Turaku

A simple, secure & open-source team password manager.

© 2018 Hari Gopal.

Why Turaku, a new password manager?

Introducing Turaku, a new team password manager

Password managers are a necessary evil. It is inevitable that as users of internet services, we'll register dozens, if not hundreds, of accounts. From past data breaches, we know that using the same password everywhere is just inviting trouble. So, you have to use different, strong passwords for every website.

Thankfully, for personal use, doing so is pretty easy these days.

If you're using web browsers to register accounts, modern ones like Chrome and Safari will offer to create strong passwords, and keep them encrypted and saved along with your account. In most cases, this feature works within their respective app ecosystems as well. If this is insufficient, there are a number of free, cross-platform, and open-source password managers that don't require you to have another account. My favourite, at the moment, is KeeWeb. It's lightweight, runs on desktop, and offers all of the features that I look for in a password manager.

Why Turaku? Well, because there's nothing similar for teams. Let's go through my essential checklist for a password manager, in no particular order:

  1. Must be open-source.
  2. Be able to store information other than passwords.
  3. Allow offline access to passwords.
  4. Have configurable auto-generation of strong passwords.
  5. Be able to generate one-time passwords (TOTP).
  6. Have a method of grouping or organizing entries.
  7. Must be simple to set up and use.

And additionally, a team password manager...

  1. Must never transmit or store unencrypted user data.
  2. Have a robust permissions management system.

Insist on Open-source

Why should you trust your passwords to a service that doesn't reveal how it stores or transmits your data? How can you?

Store secrets, not just passwords

Think product keys, credit card numbers, passcodes to offline services, etc. A password manager should be flexible in allowing users to store (textual) data other than conventional credentials.

Offline access to passwords

Because internet access isn't guaranteed, and your password store could contain information other than passwords that you need while offline.

Configurable auto-generation of passwords

Lots of web services mandate that passwords have a minimum length. Totally sensible. Some even insist that special characters must be included. Annoying, but still acceptable. However, some misguided web services go the extra mile to inconvenience you.

I have a bank account that insists that spaces are not allowed in passwords, and while special characters are required, only ones from a select list are allowed. Sigh.

There's never a good reason for such rules to exist. Sadly, many websites that enforce such limitations do exist, so a password manager must be able to generate passwords that comply with them.

Support for One-Time Passwords (TOTP)

Time-based one-time passwords are the kind that you're asked to set up using Google Authenticator, or Authy. You might be thinking that this sounds a bit daft, given that OTPs are usually added as a second factor of authentication. So why is it a good idea to store it alongside the password?

That's because the main advantage of an OTP is that it isn't vulnerable to replay attacks (read about it on Wikipedia). Unlike passwords, which are static, OTPs change, and so can't be reused. This means that they're still perfectly useful, even when access to the OTP generator is shared.

Simplicity as a feature

Password managers, as I'd mentioned at the beginning of this article, are a necessary evil. The step of authenticating yourself is something that delays your access to a service. So making the process of granting access as quick and simple as possible is a primary goal for any password manager.

Never transmit or store unencrypted user data

When sharing passwords with others, it is inevitable that data will be transmitted, and most often it will be stored for ease-of-use. In both situations, it should be impossible for a third party (including the service provider) to decrypt the information on their own.

Sensible permissions management

When sharing passwords among teams, you'll need some method to set rules that define who has access to what. Blanket access is generally insufficient, whereas overly complicated solutions simply deter use. Password managers must strike a balance.

So, why Turaku?

All available team password managers fail to satisfy at least some of these requirements. Turaku is being built to solve that.

Oh, and in Malayalam, തുറക്ക് means “open”.


Credits

Art by Rekha Soman: www.rekhasoman.com