What does it do?

Throwpass allows you to securely and conveniently transport passwords from the password database on your phone to a shared computer. For example, if you want to log into a website on a library computer, you can transport your website password from your phone to the library computer.

Does the server know my password?

No. Your browser generates a public/private key pair and displays the public key in the QR code. The app reads this and encrypts your password with the browser's public key. This gives end-to-end encryption from your phone to your browser; the server never sees the private key.

What type of encryption does it use?

It uses NaCl, specifically TweetNaCl.js in the browser and jnacl in the app. HTTPS is also used between the app and the server and between the server and the browser, but this is mostly for authentication, not confidentiality.

What weaknesses are there?

If the server were malicious, it could serve you JavaScript that steals your website password. If the shared computer has malware, it could also steal your password. And if a certificate authority issued a bad certificate, a man-in-the-middle (MITM) could serve malicious JavaScript.

Also, anyone who can view the screen could send a different password to you, which would be a denial of service. If this happened while you were setting a password, it would allow the attacker to change your password. So Throwpass is only safe for logging in, not for setting passwords.

Why do we need this?

If you have a password database on your phone, there used to be two options for logging into a shared computer: copy the password by sight, or open the database on the computer.

To copy by sight, you display the password on the phone's screen and manually type it into the computer. This is time consuming, especially with a long random password, and typos are common. And anyone nearby, or any security camera, can see your password. This is what I used to do and it was extremely annoying.

To open the database on the computer, you need to get the database and the database software onto the computer, for example from a flash drive or from a Dropbox account. But to log into your Dropbox account you need the password from your database! Also, the database software needs to be compatible with the shared computer's OS, and it may need administrator privileges. But the worst part is that if there is malware on the computer, it can steal your password database and your master password. I have over 500 accounts in my database, so it would steal all 500. With Throwpass, even if the computer has malware, it can only steal the one password you transported.

Is it open source?

The website code is available on GitHub and is released under the ISC license.

The Android code has not been released yet, but I plan to release it.


Kegan Thorrez