Mortimer: A Rails Password Manager
Today we release mortimer, our Rails-based password management application. The goal was to produce a secure, multi-user password vault providing basic user permissions and a simple interface. Here’s a screenshot from the current app:
Public-key Cryptography
mortimer secures passwords using public-key cryptography. Each user on the system has a unique key pair. When you create a password entry, mortimer stores a separately encrypted copy of that entry for each user who has access to it, one per user's public key. This ensures that whenever a password changes, every authorized user sees the change, without any private key ever being shared between users. And since each private key is symmetrically encrypted with its owner's login password, a compromised database on its own yields only ciphertext: an attacker would still have to guess a user's login password to unlock that user's private key, so the strength of those login passwords is the limit of the design.
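As an added illustration of the scheme just described (this is example code written for this page, not mortimer's own implementation), the model below assumes a hybrid construction: each entry is encrypted under a fresh random AES-256-GCM data key, that data key is wrapped with each authorized user's RSA public key using OAEP, and each user's private key is stored only as a passphrase-encrypted PEM. The class names, user names and passwords are made up for the example. It walks through the three cases the text cares about: every authorized user decrypts the same entry, a wrong login password unlocks nothing even with the full record in hand, and rotating the entry with a shorter user list revokes access.

```ruby
require 'openssl'

# Added example (not mortimer's code): a minimal model of a per-user
# public-key vault. Assumed construction: hybrid encryption with an
# RSA-OAEP-wrapped AES-256-GCM data key per entry.

class VaultUser
  attr_reader :name, :public_key, :encrypted_private_key

  def initialize(name, login_password)
    @name = name
    key = OpenSSL::PKey::RSA.new(2048)
    @public_key = key.public_key
    # Only the passphrase-encrypted PEM is ever persisted; the plaintext
    # private key exists just long enough to export it.
    @encrypted_private_key = key.export(OpenSSL::Cipher.new('aes-256-cbc'), login_password)
  end

  # Unlock the private key; raises OpenSSL::OpenSSLError on a wrong password.
  def private_key(login_password)
    OpenSSL::PKey::RSA.new(@encrypted_private_key, login_password)
  end
end

class PasswordEntry
  OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  attr_reader :title, :wrapped_keys

  def initialize(title, secret, users)
    @title = title
    update_secret(secret, users)
  end

  # (Re-)encrypt the secret under a fresh data key and wrap that key for
  # every user in `users`. Calling this again with a smaller user list
  # revokes access: the removed user never receives the new data key.
  def update_secret(secret, users)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    data_key = cipher.random_key
    @iv = cipher.random_iv
    cipher.auth_data = @title # bind the ciphertext to its entry title
    @ciphertext = cipher.update(secret) + cipher.final
    @tag = cipher.auth_tag
    @wrapped_keys = users.to_h { |u| [u.name, u.public_key.public_encrypt(data_key, OAEP)] }
    self
  end

  # Decrypt for one user. Needs both the stored record and the user's
  # login password; either alone (e.g. a dumped database) is not enough.
  def reveal(user, login_password)
    wrapped = @wrapped_keys.fetch(user.name) do
      raise ArgumentError, "#{user.name} has no access to #{@title}"
    end
    data_key = user.private_key(login_password).private_decrypt(wrapped, OAEP)
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = data_key
    d.iv = @iv
    d.auth_tag = @tag
    d.auth_data = @title
    d.update(@ciphertext) + d.final
  end
end

# Walk through the lifecycle (share, wrong password, rotate, revoke) and
# return the observations so a caller can check them instead of reading stdout.
def vault_walkthrough
  alice = VaultUser.new('alice', 'correct horse battery staple') # constructed sample users
  bob   = VaultUser.new('bob', 'tr0ub4dor&3-but-longer')
  entry = PasswordEntry.new('prod db', 'hunter2', [alice, bob])
  out = {}
  out[:alice_sees] = entry.reveal(alice, 'correct horse battery staple')
  out[:bob_sees]   = entry.reveal(bob, 'tr0ub4dor&3-but-longer')
  out[:wrong_password] = begin
    entry.reveal(bob, 'wrong password')
    :decrypted # must never happen
  rescue OpenSSL::OpenSSLError
    :rejected
  end
  entry.update_secret('hunter3', [alice]) # rotate the secret and drop bob
  out[:alice_after_rotation] = entry.reveal(alice, 'correct horse battery staple')
  out[:bob_after_revocation] = begin
    entry.reveal(bob, 'tr0ub4dor&3-but-longer')
  rescue ArgumentError
    :revoked
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  vault_walkthrough.each { |k, v| puts "#{k}: #{v}" }
end
```

Two design points worth noting: the per-user copies are not independent encryptions of the secret but one ciphertext plus one wrapped data key per user, which is what makes a change visible to everyone at once; and revocation only works because `update_secret` also rotates the data key, since a revoked user who already decrypted the old key could otherwise keep reading the old ciphertext.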
Precautions
Many would still argue that “web application” and “password manager” are mutually exclusive terms. It depends on how the application is deployed. We recommend, at minimum, the following:
- Do not expose mortimer to the public internet.
- Run it over SSL (this is, in fact, required).
- Use strong passwords, and limit access to the production environment.
A work in progress
mortimer should be considered alpha software; it remains under active development. Expect improvements to the UI, along with security tweaks and cross-browser compatibility fixes. Let us know if you find it useful.
Contributions are welcome. Clone or fork us on GitHub.
Hi Kyle,
I’m the co-founder of Clipperz, an online password manager that, like Mortimer, is based on the counterintuitive idea of building web apps while preserving privacy and security for the users and their data.
We call Clipperz a zero-knowledge web app. You can read more here:
- Anatomy of a zero-knowledge web application
- Freedom and privacy in the cloud, a call for action
Clipperz is open source (AGPL) and it would be great if we could join our resources to build the best online password manager.
What do you think?
Marco
Hi Kyle,
Your app is awesome. I’d love to extend it with another security feature, but unfortunately I don’t know Ruby.
Situation: you’re at an internet cafe and desperately want a password, PIN or whatever, so you don’t want it to be shown on the client PC.
My solution: send the username:password via text message to the user’s mobile. I use the Perl script from sipgate to do the job.
http://www.sipgate.co.uk/user/download_api.php
A friend and I implemented this for secure login to a protected website, but I’m not capable of implementing the same within your app.
Is it possible that you might add it or assist me to get used to ruby and your app?
Kind Regards,
Patrick
mortimer-public@rebscher.org
Interesting art design. I’m currently going through the code and I’ll be happy to contribute patches if any come up.
I hope this project stays afloat, there are seemingly very few alternatives out there.
Regards,
Daniel