Cobbler

Discussion in 'other software & services' started by svenfaw, Feb 8, 2017.

  1. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    The first edition of Cobbler ("Mono") is now available.

    Cobbler looks just like a standard text editor, but it safely stores sensitive notes in a tiny fixed-size encrypted and authenticated container. Examples of sensitive information include personal passwords, pincodes, private keys, secret formulas, etc.

    There is NO browser integration and very few bells and whistles, as the focus is on the essentials:
    • bank-grade encryption (AES_128_CBC)
    • low attack surface (lean codebase, industry-standard algorithms)
    • tamper detection (HMAC_SHA)
    • freeform content
    • no metadata disclosure
    • high bruteforce resistance
    • no plaintext temporary files

    I wrote Cobbler as I did not feel comfortable with either existing secure note desktop applications, or overly complex password managers.

    Several different editions of Cobbler will be available in a later stage.

    More details will follow.


    Feel free to give it a try. Feedback welcome!

    https://www.trustprobe.com/fs1/apps.html

    Standard disclaimer: Use at your own risk and keep backups.
     
    Last edited: Mar 1, 2017
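The container properties listed in the first post (fixed size, encryption, HMAC tamper detection, key stretching), sketched as an added example that is not part of the thread and is not Cobbler's code or file format. Assumptions: PBKDF2-HMAC-SHA256 for stretching, a 4096-byte payload, the salt/nonce/tag layout, and an HMAC-based keystream standing in for AES-128-CBC because Python's standard library has no AES.

```python
import hashlib
import hmac
import os
import struct

PAYLOAD = 4096        # assumed fixed payload size; the thread gives no figure
ITERATIONS = 100_000  # assumed PBKDF2 cost; the thread only says "key stretching"

def derive_keys(password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def stream_xor(key, nonce, data):
    """Stand-in cipher (HMAC-SHA256 in counter mode), NOT the AES-128-CBC Cobbler names."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(password, note):
    """Return a container whose length is the same for every note."""
    if len(note) > PAYLOAD - 4:
        raise ValueError("note does not fit the fixed-size container")
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    # Length prefix plus zero padding, so the ciphertext size reveals nothing.
    padded = (struct.pack(">I", len(note)) + note).ljust(PAYLOAD, b"\0")
    body = salt + nonce + stream_xor(enc_key, nonce, padded)
    # Encrypt-then-MAC: the tag covers salt, nonce and ciphertext.
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_container(password, blob):
    """Verify size and tag before decrypting; reject on any mismatch."""
    if len(blob) != 16 + 16 + PAYLOAD + 32:
        raise ValueError("unexpected container size")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("wrong password or container modified")
    padded = stream_xor(enc_key, nonce, ciphertext)
    (length,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + length]
```

A wrong password and a modified file fail the same check, so the caller cannot tell them apart and nothing is decrypted in either case.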
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    Interesting tool, so it's meant to be mostly a password manager? And can you also copy username and passwords to the clipboard automatically?
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,034
    For me it wasn't clear where the file was stored, but "I could find it" after some searching.
    It's stored in the Profile-directory c:\users\user\COBSTORE.DAT
    Can the full path be displayed in a future version?

    Btw.: the "Choose Master Password"-dialog of Cobbler looks like this:
    Cobbler_Master-Password.png
    After entering the password, the user doesn't have to confirm the previously entered password.
    Maybe it's better to add a confirmation dialog, so it has to be entered again. :cautious:
     
  4. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    It's a little closer to the encrypted flat text file paradigm than featureful password managers.
    Both approaches have their pros and cons - It's the classic tradeoff between security and convenience.

    So no, Cobbler will not send credentials to the clipboard automatically, although I'm working on ways of improving the process without sacrificing security.
     
  5. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Clicking the Locate Data File button on the main window should help find it. :)
    Also you can use the CTRL-T keyboard shortcut to view the master password when configuring it.

    That said, the GUI is still evolving quite a bit, so things may change in later versions.
     
  6. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Version 1,0,009,154 has been posted. Changes:

    - minor UI enhancements
    - HMAC verification made transparent
     
  7. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    957
    To allow the user to change the location where the file is stored seems advised.
     
  8. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    It is not documented yet, but the file location can be specified as a command-line parameter, as follows:

    Code:
    cobbler.exe d:\example\data.dat
    
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,034
    Good, there is now a distinction between the master password dialog for "new container files" (blue) and opening of an existing file.
    New Container:
    Cobbler_new-container.png
    Existing Container:
    Cobbler_existing_container.png
    And for opening of container files, the password dialog is now displayed again after entering the wrong password :thumb:
    This was not the case with the previous version.
    Good to know :thumb:
     
  10. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,353
    Location:
    West Yorkshire, UK
  11. Zero3K

    Zero3K Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    361
    Location:
    Louisville, KY
    How about detecting the text fields in a browser automatically and filling them in? Or is that too much work?
     
  12. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Version 1,0,009,159 has been posted. Changes:

    - enhanced key stretching
    - minor UI enhancements
     
  13. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    By design this type of functionality will not be included, as it adds too much attack surface and has proven to be a security minefield (see LastPass critical vulnerabilities last year).
     
  14. Zero3K

    Zero3K Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    361
    Location:
    Louisville, KY
    Not even if you just scan its window for them?
     
  15. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    If you need that level of convenience, I think Keepass or Bruce Schneier's Password Safe would be a better fit.
    For security reasons, I prefer to keep Cobbler's codebase as small as possible, making future code audits much easier - and cheaper.
    Just to give you an idea, Cobbler Mono (the vanilla edition) has less than 900 lines of code, compared to about 90,000 in Keepass.

    However I do plan to implement a few more simple shortcuts to speed up common tasks a little.
     
  16. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    I feel the same way. The cloud may be trending, but it doesn't mean we have to trust it with your passwords. Giving it a test drive.

    :thumb: keep it stupid simple
     
  17. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,097
    Location:
    UK
  18. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    Good review, except calling Cobbler a "password manager" is probably not the best description. It's primarily a desktop-based secure notes application, with a focus on strong security and data integrity. One use case among others is to store website passwords in it (which I personally do, as explained earlier), but it does not have all the features found in typical password managers - nor is it intended to.
     
    Last edited: Feb 16, 2017
  19. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    New version: 1.009 (build 193)
    SHA1: 4b8a9d27fee69a16f357c10847b2b6bd732f2ced

    Changelog:
    • New: Command-line support for arbitrary keyfiles: cobbler.exe /K [keyfile path]
    • New: CTRL-1, CTRL-2, CTRL-3 keyboard shortcuts to quickly copy fields from the current line to the clipboard
      (Fields must be either comma or whitespace separated. Useful when using Cobbler as a password vault.)
    • Changed: Custom data file path should now be specified as follows: cobbler.exe /F [data file path]
     
    Last edited: Feb 17, 2017
  20. Spectre208

    Spectre208 Registered Member

    Joined:
    Feb 17, 2017
    Posts:
    1
    Location:
    Netherlands
    I started toying around with Cobbler a few days ago and I am honestly a little saddened by this change, as the following now doesn't work anymore:

    Although I understand the necessity of adding argument switches, it would be nice if the previous file-path argument could somehow stay.

    When opening a file in Windows, its file-path gets passed to the program as an argument. This mechanic allowed the user to drag a .dat file onto cobbler.exe to open it instantly. Or even better, the user could register cobbler.exe as the default program to open .dat files (or any extension, really).
     
  21. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    @Spectre208

    I also find that annoying. :)

    I will look into adapting the parsing logic, so that if there is only one argument (a file path), it acts as previously.
     
    Last edited: Feb 17, 2017
  22. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    New version: 1.009 - build 198
    SHA1: b365ce6cb573f3c546446d89687826984959a37c

    Changelog:
    • Changed: Made "/F" optional in case only one command-line argument is passed.
    • New: Ctrl+G at the New Container prompt generates a strong random passphrase that is both high entropy and reasonably easy to remember. It is generally a much safer option than choosing your own password.
    • New: application icon (might still change soon, though.)
     
    Last edited: Feb 19, 2017
  23. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    199
    New version: 1.009 - build 201
    SHA1: 230411769705591eeca5938e64789c4df49f0bc9
    SHA256: 0732fb9e0f7cd9979b7df5ff20d50dea2d238008826b095a4d4e7704c4920d0e

    Changelog:
    • Added quick help screen. (Press F1 to show or hide it)
    • Minor optimizations.
     
    Last edited: Feb 27, 2017
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,034
    Cobbler_Application-icon.png
    Are you using the last icon for all coming versions now? Or will this change again :)
     
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,429
    I noticed that, too. ;)

    Cobbler_versions_01.JPG