Mortimer: A Rails Password Manager
Today we release mortimer, our Rails-based password management application. The goal was to produce a secure, multi-user password vault providing basic user permissions and a simple interface. Here’s a screenshot from the current app:
Public-key Cryptography
mortimer secures passwords using public-key cryptography. Each user on the system has a unique key pair. When you create a password entry, mortimer stores a uniquely-encrypted version of that password entry for each user with access to that password. This ensures that any time a password changes, all users have access to the change, with no compromise in security. And since all private keys are symmetrically encrypted with the user’s password, even a compromised database is fairly useless.
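As an added illustration of the scheme above (not mortimer's own code; the VaultUser and PasswordEntry classes, method names and sample users are hypothetical), here is the per-user encryption model in plain Ruby with the standard openssl library: one key pair per user, the private key stored only as a PEM encrypted under the login password, and one RSA-OAEP copy of the secret per reader, re-wrapped for everyone when the secret changes.

```ruby
require 'openssl'
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# One key pair per user. Only the password-encrypted private key is kept,
# so a dumped database yields nothing without the user's login password.
class VaultUser
  attr_reader :name, :public_key
  def initialize(name, login_password)
    @name = name
    key = OpenSSL::PKey::RSA.new(2048)
    @public_key = key.public_key
    @encrypted_pem = key.export(OpenSSL::Cipher.new('aes-256-cbc'), login_password)
  end
  # Unlock the private key with the login password and decrypt one stored copy.
  # Returns nil when the password is wrong or the copy was made for another key.
  def read(ciphertext, login_password)
    key = OpenSSL::PKey::RSA.new(@encrypted_pem, login_password)
    key.private_decrypt(ciphertext, OAEP)
  rescue OpenSSL::OpenSSLError
    nil
  end
end

# One independent RSA-OAEP ciphertext per reader; changing the secret
# re-wraps it for every reader, so all of them see the change.
class PasswordEntry
  attr_reader :copies
  def initialize(secret, readers)
    rotate(secret, readers)
  end
  def rotate(secret, readers)
    @copies = readers.to_h { |u| [u.name, u.public_key.public_encrypt(secret, OAEP)] }
  end
end

# Constructed scenario: two users share one entry, then the secret is rotated.
def demo
  alice = VaultUser.new('alice', 'alice-login-passphrase')
  bob   = VaultUser.new('bob', 'bob-login-passphrase')
  entry = PasswordEntry.new('old-db-secret', [alice, bob])
  before = alice.read(entry.copies['alice'], 'alice-login-passphrase')
  entry.rotate('new-db-secret', [alice, bob])
  { alice_before: before,
    alice_after: alice.read(entry.copies['alice'], 'alice-login-passphrase'),
    bob_after: bob.read(entry.copies['bob'], 'bob-login-passphrase'),
    copies_differ: entry.copies['alice'] != entry.copies['bob'],
    cross_user: alice.read(entry.copies['bob'], 'alice-login-passphrase'),
    wrong_password: bob.read(entry.copies['bob'], 'wrong-passphrase') }
end
```

Only the two `*_after` reads recover the rotated secret; Alice reading Bob's copy and Bob using the wrong login password both come back nil, which is the property that makes a stolen database of little use.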
Precautions
Many would still argue that “web application” and “password manager” are mutually exclusive terms. It depends. We recommend, at minimum, the following:
- Do not expose mortimer to the public internet.
- Run it over SSL (this is, in fact, required).
- Use strong passwords, and limit access to the production environment.
A work in progress
mortimer should be considered alpha, as it will remain under active development. Expect improvements to the UI, along with security tweaks and cross-browser compatibility. Let us know if you find it useful.
Contributions are welcome. Clone or fork us on GitHub.