I’ve just discovered this new password manager called PearPass. As I understand it, it’s created by the team behind the Tether stablecoin. I haven’t read all too far into the documentation yet; however, it appears quite interesting to me as it fully relies on P2P syncing and completely avoids cloud storage.
Without a published security whitepaper, I cannot determine:
Encryption layering: Is the vault encrypted locally with symmetric crypto derived purely from the master password before transmission? Or does asymmetric crypto play a role in vault encryption?
Key material exposure: What key material transits the P2P network? If breaking transport encryption only yields ciphertext that still requires the master password to decrypt, the practical impact is reduced.
Metadata exposure: What can a passive observer learn from DHT queries and connection patterns, independent of payload decryption?
My own thoughts:
Whether or not the ticket is AI created, I also struggled hard trying to find documentation about how the system generates the master password, what size salt is used, what password hashing function is used, what key derivation parameters there are, how the system measures password strength, etc. Poor documentation for a cryptographic implementation is anything but ideal.
As per the GitHub ticket, the program apparently syncs passwords over X25519-XChaCha20-Poly1305, with X25519 being the first domino brick to tumble when quantum computers grow. This isn’t a massive issue by any means, but good to know.
Finally, a lot of it is written in JavaScript of all things. Type safety (or at least type annotations) would probably be the first thing a security-critical application should have. EDIT: Apparently JSDoc can be used in type linters too.
At least they seem to have some unit tests but given the poorly documented code (comments/docstrings, and separate documentation) I’m inclined to stick with KeepassXC.
EDIT: Modified heavily to emphasize my own thoughts and separate them from the possibly AI slop GitHub ticket I quoted.
Even if it was written in TS, this is a client code repo, so there’s no guarantee that the types will match the server. Types would provide a better developer experience and maintainability (e.g. updating libs that export their own types). Tbf most of the repo code actually is typed via JSDoc annotations.
The point of tests is long term maintainability, but this project only has a single real contributor and is too young to really need them. Tests can carry the same bias as the developers and do not prove the correctness of the system.
One just started playing with this a week or so ago. Nothing important is in there yet.
I like it on the face of it. It’s very clean and holds lots of options. I like the fact it’s offline, but can sync p2p.
It uses “vaults”, and anyone can in theory share a vault with you as long as you allow them to scan a QR code you generate. This may be of use for some in terms of family or spouses. The browser extension is set up in a similar way too.