README

2 min read18 headings

Password Manager

A secure command-line password manager with AES-256 encryption, built to teach cryptography and security best practices in Python.

Features

Military-grade encryption: AES-256-GCM for data at rest
Master password: PBKDF2 key derivation with high iteration count
Password generation: Cryptographically secure random passwords
Clipboard integration: Auto-clear clipboard after timeout
Password strength analysis: Check password security
Categories and tags: Organize passwords
Search: Find entries quickly
Import/Export: CSV and JSON formats
Secure memory: Wipe sensitive data from memory
Auto-lock: Timeout-based security

Project Structure

06_password_manager/
├── README.md
├── requirements.txt
├── pwm/
│   ├── __init__.py
│   ├── __main__.py
│   ├── cli.py
│   ├── manager.py
│   ├── crypto.py
│   ├── storage.py
│   ├── models.py
│   ├── generator.py
│   └── utils.py
└── tests/
    ├── __init__.py
    ├── conftest.py
    └── test_manager.py

Learning Concepts

Cryptography

AES-256-GCM: Authenticated encryption
PBKDF2: Key derivation from passwords
Salt: Preventing rainbow table attacks
Nonce/IV: Ensuring encryption uniqueness
HMAC: Message authentication

Security Best Practices

Secure random: Using secrets module
Memory wiping: Clearing sensitive data
Constant-time comparison: Preventing timing attacks
Input validation: Avoiding injection attacks

Python Concepts

Dataclasses: Data modeling
Context managers: Resource cleanup
Decorators: Function wrapping
Type hints: Code documentation

Installation

cd 06_password_manager
pip install -r requirements.txt

Usage

First Time Setup

# Initialize vault with master password
python -m pwm init

# You'll be prompted to create a master password

Basic Commands

# Add a new password entry
pwm add github.com --username myuser --generate

# Get a password (copies to clipboard)
pwm get github.com

# List all entries
pwm list

# Search entries
pwm search github

# Generate a password
pwm generate --length 20 --symbols

Managing Entries

# Add entry with all options
pwm add example.com \
    --username john@example.com \
    --password "MySecretPass123!" \
    --url "https://example.com" \
    --notes "Personal account" \
    --category "Work"

# Update existing entry
pwm update github.com --password "NewPassword123!"

# Delete entry
pwm delete github.com

# Show entry details (without revealing password)
pwm show github.com

# Copy password to clipboard
pwm copy github.com

Password Generation

# Generate random password
pwm generate

# Custom length
pwm generate --length 24

# Include/exclude character types
pwm generate --length 16 --no-symbols

# Generate passphrase
pwm generate --passphrase --words 4

Organization

# List by category
pwm list --category Work

# Add tags
pwm add site.com --tags "important,work"

# Search with filters
pwm search --category Personal --tags important

Security Features

# Check password strength
pwm strength "MyPassword123"

# Audit all passwords
pwm audit

# Change master password
pwm change-master

# Lock vault
pwm lock

# Export (encrypted)
pwm export backup.enc

# Import
pwm import backup.enc

Security Architecture

Encryption Flow

Master Password
      │
      ▼
   PBKDF2 (100,000 iterations)
      │
      ▼
   256-bit Key
      │
      ▼
   AES-256-GCM
      │
      ▼
Encrypted Vault

Vault Structure

{
  "version": "1.0",
  "salt": "base64_encoded_salt",
  "nonce": "base64_encoded_nonce",
  "data": "base64_encoded_encrypted_data",
  "auth_tag": "base64_encoded_auth_tag"
}

Key Derivation

# PBKDF2 parameters
iterations = 100_000
key_length = 32  # 256 bits
hash_algorithm = "sha256"

key = PBKDF2(master_password, salt, iterations, key_length, hash_algorithm)

Password Strength Criteria

Strength	Score	Requirements
Weak	0-40	< 8 chars, no variety
Fair	41-60	8+ chars, 2 types
Good	61-80	12+ chars, 3 types
Strong	81-100	16+ chars, all types

Types: lowercase, uppercase, digits, symbols

API Usage

from pwm import PasswordManager

# Initialize
pm = PasswordManager("vault.enc")
pm.unlock("master_password")

# Add entry
pm.add(
    name="github.com",
    username="myuser",
    password=pm.generate_password(length=20)
)

# Get password
entry = pm.get("github.com")
print(entry.username)

# Always lock when done
pm.lock()

Testing

# Run all tests
pytest tests/ -v

# With coverage
pytest tests/ --cov=pwm

# Run specific test
pytest tests/test_manager.py -v

Exercises

Add TOTP support: Store and generate 2FA codes
Add password history: Track previous passwords
Add browser extension: Build a browser helper
Add sync support: Encrypt and sync to cloud
Add biometric auth: Fingerprint/Face ID support

Security Notes

⚠️ Important Security Considerations:

Master Password: Choose a strong, unique password
Backup: Keep encrypted backups of your vault
Memory: Vault data is decrypted in memory while unlocked
Clipboard: Auto-clears after 30 seconds by default
File Permissions: Vault file should be readable only by you

License

MIT License - Educational use