Paw is a cross platform application to manage your passwords and identities securely.
It is written in Go and uses Fyne as UI toolkit and age as encryption library.
- Cross platform application (linux, macOS, Windows, BSD ...) with a single codebase
- Open source: code can be audited
- Only one secret key to remember used to store securely your passwords
- Audit passwords against data breach
- Automatically detect and use password rules for known web sites that require ones
- Automatic backup / syncronization
- CLI application
- Mobile / Web applications
- Password import
- Stateless password derivation support
- Unicode password support
go install lucor.dev/paw/cmd/paw@latest
One or more vaults can be initialized to store passwords and identities.
When the vault is initialized user will be prompt for a vault name and password that are used for:
- generate an age Scrypt Identity and Recipient used to decrypt/encrypt the vault data;
- derive a symmetric secret key with Scrypt used as seed for the random password generation;
Random password are derived reading byte-by-byte the block of randomness from a HKDF cryptographic key derivation function that uses the seed above as secret. Printable characters that match the desired password rule (uppercase, lowercase, symbols and digits) are then included in the generated password.
Where a generated password is not applicable a custom password can be specified.
Vault internally is organized hierarchically like:
- vault
├── website
| └── www.example.com
| └── my.site.com
├── password
| └── mypassword
└── note
└── mysecretnote
where website, password and note are the Paw items, see the dedicated section for details.
Items are special templates aim to help the identity management.
Currently the following items are available:
- note
- password
- website
The threat model of Paw assumes there are no attackers on your local machine.
- Fork and clone the repository
- Make and test your changes
- Open a pull request against the
developbranch
See contributors page