Passman is a full featured, open source password manager for Nextcloud.
Visit the βPassman General Talkβ Telegram Group to participate in all sorts of topical discussions about Passman and its apps!
- Features
- External apps
- Screenshots
- Database Compatibility
- Security
- API
- Docker
- Development
- Support Passman
- Contributing
- Multiple vaults
- Vault keys are never sent to the server
- 256-bit AES-encrypted credentials (see security)
- User-defined custom credentials fields
- Built-in OTP (One Time Password) generator
- Password analyzer
- Securely share passwords internally and via link
- Import from various password managers:
- KeePass
- LastPass
- DashLane
- ZOHO
- Clipperz.is
- EnPass
- ocPasswords
Try a Passman demo here.
Our native Passman Android app is available for download from the Google Play Store, IzzyOnDroid and F-Droid.
The legacy Firefox / Chrome extension is the "old-stable", but not maintained and no longer available in the Chrome Web Store since it's MV2 based.
A follow-up extension is in active development and currently considered unstable. It's available but in open beta / development phase.
More screenshots are available on the Nextcloud App Store and imgur.
| Supported | |
|---|---|
| SQLite | β’ |
| MySQL / MariaDB | β’ |
| PostgreSQL | β’ |
CI runs PHPUnit against SQLite on GitHub Actions.
Passman can generate passwords and measure their strength using zxcvbn.
Generate passwords as you like.
Passwords are generated using sjcl randomization.
All passwords are encrypted client side with sjcl using 256-bit AES. You supply a vault key which sjcl uses to encrypt your credentials. Your encrypted credentials are then sent to the server and encrypted yet again using the following routine:
- A key is generated using
passwordsaltandsecretfrom config.php (so back those up). - The key is stretched using Password-Based Key Derivation Function 2 (PBKDF2).
- Encrypt-then-MAC (EtM) is used to ensure encrypted data authenticity.
- Uses openssl with the
aes-256-cbccipher. - Initialization vector (IV) is hidden.
- Double Hash-based Message Authentication Code (HMAC) is applied for source data verification.
Passman allows users to share passwords. (Administrators may disable this feature.)
Passman offers a developer API. Unfortunately it is very outdated and not maintained. You're welcome to update it.
Passman Docker images are currently maintained in passman-dev-docker-build.
| Image | Docker Hub | Use for |
|---|---|---|
| Development | binsky/passman-dev | Local hacking: bind-mount your checkout, run grunt, try different Nextcloud/PHP stacks |
| Demo | binsky/passman-demo | Pre-baked instances (e.g. demo.passman.cc) without dev tooling |
Default login for all images: admin / admin.
Quick start (development):
docker run -d -p 8080:80 -p 8443:443 \
-v /path/to/passman:/var/www/html/apps/passman \
--name passman-dev \
binsky/passman-dev:latest
See the repository README for TLS setup, available tags, and SSH/sshfs mounting.
For production deployments, use the official Nextcloud Docker image and install Passman as an app.
Start from a passman-dev container, then work inside /var/www/html/apps/passman:
- Passman uses a single
.jsfile for templates which minimizes XHR template requests. - Our CSS is written in SASS.
templates.jsand the CSS are built withgrunt/grunt build.- Watch for changes using
grunt watch. - To run PHP unit tests in the running dev container, ...
- run on your host:
make test(full suite) ormake testNoDb(without DB group). Generate a Clover coverage report withmake test-coverage(requires pcov or xdebug in the container). Customize the container name withDOCKER_CONTAINER=passman-dev-nc34-85-testing make test. - or run in the container:
cd /var/www/html/apps/passman && composer run test - after switching branches or on cache-issues, run
cd /var/www/html/apps/passman && composer run test:clear-cache
- run on your host:
Passman is open source and lives from contributions like pull request, but weβll also gladly accept a Club Mate or pizza!
Please consider donating:
- Ko-Fi
Patreon(may come back soon)
Pull requests and issues are welcome. Fork the repo, make your changes, and open a pull request. Add your name to the contributors list below when you do.
Maintainers:
Contributors:
- Newhinton
- HolgerHees
Are you adding something to check if malicious code is executing on the browser? No, because malicious code can edit functions that check for malicious code.





