Next we have Remy Bertot with Passbolt, open source password manager for teams.

Thanks everyone. I just wanted to maybe we could give a little round of applause to Elina and David who have been running this room. Thanks a lot for volunteering and organizing this. It's really nice for me. So I'm Remy Bertot. You may remember me from other open source projects, minor and horrible contributions to mail-village, open social and some other events that we do. But here today I'm here to reprise my role as the co-founder of Passbolt.

Before we start I just wanted to show you this picture which was taken 20 years ago. I think we can appreciate the amount of swag in this picture. If there are Gen Z in the room, 20 years ago Facebook didn't exist so we didn't know that this picture would come back to us.

So is anyone not using a password manager at work? Can you raise your hand? Okay, I can see the Passbolt developer raising their hand. We need to have a little talk about this after. But for the other ones that raised their hands, I would like you to meet with me after because I want to learn how you do to live without fear.

So this is what we did. We built an open source password manager that is designed for collaboration. So you can share secrets with your teams. So you have granular access and permissions to every single resource and folder. It's available by default in the browsers. So it's designed specifically for collaboration. So as many password managers, we also have a quick access so you can basically see this little annoying icon in every single form when you browse the web.

We also have Android and iOS applications. So it works with biometrics and you also have multi-account. So for example, if you have a personal account and a professional account on the same phone, then you can basically use both. They work with the autofill as well. So it's like automatically fill the form for you based on the API that is available by the phone.
And since you guys are most likely developers, we also offer command line interface and SDKs. So if you have curl and GPG, you can pretty much talk to Passbolt and like pipe the output of the curl request to GPG and decrypt the content. So like it's pretty low footprint when it comes to like working with the API. We also have like Ansible plugins and like tutorials on how to integrate this into your GitLab pipelines. So basically you can use it as a secret manager, not just as a password manager for your team. You can also store like credentials for machine to machine authentication if you want.

We also provide, one of the goals of Passbolt is to make sure that administrators of a Passbolt instance do not have to do a lot of work. So like we provide native packages for Linux distribution, pretty much all major distributions. And we keep adding some of them. Like this year we did the Helm charts. So if you're one of the cool kids and you use Kubernetes, you can basically get started with Passbolt as well. It's really low maintenance, we have like people running Passbolt for years and not updating them and then updating them to the last version with just one command. So like we try to make your life easy.

Obviously, we are not the only password manager in the space. So like a lot of people come to me and are like, oh, how are you different from this and that. So main difference with KeePass is like KeePass is a file. So like we are like an API and we do user management. So KeePass is great if you basically want offline access or if you don't want to share data. If you share with KeePass, you're going to have some issues with concurrent access and versioning. But it's great if you do not want to have any metadata and you just want a file and everything is encrypted. So like KeePass is really great there.

Compared to Vaultwarden and Bitwarden, we have like basically different security properties like we use a completely random private key.
With Bitwarden, for example, the encryption strength is depending on the password that is selected by the end user. So there are other password managers like 1Password that use a private key, but basically we are the only other one that does this.

We require the browser extension. So this is also a key differentiator is that you must install Passbolt browser extension. Why? In case the server is compromised, an attacker cannot change the application. So they cannot change, for example, the cryptographic functions or like add some code to extract the decrypted materials. So this is one big difference. So when you access a Passbolt instance, you feel like it's a website, but it's actually not a website. It's an iframe that is inserted in the page and the server cannot basically access what is in that iframe. So it's basically a change of architecture.

And we support, as I said, like nested folders with flexible permissions like in Bitwarden, you basically create collections and you put items in them. We basically support granular sharing and granular secret management. So for example, the secrets in Passbolt are encrypted once per person so that, for example, if somebody leaves the organization, we are able to provide a revocation. So it's not like other password managers, which will have like a symmetric key that is shared with many users and they will not rotate that key for the collection. So obviously Bitwarden supports features that we don't have. So that's why people adopt Bitwarden.

But what happened in 2023? So one of the major events of 2023 that we had is our head of site reliability management at Passbolt got married. So we thought it would never happen, but like maybe we can give him a little round of applause for getting hitched. Well done, Diego.

Now seriously, this year we shipped a single sign-on with OpenID, Microsoft, and Google.
And I'm very pleased to announce that the OpenID connector will be soon available in the community edition. Both community edition and the Pro edition are completely open source. So they are both under AGPL. The Pro edition will require you to pay something, but obviously it's open source software, so you can do as you please.

So we also shipped another interesting feature, which is like TOTP, which allows you to store your TOTP code into Passbolt and share them. So should you put your password and your TOTP code in the same application, it is up to you to decide. It's interesting, for example, if you want to share them, but if you don't want to put all your eggs in the same basket, I will understand. But the same way, like you need to look at all the risks, for example, if you use the Google Authenticator, if you have the sync enabled across device, your TOTP codes are not end to end encrypted, so you might want to have that as well.

We did also Passbolt.exe. It's not like my pet project, but like 80% of the users of Passbolt are on Windows, so obviously this is something that they wanted. We plan to support more OS in the future, but we started with the biggest chunk. So it's a native app. It's not like a JavaScript application disguised as an app. It's a native app. We did that for security reasons, because there are some properties when you use Electron that are not so great, so we basically spent a lot of time building that app last year.

We did also a lot of other things. So we did some performance improvement. We changed the grid so you can select which columns are there or not. We introduced some role-based access control for UI. So for example, if you want your users to have less features, then you can just remove everything and feel like it's 2005 again. Then we have also suspend user. So you can, for example, if Diego is going on honeymoon and you want to disable his access, then you can do that. And we have a lot of policies that were rolled out.
So you can control what is the strength of a password by default, how long should the passphrase protect the private key, that sort of thing.

So we also had four security audits, one on LDAP, one on SSO, one on our network, and one on our internal controls and processes. So we didn't have any major issues, but if you are curious, the reports are available on our incident page. And all the audits were made by Cure53, so basically it's legit.

So what's cooking for 2024? I mean, it was supposed to be released in 2023, so this is coming next week. It's password expiry. So when somebody, for example, leaves an organization or leaves a group, or if you remove a permission on somebody's access to a secret, then this feature will mark automatically a password as needing to be rotated. So this way, as people come and go and access systems, you know which credentials need to be rotated. I think it's a pretty interesting feature when it comes to security. And for organizations that are like masochists, you can also set policies and, for example, say, I want all my credentials to be rotated every 40 days and make my employees' life a nightmare. You can do that.

We also redesigned the admin panel. So, well, I mean, it's not like a lot of work, but I still think it's neat. And we have a lot of stuff coming. Also in the 4.6, we have SSO with ADFS, again, like Microsoft. But all right. And then we have a bunch of performance improvements. So we have people telling us, OK, I have 100, I have 12,000 secrets that are shared with 200 people, and it's slow. All right. At this point, is it really a secret? I don't know. But yeah, we're going to try to make your life a little less miserable. And we're going to have icons, custom fields, a bunch of other things that are missing in the software right now, like file attachment and notes.

And we have seven babies scheduled. So for a team of 40, we have like, I don't know what happened last year. I think like the summer of love of Passbolt.
What is it made of? So the secret ingredient is love. I'm not going to spend a lot of time, but it's basically a simple PHP LAMP stack and with a web extension on top. So the application is split into multiple projects. The Passbolt API, which is based in PHP. Why PHP is because any administrator in their life has hosted some PHP, so it's pretty easy to use and like low maintenance is very stable.

And we have the web extension on top, which is like split into two. We have a React app, which controls the UI. And we have what we call the background page, which is a separate application. And the front end and the back end talk through a series of APIs. This is to make sure that anything fishy happening on the front end can be controlled. So we have like a choke point where we can define like, is it normal for the front end to do these kind of things?

So if you want to look at the JSON API, we have basically documentation online. And if you want to look at the style guide, it's based on Storybook. So basically you can add or customize your themes without having to build the entire thing. And this is how we split the work. We have people working on the front end and we have people working on the back end as well.

So I'm not going to take questions. But one of the things I wanted to tell you is that at 2 o'clock, we will be next to the bar and we will be like spinning the wheel like we did last year. And this year, the prize is a picture of Mackey, which is our office dog. It's my prized possession. So if you want to come get it, it's at 2 in front of the bar. Thank you very much.