LP Vault Manager: A Workflow for LastPass

[bachya]

Recently, I became frustrated how fluid/nice/elegant/etc. 1Password integration is within Alfred; being a LastPass user, the frustration arose because I wanted similar functionality for my beloved password manager.
 
Thus, I introduce LastPass Vault Manager!
 
Current Version: 4.2
 
DIRECT DOWNLOAD
PACKAL PAGE
 

 
Current functionality:

• log into and out of LastPass
• search a vault by query
• search a vault by your browser's front-most tab
• launch a vault URL in the default browser
• copy a vault item's username
• copy vault item's password
• inspect a vault item's fields (and copy their values)
• generate random passwords
• manage many different configuration options
• easy workflow updating
• much more!

History
 
Release v4.2 (2015-01-22)

• Fixed a bug where the full path to /usr/bin/python was not specified.
• Fixed a settings selection bug.
• Streamlined some verbiage within notifications.

Release v4.1 (2015-01-14)

• Implemented auto-updating.
• Fixed a few small path bugs.

Release v4.0 (2015-01-11)

• Added support for non-ASCII characters.
• Addresses slow Script Filter results via background updating.
• Modified documentation to warn against unicode characters in config file.
• Added ability to inspect a vault item's fields.
• Added ability to configure filepath to `lpass`.
• Added ability to toggle uppercase letter use in password generation.
• Added ability to toggle lowercase letter use in password generation.
• Added ability to toggle digit use in password generation.
• Added ability to toggle symbol use in password generation.
• Added ability to toggle ambiguous character avoidance in password generation.
• Modified field retrieval to use official `lpass` flags.
• Modified notifications to be more streamlined.
• Fixed a bug wherein password generation would fail.

Release v3.1 (2014-12-29)

• Added ability to login to LastPass.
• Added ability to logout from LastPass.
• Added ability to configure filepath to `lpass`.
• Added new (and slimmer) icons.
• Environment-proofed Python path in all scripts and Script Filters.

Release v3.0 (2014-12-29)

• Shifted from Ruby to Python.
• Implemented Alfred-Workflow (including fuzzy search, configuration management, and more).
• Added `lpbrowser` command to look up default browser's front-most tab's URL in the vault.
• Configuration management: cache timeout, default browser, number of generated password, and generated password length.
• Check for whether `lpass` is logged in.

Release v2.0 (2014-12-16)

• Added data caching
• Added command to force data caching
• Added ability to specify path to `lpass` executable
• Added fallback lookup for `lpass` executable
• Changed `lpvs` command to look at vault item name *andURL
• Major code refactoring

Release v1.0 (2014-12-16)

• Added ability to search a LastPass vault.
• Added ability to launch URL of LastPass item.
• Added ability to copy username of LastPass item.
• Added ability to copy password of LastPass item.
• Added ability to generate a random password.
• Created documentation.

How To Use
 
Usage instructions can be found on GitHub: https://github.com/bachya/lp-vault-manager – since I don't like duplicating that info all over the place, the repo will always be the authoritative source. Would love your feedback, feature requests, bug reports, etc. Thanks!

Edited January 22, 2015 by Aaron B.

[40-02]

It's going to be my favorite workflow! 

Thank you!!!

[40-02]

Is there any way to make it search items in url too? 
 

Now when I look for url it gives nothing. 

[bachya]

Is there any way to make it search items in url too? 

 

Now when I look for url it gives nothing.

So, you want the search to not only include the name, but URL as well?

[bachya]

Just finished v2.0 – still waiting for Packal to update itself, but in the meantime, you can always DIRECT DOWNLOAD.

 

Changelog for v2.0:

• Added data caching
• Added command to force data caching
• Added ability to specify path to `lpass` executable
• Added fallback lookup for `lpass` executable
• Changed lpvs command to look at vault item name *and* URL
• Major code refactoring

Edited December 18, 2014 by Aaron B.

[40-02]

So, you want the search to not only include the name, but URL as well?

I think so:)

[bachya]

I think so:)

 

Great! Check out my post above; the latest version implements this.

[nycreal]

I've been waiting for a LP workflow! Thanks!

 

However, I can't get it to work =(

 

When I type "lpvs amazon" as soon as I type anything after "lpvs " it defaults to a web search.

 

Is this a configuration issue on my end or a bug in the workflow? I successfully installed the Lastpass CLI and logged in, disabled the autologout and downloaded the LP data.

[bachya]

I've been waiting for a LP workflow! Thanks!

 

However, I can't get it to work =(

 

When I type "lpvs amazon" as soon as I type anything after "lpvs " it defaults to a web search.

 

Is this a configuration issue on my end or a bug in the workflow? I successfully installed the Lastpass CLI and logged in, disabled the autologout and downloaded the LP data.

 

Would you mind trying this beta and letting me know if it works?

 

https://www.dropbox.com/s/2xxq4qd5tpaidcf/LP%20Vault%20Manager%20beta2.1.alfredworkflow?dl=0

 

Make sure you run `lpdd` first. Let me know!

[lkngtn]

Hi Aaron, 

 

The beta appears to get past the previous error and does allow some searching but doesn't seem to pull up expected results if certain characters are present. (Many of my stored sites contain "." in the name and searching for something like xxxyy.zzz stops working as soon as the "." is pressed). 

 

Unfortunately I can't use this workflow because it pulls down your entire password vault and stores it in a plain text csv file--This feels incredibly insecure to me. Perhaps it makes more sense to cache searchable metadata and use that to query the password directly from lastpass when it is selected?

Edited December 23, 2014 by lkngtn

[bachya]

Hi Aaron, 

 

The beta appears to get past the previous error and does allow some searching but doesn't seem to pull up expected results if certain characters are present. (Many of my stored sites contain "." in the name and searching for something like xxxyy.zzz stops working as soon as the "." is pressed). 

 

Unfortunately I can't use this workflow because it pulls down your entire password vault and stores it in a plain text csv file--This feels incredibly insecure to me. Perhaps it makes more sense to cache searchable metadata and use that to query the password directly from lastpass when it is selected?

 

Interesting on the "." – I'll dig deeper.

 

RE: storing the data locally, I know – I hate it, too. Here's why I did it. Fortunately, Alfred 2.6 will make some changes that will allow me to not have to cache everything.

 

RE: caching "searchable metadata" – what would that include? URLs? Usernames? Everything except the passwords themselves? Thanks for your thoughts!

[wolph]

Is there any reason that the "lpvm.rb" file is not on Github? When it comes to lastpass I'm a bit careful of course

[bachya]

Is there any reason that the "lpvm.rb" file is not on Github? When it comes to lastpass I'm a bit careful of course

 

As you should be! To make it easier to get to the script, I've added all the workflow contents to the root of the GitHub repo.

 

lkngtn's comments really got me thinking last night: the speed gained by caching the entire output of `lpass export` isn't worth the insecurity of having unencrypted usernames/passwords sitting on the filesystem. So, I'm making a change: going forward, I'll only cache URLs and hostnames (and query the other data [and then throw it away] as needed).

 

This is part of some bigger work I'm doing, so I appreciate your patience. I will post back here when a build is ready.

Edited December 29, 2014 by Aaron B.

[wolph]

That indeed seems like a better idea, having all of the passwords in my lastpass stored as plain text doesn't sound like a good idea. Kind of beats the purpose of using lastpass

[turkeyphant]

Hi Aaron, 

 

The beta appears to get past the previous error and does allow some searching but doesn't seem to pull up expected results if certain characters are present. (Many of my stored sites contain "." in the name and searching for something like xxxyy.zzz stops working as soon as the "." is pressed). 

 

Unfortunately I can't use this workflow because it pulls down your entire password vault and stores it in a plain text csv file--This feels incredibly insecure to me. Perhaps it makes more sense to cache searchable metadata and use that to query the password directly from lastpass when it is selected?

 

I had exactly the same issue until I tried the beta.

 

However, it still has the "." issue and can't seem to handle passwords with character that need escaping.

 

Further, it would be nice for it to be able to grab the current tab's domain to input automatically...

[bachya]

Further, it would be nice for it to be able to grab the current tab's domain to input automatically...

 

What would this do? Check a browser for the current tab and search for that URL in the vault?

[turkeyphant]

Exactly. Preferably as few keystrokes as possible to get the password in clipboard.

[bachya]

Hi folks – thanks so much for your patience. I have another beta build for you to test: https://dl.dropboxusercontent.com/u/111722/LP%20Vault%20Manager%20beta2.2.alfredworkflow. I haven't posted this to GitHub yet; I would love you to hammer on it a bit before I make the source fully public.

 

Here's what I offer for your consideration!

 

First, several configuration options (sorry for the nutty keywords; open to suggestions).

• lpsetcache: sets the amount of time (in seconds) that data from LastPass should be cached (default is 300 seconds, or 5 minutes).
• lpsetbrowser: sets the desired browser (defaults to "Google Chrome"); primarily used for the `lpbrowser` command below.
• lpsetpwnum: sets the number of passwords that should be generated by the `lppg` command.
• lpsetpwlen: sets the length of the passwords generated by the `lppg` command.

Next, the commands:

• lpvs: searches your vault for URLs or Hostnames (e.g., "Personal/GitHub") for the provided query. Note that only URLs and Hostnames are cached; all additional lookups happen on the fly with no caching, which is much more secure.
  • Select an entry to launch it in your default browser.
  • Cmd-Select an entry to copy the password to your clipboard.
  • Shift-Select an entry to copy the username to your clipboard.
• lpbrowser: grabs the URL from the active tab in your desired browser and searches your vault for it.
  • Select an entry to launch it in your default browser.
  • Cmd-Select an entry to copy the password to your clipboard.
  • Shift-Select an entry to copy the username to your clipboard.
• lpdd: blows away cached data and re-downloads your vault's URL/Hostname data.
• lppg: generates several random passwords.

This is a big update. Everything works on my machine, but that's never a good test, so I'm anticipating some breakage. Let me know about it here and I'll get it addressed ASAP. Planning to update the GitHub repo with the new source in the next day or so.

Edited December 29, 2014 by Aaron B.

[lkngtn]

Tried out the new version this evening. Looks like tons of progress has been made!

 

I really appreciate the change to the caching behavior--which appears to work as expected. The issue with "." in searches seems to also be resolved. 

 

I tried some of the other functionality and I'm not sure if its working as intended. 

 

1. When I select and entry and use "cmd+select" I get an error copied to clipboard. <?xml version="1.0" encoding="utf-8"?>

<items><item valid="no"><title>Error in workflow 'com.bachya.lpvm'</title><subtitle>Command '['/usr/local/bin/lpass', 'show', u'xxx/yyyyyy']' returned non-zero exit status 1</subtitle><icon>/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns</icon></item></items>

 

This seems to also happen with "shift+select"

 

I replaced the actual site name with 'xxx/yyyyyyy' where xxx is a folder in lastpass and yyyyyy is a site name. I tested using the command line lpass tool to get the correct syntax for 'show' and the correct syntax would be to just pass yyyyyy so I expect that this may not come up if you don't have folders in you vault, but if you do then it should just be a matter of stripping everything before the "/" that is returned from the export command. 

 

2. Launching a credential entry brings up the url in my current browser but does not fill in the login (like it does if you select it from you vault in a browser). This might work okay with autofill populated for a site--but if you have multiple logins for a single url that approach doesn't work very well. I'm not sure if there is any easy solution to this since the command line tool doesn't seem to support logging in to a site. 

[wolph]

Although the new version looks a lot safer, leaving the lastpass command open and unprotected is too much of a security risk for me. Thanks for the great efforts though, it really does work nicely

[bachya]

1. When I select and entry and use "cmd+select" I get an error copied to clipboard. <?xml version="1.0" encoding="utf-8"?>

<items><item valid="no"><title>Error in workflow 'com.bachya.lpvm'</title><subtitle>Command '['/usr/local/bin/lpass', 'show', u'xxx/yyyyyy']' returned non-zero exit status 1</subtitle><icon>/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns</icon></item></items>

 

This seems to also happen with "shift+select"

 

I replaced the actual site name with 'xxx/yyyyyyy' where xxx is a folder in lastpass and yyyyyy is a site name. I tested using the command line lpass tool to get the correct syntax for 'show' and the correct syntax would be to just pass yyyyyy so I expect that this may not come up if you don't have folders in you vault, but if you do then it should just be a matter of stripping everything before the "/" that is returned from the export command.

 

I'm a bit confused by this one. The workflow should use as input the hostname that comes out of your vault; not sure how the workflow is getting xxx/yyyyyyy unless it already existed in your vault... In my case, passing a folder/name combination to lpass show works as expected.

 

If you run lpass export | grep -i 'xxx/yyyyyyy' from the command line, does an entry show up?

 

Additionally, can you guarantee that you are logged in (i.e., have run lpass login <USERNAME> from the command line)? The output you are receiving can appear when you haven't logged in (I'm working on a more proactive notification).

 

2. Launching a credential entry brings up the url in my current browser but does not fill in the login (like it does if you select it from you vault in a browser). This might work okay with autofill populated for a site--but if you have multiple logins for a single url that approach doesn't work very well. I'm not sure if there is any easy solution to this since the command line tool doesn't seem to support logging in to a site.

 

I'm right there with you: this would be nice, but it doesn't appear that lpass supports a mechanism to do this. I'll keep digging, though!

 

Although the new version looks a lot safer, leaving the lastpass command open and unprotected is too much of a security risk for me. Thanks for the great efforts though, it really does work nicely

Is it the fact that I don't force you to run lpass login <USERNAME> every so often (or every time)? If I could figure out a way to address this (or point the user toward it) in the workflow, would that help?

Edited December 29, 2014 by Aaron B.

[lkngtn]

Aaron, with regards to the first issue I'm getting that error despite definitely being logged into the command line tool. I do see 'xxx/yyyyyy' when doing the export "lpass export | grep -i 'xxx/yyyyyyy'" but I also see just yyyyyy on that line. When I run lpass show from the command line with 'xxx/yyyyyyy' it does not find a result but it does if I do lpass show 'yyyyyy'.

 

Wolph, What concerns you about the agent running in the background? You can set whether the agent is used and how long it runs before timing out. Here is the relevant part of the lpass manual:

 

 

  Agent

       An agent process will be spawned in the background on a first successful command, and all subsequent commands will

       use the agent for decryption, instead of asking a user for a password. The agent will quit after one hour, unless

       the LPASS_AGENT_TIMEOUT environment variable is set to an alternative number of seconds in which to quit, or 0 to

       never quit. If the environment variable LPASS_AGENT_DISABLE is set to 1, the agent will not be used.

 

I personally don't see an issue with having it set to a reasonable timeout--since the behavior I use for the browser extensions is to keep me logged in as long as the browser session is active--but I'd be curious to hear your reasoning. 

 

It would be kind of handy to support logging out via alfred (easy I think) and logging in (which might require not using the pin entry program). 

Edited December 29, 2014 by lkngtn

[bachya]

Aaron, with regards to the first issue I'm getting that error despite definitely being logged into the command line tool. I do see 'xxx/yyyyyy' when doing the export "lpass export | grep -i 'xxx/yyyyyyy'" but I also see just yyyyyy on that line. When I run lpass show from the command line with 'xxx/yyyyyyy' it does not find a result but it does if I do lpass show 'yyyyyy'.

 

Very interesting! Would you mind PM'ing me and sharing with me the full hostname that is causing this issue?

 

It would be kind of handy to support logging out via alfred (easy I think) and logging in (which might require not using the pin entry program).

Another great idea! As you note, logging out is easy, while logging in isn't, but I'll add both to my roadmap.

Edited December 29, 2014 by Aaron B.

[bachya]

FYI all, the current beta (plus a few bug fixes) has been published as v3.0!

 

DIRECT DOWNLOAD

GITHUB REPO

PACKAL PAGE

 

FYI, I'm going to be deleting all previous beta files (and will do so whenever I publish a release).

Edited December 29, 2014 by Aaron B.

[wolph]

Is it the fact that I don't force you to run lpass login <USERNAME> every so often (or every time)? If I could figure out a way to address this (or point the user toward it) in the workflow, would that help?

Yes, that would help a bit.

The thing is that I don't want my passwords to be available straight away. And the "special" passwords which normally require an extra password/security input should require the entering of the master password again. I'll check the lastpass cli to see if I can add some extra security measures (i.e. small activation code for every password like the lastpass android app does).

I'm just a tad paranoid

Wolph, What concerns you about the agent running in the background? You can set whether the agent is used and how long it runs before timing out.

Well... the thing that concerns me mostly is that any app/script/whatever could read the passwords from lastpass as long as it's active. The odds of exploiting this are slim but it's a bit scary to me. Especially since it (I assume) runs in user space. If it was root memory where only specific apps were allowed to read it, it would be different.