
Cobbler: simple local password manager

Cobbler is a local password manager for the Windows operating system that stores passwords and other data in encrypted databases.

When it comes to password managers, users have plenty of options. Most web browsers come with options to store passwords, for instance. Then there are browser extensions, cloud-based password managers which usually provide access to add-ons, and local password managers with and without cloud saving options and browser integration.

Cobbler is a simple (in terms of functionality) password manager for Windows that tries to keep its attack surface as small as possible.

While that is beneficial for security, it means that comfort features like browser integration or cloud storage are not supported by the application.

Cobbler


Cobbler is provided as a single executable file that you can run from any location. You are prompted to enter a master password on first run that will be used to secure the password database.

While there are no options right now to change the database location using the UI, you may pass a path as an undocumented startup parameter, e.g. cobbler.exe d:\example\data.dat, to place it anywhere you like.

The interface itself resembles a text editor, as form fields are not used at all in the current version. You write the URL, login and password, and any other information you like anywhere you want.

This gives you a lot of flexibility, but requires that you follow a consistent system for your entries, as you may otherwise lose the overview later on.

Cobbler ships with search functionality that you can use once the password database has been loaded. Simply type some characters to have the program highlight all matching entries for you.

The only other option that you have currently is to disable editing. This sets the information to read-only and prevents any changes to it.

Locate data file, on the other hand, opens the location in which the currently loaded password database is stored (by default the root of the account's user directory, e.g. C:\Users\Martin\COBSTORE5.DAT). Cobbler remembers the database file of the last session automatically.

What about security?

Cobbler uses the AES_128_CBC_SHA cipher suite. The author states that it does not use plaintext temporary files or disclose metadata, and that it has a low attack surface because it runs locally only and without integration in browsers or other programs.

So, no Internet required at all to use the program, and no connections either.

The source code is kept lean according to the author, as Cobbler's current version has just 900 lines of code. That's 1% of the code of the popular local password manager KeePass (which offers more features).

Closing Words

The author may describe Cobbler as a password manager, but it is not limited to that. Since you can add any textual information to databases, you may use it as a personal diary, or for any other textual information that you want to protect.

This means however that there is little distinction between Cobbler and creating an encrypted container using encryption software like VeraCrypt or TruPax, and placing a text file inside.

Cobbler's setup is more convenient, and it is fully portable if you store the executable file and the database together. Also, with the container approach, traces of the opened plain text document may be stored in temp folders for instance, whereas that won't happen with Cobbler.

Now You: which password manager do you use, and why?

 

This article was first seen on ComTek's "TekBits" Technology News
