€ utils.py
ā””ā”€ā”€ tests/
    ā”œā”€ā”€ __init__.py
    ā”œā”€ā”€ conftest.py
    ā””ā”€ā”€ test_manager.py

Learning Concepts

Cryptography

  • ā€¢AES-256-GCM: Authenticated encryption
  • ā€¢PBKDF2: Key derivation from passwords
  • ā€¢Salt: Preventing rainbow table attacks
  • ā€¢Nonce/IV: Ensuring encryption uniqueness
  • ā€¢HMAC: Message authentication

Security Best Practices

  • ā€¢Secure random: Using secrets module
  • ā€¢Memory wiping: Clearing sensitive data
  • ā€¢Constant-time comparison: Preventing timing attacks
  • ā€¢Input validation: Avoiding injection attacks

Python Concepts

  • ā€¢Dataclasses: Data modeling
  • ā€¢Context managers: Resource cleanup
  • ā€¢Decorators: Function wrapping
  • ā€¢Type hints: Code documentation

Installation

cd 06_password_manager
pip install -r requirements.txt

Usage

First Time Setup

# Initialize vault with master password
python -m pwm init

# You'll be prompted to create a master password

Basic Commands

# Add a new password entry
pwm add github.com --username myuser --generate

# Get a password (copies to clipboard)
pwm get github.com

# List all entries
pwm list

# Search entries
pwm search github

# Generate a password
pwm generate --length 20 --symbols

Managing Entries

# Add entry with all options
pwm add example.com \
    --username john@example.com \
    --password "MySecretPass123!" \
    --url "https://example.com" \
    --notes "Personal account" \
    --category "Work"

# Update existing entry
pwm update github.com --password "NewPassword123!"

# Delete entry
pwm delete github.com

# Show entry details (without revealing password)
pwm show github.com

# Copy password to clipboard
pwm copy github.com

Password Generation

# Generate random password
pwm generate

# Custom length
pwm generate --length 24

# Include/exclude character types
pwm generate --length 16 --no-symbols

# Generate passphrase
pwm generate --passphrase --words 4

Organization

# List by category
pwm list --category Work

# Add tags
pwm add site.com --tags "important,work"

# Search with filters
pwm search --category Personal --tags important

Security Features

# Check password strength
pwm strength "MyPassword123"

# Audit all passwords
pwm audit

# Change master password
pwm change-master

# Lock vault
pwm lock

# Export (encrypted)
pwm export backup.enc

# Import
pwm import backup.enc

Security Architecture

Encryption Flow

Master Password
      ā”‚
      ā–¼
   PBKDF2 (100,000 iterations)
      ā”‚
      ā–¼
   256-bit Key
      ā”‚
      ā–¼
   AES-256-GCM
      ā”‚
      ā–¼
Encrypted Vault

Vault Structure

{
  "version": "1.0",
  "salt": "base64_encoded_salt",
  "nonce": "base64_encoded_nonce",
  "data": "base64_encoded_encrypted_data",
  "auth_tag": "base64_encoded_auth_tag"
}

Key Derivation

# PBKDF2 parameters
iterations = 100_000
key_length = 32  # 256 bits
hash_algorithm = "sha256"

key = PBKDF2(master_password, salt, iterations, key_length, hash_algorithm)

Password Strength Criteria

StrengthScoreRequirements
Weak0-40< 8 chars, no variety
Fair41-608+ chars, 2 types
Good61-8012+ chars, 3 types
Strong81-10016+ chars, all types

Types: lowercase, uppercase, digits, symbols

API Usage

from pwm import PasswordManager

# Initialize
pm = PasswordManager("vault.enc")
pm.unlock("master_password")

# Add entry
pm.add(
    name="github.com",
    username="myuser",
    password=pm.generate_password(length=20)
)

# Get password
entry = pm.get("github.com")
print(entry.username)

# Always lock when done
pm.lock()

Testing

# Run all tests
pytest tests/ -v

# With coverage
pytest tests/ --cov=pwm

# Run specific test
pytest tests/test_manager.py -v

Exercises

  1. ā€¢Add TOTP support: Store and generate 2FA codes
  2. ā€¢Add password history: Track previous passwords
  3. ā€¢Add browser extension: Build a browser helper
  4. ā€¢Add sync support: Encrypt and sync to cloud
  5. ā€¢Add biometric auth: Fingerprint/Face ID support

Security Notes

āš ļø Important Security Considerations:

  1. ā€¢Master Password: Choose a strong, unique password
  2. ā€¢Backup: Keep encrypted backups of your vault
  3. ā€¢Memory: Vault data is decrypted in memory while unlocked
  4. ā€¢Clipboard: Auto-clears after 30 seconds by default
  5. ā€¢File Permissions: Vault file should be readable only by you

License

MIT License - Educational use

README - Python Tutorial | DeepML