Padloc

Padloc is a password manager developed in Germany. It can also store notes, credit cards and documents.

Minimum requirements

:white_check_mark: E2E encrypted
:white_check_mark: Must have thoroughly documented encryption and security practices (whitepaper)
:white_check_mark: Must have a published audit from a reputable, independent third-party (ROS and NCC)
:white_check_mark: All non-essential telemetry must be optional (yes? Not sure)
:white_check_mark: Must not collect more PII than is necessary for billing purposes. (yes, privacy policy)

Best case

:grey_question: Telemetry should be opt-in (disabled by default) or not collected at all (not sure)

:white_check_mark: Should be open-source and reasonably self-hostable (yes, Github)

I’m putting it here to know what you think about it and if it could be an interesting alternative to Bitwarden for a cloud based password manager : )

You can’t enable 2FA for your account without paying for premium.

According to their security whitepaper, they’re using PBKDF2. I couldn’t find any details about the iteration count. It also seems like the whitepaper itself is incomplete.

Disclosure: I am not a cybersecurity expert. I’m only concerned about the use of PBKDF2 after hearing about the LastPass situation, especially since 2FA isn’t even an option that’s available on the free plan.

3 Likes

A couple issues

  1. Letting users rotate the randomly generated master password because they “dont like it”, is a very bad idea. You’re limiting the range of possible words to only those which sound appealing, reducing entropy.

  1. Four words is not enough in my opinion for a master password, the default seems a bit weak, though they do let you pick a custom password at least.

  2. Paywalling 2FA is also a very bad idea, especially considering how this is a password manager…

Other than that, this does look very interesting, the interfaces look very polished and well-made, i might selfhost it and switch to it from vaultwarden.

Edit: There doesn’t appear to be an option in the apps to customise the server url. They’re hardcoded to the public padloc server, meaning if i selfhost i’ll probably have to just stick to the web interface which is a shame…

2 Likes

All passwords managers (I had tested) allow you to do this. I don’t see the harm as long as you are not cherry picking each word

1 Like

Then this happens.

https://ambiso.github.io/bitwarden-pin/

For that I prefer to use biometrics, but you may get paranoid arguments against it

1 Like