PassManagerWeb: A Password Manager Built with Django

Hey everyone! I’ve been slowly developing a personal project called PassManagerWeb, a password manager designed to securely manage your online account passwords. The project is hosted and open-sourced on GitHub, with detailed instructions in the README on how to set it up locally.

I’m excited about how it’s shaping up so far, but I’m eager to keep pushing it forward by adding more challenging and interesting features. I’d love to hear any feedback, suggestions for improvements (security, performance, UI/UX), or feature ideas that could help take it to the next level.

Key Features of PassManagerWeb

  • AES 256 Encryption: Securely store and manage passwords with AES 256-bit encryption, ensuring top-tier security for sensitive information.
  • Multi-Factor Authentication: Protect your account with your favorite authenticator app.
  • Password Generator Tool: Built-in tool to generate strong, random passwords, with customizable options (length, character types).
  • Password Health Monitoring: Built-in tool to check the strength and health of stored passwords, identifying weak, reused, or compromised passwords.
  • Automatic Logout: Enhanced security with automatic logout after 15 minutes of inactivity or on browser close.
  • Cloudflare CAPTCHA Verification: Protects against automated attacks by using CAPTCHA to verify human users.

Source code
Live demo
Screenshots
Purpose

For those interested, here’s a quick overview of what I’ve been working on lately:

  • Hide pagination when items fit on a single page
  • Enable users to export passwords as a CSV file
  • Add support for importing passwords from CSV files
  • Update layout & styling of items
  • Update button sizes & styles in templates
  • Make captcha flexible on registration form
  • Remove captcha from authentication form
  • Display created & last modified dates for items

Any feedback on features & fixes is welcome!

As you may have noticed, I will be adding comments on my implementations here going forward.

  • Adjust field lengths in Item model
  • Remove encryption from url field (Encryption in the url field doesn’t add significant value and actually outweighs the database storage efficiency.)
  • Add session timeout management for users in UserChangeForm
  • Fix warning in tests by using timezone-aware datetimes

Latest updates:

Make 2FA configurable & optional for user accounts

This PR also includes:

Highlights from the past week:

Implement per-user encryption for sensitive data

This PR also includes:

  • Ensure encryption key is forgotten after use
  • Update password_checkup, download_csv, upload_csv views to use model method for encryption & decryption
  • Update master password with data re-encryption
  • Update tests for new_item, edit_item, download_csv, upload_csv, password_checkup, account views
  • Update tests for CustomUser & Item models
  • Update admin & its tests

Highlights from the past week:

Some things are deprecated as they’re unsuitable for a locally self-hosted, non-business application. Take a look:

  • Upgrade encryption to AES-256 GCM
  • Send email notification when master password is updated
  • Simplified and removed unnecessary tests without sacrificing important checks
  • Remove pagination from vault page
  • Make recipient list dynamic in new_user_registration email
  • Deprecate Cloudflare captcha verification in register form
  • Deprecate home & faq views
  • Deprecate clean-remote-db management command

You should definitely add it to Built with Django!

Latest updates:

  • Setup Docker for self-hosting
  • Resolve PermissionError for static files in Docker
  • Add restart policy for both services on docker-compose
  • Add toggle for account update & master password change email notifications
  • Remove redundant header from templates