I am building Bluepass. Bluepass is a modern password manager designed to be useful and secure in today's world. It combines broad platform support, peer-to-peer synchronization over local networks (never through the cloud), and openness with a simple, intuitive, easy-to-use interface.
The start of Bluepass is here today. It is available on GitHub under the GPLv3 and works on Linux. To complete the vision, more platforms need to be supported, and it needs to be made available on mobile devices and in web browsers. You can help build the modern password manager by participating in the Bluepass fundraiser. I am raising $60,000 to complete the work on Bluepass.
In our online lives we are required to keep track of tens, if not hundreds, of passwords for the web sites we use every day. We all know the basic rules for secure passwords: use strong passwords, meaning long random strings of characters, and use a different password on every site. For a human it is virtually impossible to comply with these rules, which is where a password manager comes in. A password manager can generate strong passwords and store them securely in an encrypted database.
There are many password managers around. However, times have changed, and so have the requirements. We now live in a multi-device world, so broad device support and synchronization need to be a key part of the design. And we have recently become aware that governments and national security agencies are spying on our online traffic on a massive scale. This affects how synchronization must work and how the software itself must be developed.
A modern password manager can help us be safer online by solving password management in a way that is secure today. For me, the modern password manager has three essential properties, which are listed below. Together with a simple and intuitive user experience, it can result in a substantial improvement of our online security.
Below are some screenshots of the Linux version, and a table summarizing the current porting status.
| Platform | Supported? | P2P Sync? | Packages | Tested On |
|---|---|---|---|---|
| Linux | YES | YES | Source code only | Fedora, Ubuntu |
| Mac OSX | YES | NO | Source code only | OSX Mountain Lion |
| Windows | Needs porting and packaging effort. | | | |
| Mobile devices | Planning support for Android and iOS | | | |
| Browser support | Planning plugins for Chrome and Firefox | | | |
Who are you?
I am Geert Jansen. I have been an open source developer for almost 18 years. You can see some of my projects on my GitHub page.
What are you raising funding
I am raising the funding to create Android and iOS versions of Bluepass, to complete the various bits of the Windows and Mac OSX versions, and to create plugins for Chrome and Firefox.
What if you don't raise enough money?
I will certainly use the money to make as much progress as I can. But it is not guaranteed that I will be able to complete all the work mentioned above.
Under what license will the different versions be
The current version of Bluepass is available under the GPLv3, and that will not change. Having an open source project behind Bluepass is essential to the vision of a truly secure password manager. The focus of the current code is to support general-purpose desktop operating systems.
To complete the vision of Bluepass, it is important that there are quality, productized versions of Bluepass available for mobile platforms and browsers. These platforms are in essence rapidly changing, mass-market consumer platforms controlled by a single vendor, which makes them costly to support. So far there are not many examples of a purely open source project being able to provide the frequent, high-quality releases these platforms require.
I believe that an essential part of achieving the Bluepass vision is to support the mobile versions through a revenue stream from the platform app stores. I am considering options on how to achieve this. The mobile versions will use the same backend as the desktop version, and a custom front-end that may be platform specific. The source code for the platform front-ends will certainly be available for audit and personal recompilation. However, I cannot yet commit that the license will allow redistribution on a platform app store.
What will be the price of the mobile versions?
The mobile versions will be available for a small price. I have not yet decided the pricing level, but it will be somewhere between $5 and $10. The vision is that of a truly secure password manager that is available to everybody. Charging an excessive price would be incompatible with this.
What do I get when I fund you?
Once the software is ready, you will receive unlock codes for the mobile versions corresponding to the amount you funded. As a special appreciation for being an early customer, these codes will not expire and will unlock the mobile versions for life.
Why are you doing this?
It has become clear that our essential freedoms as citizens are being eroded by governments that want total visibility in anything we do. Bluepass is an attempt to solve a small part of this, namely, how to securely manage your passwords.
Why is Bluepass secure?
First and foremost, your passwords never travel over the public internet, not even in encrypted form. All synchronization is done peer-to-peer on your own home network. Bluepass applies cryptography at several layers (see the next question). In addition, the majority of Bluepass is written in a memory-safe, high-level language (Python), which rules out whole classes of flaws such as buffer overruns in that code.
How does Bluepass use Cryptography?
Cryptography is used at several layers. All passwords that travel over your home network are encrypted with 2048-bit RSA to the receiving device's key. Each device has its own key pair, and the private keys never leave the device. The encrypted passwords are then synchronized between devices over SSL using anonymous Diffie-Hellman, whose ephemeral keys provide perfect forward secrecy for the transport. Anonymous Diffie-Hellman does not by itself authenticate the peer; that is the job of the pairing step: the trust relationship between two devices is set up via a Diffie-Hellman key exchange and authenticated with a 6-digit PIN code that must be entered within a 60-second window. On your device, the vault is unlocked by a Diceware passphrase that is generated for you. This passphrase is salted and stretched with PBKDF2 before it is used as key material, so it cannot be attacked with precomputed tables and each guess costs the attacker the full stretching work. For more information on Bluepass security, see the "docs" directory in the GitHub repository.
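The vault-unlock path described above, as an added example that is not Bluepass's own code: a Diceware-style passphrase is chosen with a CSPRNG and then stretched with salted PBKDF2-HMAC-SHA256 to produce the vault key. The 36-word list is a constructed stand-in for a real 7776-word Diceware list, and the iteration count, the HMAC-based unlock verifier and all function names are assumptions of this example, not taken from the Bluepass repository.

```python
# Added example (not Bluepass code): Diceware-style passphrase generation and
# salted, stretched PBKDF2 vault-key derivation. Iteration count, verifier
# construction and names are assumptions made for this illustration.
import hashlib
import hmac
import math
import os
import secrets
import unicodedata

# Constructed toy word list. A real Diceware list has 6**5 = 7776 words,
# each indexed by five dice rolls; the short list keeps the example offline.
WORDLIST = (
    "acorn basin cedar delta ember fjord gable hazel igloo jumbo kayak lemon "
    "mango noble otter pearl quilt raven sable tulip umber vivid wafer xenon "
    "yacht zesty amber bison cobra dusky elbow flint grove hinge ivory jolly"
).split()

# Assumed iteration count (the page does not state Bluepass's own value);
# OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
VERIFIER_LABEL = b"vault-unlock-verifier"  # assumed domain-separation label


def diceware_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    """Pick words uniformly with a CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(list_size)


def stretch_passphrase(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Salted, stretched key derivation: PBKDF2-HMAC-SHA256 -> 32-byte key.

    NFKC normalisation makes the same passphrase typed on different devices
    derive the same key. The salt is per vault, so identical passphrases on
    two vaults give unrelated keys and precomputed tables are useless.
    """
    pw = unicodedata.normalize("NFKC", passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=KEY_BYTES)


def new_vault_header(passphrase: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Create the unlock record stored beside the encrypted vault.

    Only the salt, the iteration count and an HMAC verifier are stored;
    the derived key itself is never written to disk.
    """
    salt = os.urandom(SALT_BYTES)
    key = stretch_passphrase(passphrase, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock_vault(header: dict, passphrase: str):
    """Return the vault key if the passphrase is correct, otherwise None.

    compare_digest avoids leaking, via timing, how many verifier bytes matched.
    """
    key = stretch_passphrase(passphrase, header["salt"], header["iterations"])
    check = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    if not hmac.compare_digest(check, header["verifier"]):
        return None
    return key


if __name__ == "__main__":
    phrase = diceware_passphrase()
    print("generated passphrase:", phrase)
    print("entropy with a full 7776-word list: %.1f bits"
          % passphrase_entropy_bits(6, 7776))
    header = new_vault_header(phrase)
    assert unlock_vault(header, phrase) is not None
    assert unlock_vault(header, phrase + " extra") is None
    print("correct passphrase unlocks; wrong passphrase is rejected")
```

Two design points worth noting: the header stores a verifier derived from the key rather than the key or a plain hash of the passphrase, so a stolen header still forces an attacker through the full PBKDF2 cost per guess; and the iteration count is stored alongside the salt so it can be raised over time as hardware gets faster without invalidating existing vaults.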
Can I email you?
Yes, you can send email to email@example.com.
You will receive Bluepass announcements.