pass 0.0.1 API

JPass

A simple password manager written in Java 21 as a credit program in the course NPRG013 at MFF UK.

Used packages

Implementation

  1. When jpass starts, the config file with all its parameters is first loaded and stored in variables (using class LoadConfig).
    If the config file does not exist, the program prompts the user to create it.
  2. The user has to enter a password. Its hash is verified first, and the password is then used to decrypt the password file.
  3. The password file is decrypted into memory (byte[] data) and kept there until the program is terminated. Any changes to the database operate on this in-memory data. It is therefore important to terminate the program properly; otherwise data will be lost (if the database has been modified in any way).

Passwords

  • Common passwords - When a password is entered, it is verified that it is not one of the top 10000 most common passwords of 2017. This wordlist is searched using class checkForCommonPassword.
    • The Levenshtein distance of the password to the wordlist entries is also checked using class WordSimilarity. If it is less than 4 and a match occurs, the password is again considered very weak and the user is notified.
  • Entropy - For each entered password, its entropy is calculated in bits using class PasswordEntropy. I was inspired by this generator. At the same time, the entropy status is reported to the user: whether the password is weak or strong (based on the number of bits).
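
An added example (not JPass's own code) of the wordlist-plus-edit-distance check described above. The class and method names, the case-insensitive comparison and the four-entry wordlist are assumptions made for illustration; only the threshold of 4 comes from this page.

```java
import java.util.List;
import java.util.Optional;

class CommonPasswordCheck {
    // Threshold from the page: a distance below 4 counts as too similar.
    static final int MAX_DISTANCE = 4;

    // Two-row dynamic-programming Levenshtein distance (insert, delete, substitute).
    static int levenshtein(String a, String b) {
        int[] prev = new int[b.length() + 1];
        int[] curr = new int[b.length() + 1];
        for (int j = 0; j <= b.length(); j++) prev[j] = j;
        for (int i = 1; i <= a.length(); i++) {
            curr[0] = i;
            for (int j = 1; j <= b.length(); j++) {
                int cost = a.charAt(i - 1) == b.charAt(j - 1) ? 0 : 1;
                curr[j] = Math.min(Math.min(curr[j - 1] + 1, prev[j] + 1), prev[j - 1] + cost);
            }
            int[] tmp = prev; prev = curr; curr = tmp;
        }
        return prev[b.length()];
    }

    // Returns the first wordlist entry equal to the candidate or within the threshold.
    // Lower-casing both sides is an assumption of this example.
    static Optional<String> findSimilar(String candidate, List<String> wordlist) {
        String c = candidate.toLowerCase();
        for (String w : wordlist) {
            // The length difference is a lower bound on the distance: skip hopeless pairs.
            if (Math.abs(w.length() - c.length()) >= MAX_DISTANCE) continue;
            if (levenshtein(c, w.toLowerCase()) < MAX_DISTANCE) return Optional.of(w);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample standing in for the 10000-entry wordlist.
        List<String> wordlist = List.of("123456", "password", "qwerty", "dragon");
        for (String pw : List.of("password", "P@ssw0rd!", "dragon17", "x7#Lm2vQ9e!t")) {
            String verdict = findSimilar(pw, wordlist)
                    .map(w -> "very weak, similar to \"" + w + "\"")
                    .orElse("not close to any wordlist entry");
            System.out.println(pw + " -> " + verdict);
        }
    }
}
```

Because the threshold is a fixed number of edits, any candidate of three characters or fewer is within range of every wordlist entry of the same length or shorter, so a check like this is best combined with a minimum-length or entropy requirement.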

Encrypting and decrypting a password file

  • Decryption/encryption is done with AES-256. The whole process runs in the class dbEncryptionAES.
  • Decryption - The encrypted password file name.pass must exist. The user enters a password, which is then verified (the hashes must match the .secret file). The database is then decrypted and loaded byte by byte into memory (byte[] data). (Then this data is converted to JSON format...)
  • Encryption - byte[] data is encrypted into the file name.pass.

Most important classes

  • Main - entry point of the application.
  • ConfigInit - initializes the path to the config file and checks for an existing config. If the config file doesn't exist, it creates it (and also creates the version file, moves the wordlist into the config directory and creates the secret file).
  • ParseArgs - parses all command line arguments and calls the corresponding function.
  • dbEncryptionAES - encrypts and decrypts the password file (AES-256). The data is stored in byte[] ConfigGetter.data.
  • passEncryptionArgon2 - hashes the entered password using the Argon2d algorithm (the password for the .pass file).
  • JsonReader - reads data from the password database (database in JSON): usernames, passwords, etc.
  • JsonWriter - writes to the password database in JSON.
Packages