Security to the Max!

Posted: Thu Jul 07, 2011 2:19 am
by shiznatix
Hi everyone,

Where I am working we have a bunch of accounts with different companies/websites/everything. I advocate advanced security on even the most basic of things, so you can imagine how appalled I was when I discovered a bunch of passwords and usernames were being stored in a Word document that was routinely being shared among the staff and even put on private laptops and taken home. I have since started my crusade to fix this problem.

I have decided to make a website that will store all the usernames / passwords. I would like some input as to what you guys think should be done to make the encryption and security as air-tight as possible. My ideas so far:

1) SSL obviously
2) Encrypt all usernames/passwords with a manually entered master password and store those encrypted strings in the DB
3) User will enter the master password and that will be used to decrypt the passwords in the DB then displayed to the user

Easy breezy. The questions still remain though, what is the best way to carry the session in a very secure way? What is the best reversible encryption method? How much extra security is added if I require a login instead of just the master password? How would you solve this problem yourself?

Re: Security to the Max!

Posted: Thu Jul 07, 2011 7:06 am
by Apollo
It's good that you take things seriously, but first consider: do you REALLY need to store the actual passwords? (in violation of rule nr.1 in these security measurements)

Having said that, TrueCrypt offers excellent, easy to use yet extremely strong encryption for any data. Would that fit in your situation?

Re: Security to the Max!

Posted: Thu Jul 07, 2011 9:18 am
by shiznatix
Apollo wrote:
It's good that you take things seriously, but first consider: do you REALLY need to store the actual passwords? (in violation of rule nr.1 in these security measurements)

Having said that, TrueCrypt offers excellent, easy to use yet extremely strong encryption for any data. Would that fit in your situation?
The first consideration: we do really need to store the passwords. Just no other way, sadly.

TrueCrypt: This is a good idea, but we need something that would be accessible around the office and even in different countries, so something web-based seems to be the best fit.