PfP: Pain-free Passwords 2.0.0
This is the first release under the new name “PfP: Pain-free Passwords,” previous releases went as “Easy Passwords.” This release also introduces significant updates to the cryptography powering the extension:
- All metadata saved by the extension as well as backups are now encrypted (issue #47).
- Password generation now uses scrypt algorithm rather than PBKDF2, making guessing the master password even harder (issue #58).
- AES-GCM algorithm is used for encryption rather than AES-CBC (issue #47).
What this means for users
There will be a six months transitional period:
- Passwords generated with the old algorithm are still supported, you have to check “Easy Passwords 1.x password” when recreating them however. Once the transitional period is over, these passwords will be converted into stored passwords, recreating them will no longer be possible.
- Unencrypted backups can still be imported. You should create new backups however, importing unencrypted backups will not be possible once the transitional period is over.
Side-effects of the cryptography update
- All Passwords page can no longer work without a master password and will ask for it if necessary.
- Password notes will now be displayed directly instead of the message “Notes encrypted and saved,” no separate decryption step necessary for notes. Showing them on the All Passwords page is optional (issue #65).
- Importing backups created with a different master passwords will fail completely rather than produce a bogus partial result.
- A better online version is now available, having most of the extension’s functionality.
- Terminology change: “legacy passwords” are called “stored passwords” now.
- All Passwords page will now contain a recovery code for stored passwords. It is safe to print and allows recovering the password if entered into PfP later, assuming that the same master password is still used (issue #64).
- LastPass export files can now be imported just like PfP’s own backups (issue #26).
- Added some explanation text to the All Passwords page (issue #66).
- Stored passwords can have revisions as well now, meaning that different passwords for the same username are possible.
- Import and export icons should be more obvious now (issue #49).
- Worked around a Firefox for Android bug, pop-up wasn’t being closed after filling in a password (issue #61).
- Fixed checkbox visuals in Firefox.
- Decryption errors will produce a more helpful error message (issue #68).