ta32 edited this page Sep 22, 2023 · 8 revisions

Why TPM?

  • A free and open-source password manager.
  • A password manager that safeguards all your passwords without the need for a master password.
  • A password manager wherein the encrypted passwords, when synced online, are stored in an account that you own.

These requirements were previously fulfilled by the Trezor Password Manager (TPM), which, unfortunately, has been deprecated.

Project Goals

The Temporary Password Manager (TPM) serves as a replacement for the now-deprecated Trezor Password Manager, a Chrome extension originally developed by Satoshi Labs. The original extension was discontinued due to the extensive modifications required to make it compatible with the new Chrome extension API (MV3).

Our project involves rewriting the TPM Chrome extension, with the objective of replicating its existing functionalities in a progressive web app (PWA) format. PWAs are web apps that employ a service worker functioning as a proxy, capable of caching data and enabling offline usage.

The revamped TPM will transcend the limitations imposed by the Chrome extension API, eventually offering limited offline support. Beyond making the project open source, we aim to provide a trustless installation process for users.

Although the project is open source, users still need a way to verify that the code running on their systems matches the code housed in this repository. The most viable way to achieve this is to let users build the code themselves and install it on their own systems. The same approach would apply to web extensions, but Firefox, for instance, no longer permits the deployment of locally built (unsigned) extensions. Extensions must undergo Mozilla's verification process and obtain a signature before users can download the package, and this procedure is not user-friendly. Consequently, we adopted the PWA approach. Because PWAs are web apps, they should be accessible on any device equipped with a web browser, with a unified codebase across all platforms.

By utilizing a PWA, users can clone the repository and execute the code through the local development server (initially). Upon launching the app, users have the option to install it. The service worker is designed to cache the app, facilitating offline use of TPM without the necessity for a development server.
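The install-then-offline flow described above, sketched as an added example that is not TPM's own code. The cache name, the asset list and the rule that cross-origin requests are never cached are assumptions made for illustration.

```javascript
// Added example: the names and asset paths below are assumptions, not TPM's code.
const CACHE_NAME = 'app-shell-v1';                              // hypothetical
const APP_SHELL = ['/', '/index.html', '/app.js', '/app.css'];  // hypothetical

// Install step: fetch every shell asset, then store them all. Fails closed:
// one bad response rejects the install, so a partial app is never cached.
async function precache(cache, fetchFn, urls) {
  const fetched = await Promise.all(urls.map(async (url) => {
    const res = await fetchFn(url);
    if (!res.ok) throw new Error(`precache failed for ${url}: ${res.status}`);
    return [url, res];
  }));
  await Promise.all(fetched.map(([url, res]) => cache.put(url, res)));
  return urls.length;
}

// Only same-origin GETs may be answered from the cache. Cross-origin traffic
// (for example calls to the Dropbox API) always goes to the network, uncached.
function isCacheable(request, origin) {
  return request.method === 'GET' && new URL(request.url).origin === origin;
}

// Fetch step: the worker acts as a proxy and serves the cached copy first,
// which is what lets the installed app start without a development server.
async function cacheFirst(cache, fetchFn, request, origin) {
  if (!isCacheable(request, origin)) return fetchFn(request);
  const hit = await cache.match(request.url);
  return hit || fetchFn(request);
}

// Wiring: active only when this file runs as a real service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('install', (event) => {
    event.waitUntil(
      caches.open(CACHE_NAME).then((c) => precache(c, fetch, APP_SHELL)));
  });
  self.addEventListener('fetch', (event) => {
    event.respondWith(caches.open(CACHE_NAME).then(
      (c) => cacheFirst(c, fetch, event.request, self.location.origin)));
  });
}
```

The cache and fetch function are passed in as parameters so the install and lookup logic can be exercised outside a browser with stand-ins.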

Progress

So far, I have completed a vertical slice of the core functionality, allowing users to log in to Dropbox, connect with their Trezor device, and add and edit password entries, associating them with specific tags. The AppData and passwords can be decrypted when the user reconnects to the app. What remains is to address the device events and edge cases, along with further enhancements to both quality and security.

Going forward, I plan to minimize the reliance on third-party dependencies in this project, a step aimed at reducing the potential for supply chain attacks. Additionally, I intend to furnish comprehensive technical documentation for the project. This documentation will facilitate a deeper understanding of the code for individuals with basic programming knowledge, making it more accessible and transparent.

Screenshots

[Screenshots of the app]

The position of the randomized number pad is shown on the hardware wallet screen. The only thing captured by an attacker would be the length of your PIN. The Trezor Model T has its own screen for PIN entry.
