Small Project - Password Vault

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

Post Reply
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Small Project - Password Vault

Post by Benjamin »

I have a TON of passwords. In fact I have a spreadsheet full of them and it's getting disorganized.

What I would like to do is create a small client/server web application that will store all usernames, passwords, urls and the type. The type would be email/instant messenger/website etc. I'd also like to build in support for categories.

So this is a fairly simple application. What I would like some help with from the community is nailing down the security aspect.

In my case the database would reside on my local machine so I'm not incredibly worried about security. But if I or someone else decided to throw a version onto a server I'd like to keep the passwords secure even over an unencrypted connection by never sending them over the wire in plain text.

I believe this can be accomplished with Javascript. Basically it would work like this..

Saving a password:
  • User enters in a master encryption key. (Master password or phrase)
  • User enters username, password, url and selects a category
  • User presses submit button to save data which fires a javascript event
  • Javascript code encrypts the password using the encryption key
  • Javascript code base64's the encrypted password to prevent sending of binary data
  • Javascript code creates a 1 way hash of the encryption key, possibly using a salt
  • Form is submitted to the server
  • Server verifies that the encryption key hash matches what was posted, in order to prevent lost passwords from mistyped encryption keys.
  • Server saves all data. The encrypted password will be saved in a text or blob field.
Retrieving a password:
  • User finds the account they need a password for and submits a password request.
  • Server responds by sending the username, url and base64'd encrypted password
  • User enters the master encryption key and presses submit
  • Javascript uses the key to decrypt the password and updates the existing webpage.
With this system neither the encryption key or the passwords ever leave the browser. They are never stored in sessions or cookies. I believe this would be pretty secure. It could also end up being a pretty cool little application with some ajax involved.

I have an encryption function (RC4) that I posted below. If anyone has ideas or would like to help that would be great.

Code: Select all

 
function encrypt($pwd, $data) {
    $pwd_length = strlen($pwd);
    $x = $Zcrypt = $j = $a = null;
    for ($i = 0; $i <= 255; $i++)
    {
          $key[$i] = ord(substr($pwd, ($i % $pwd_length)+1, 1));
          $counter[$i] = $i;
    }
 
    for ($i = 0; $i <= 255; $i++)
    {
        $x = ($x + $counter[$i] + $key[$i]) % 256;
        $temp_swap = $counter[$i];
        $counter[$i] = $counter[$x];
        $counter[$x] = $temp_swap;
    }
 
    for ($i = 0; $i < strlen($data); $i++)
    {
        $a = ($a + 1) % 256;
        $j = ($j + $counter[$a]) % 256;
        $temp = $counter[$a];
        $counter[$a] = $counter[$j];
        $counter[$j] = $temp;
        $k = $counter[(($counter[$a] + $counter[$j]) % 256)];
        $Zcipher = ord(substr($data, $i, 1)) ^ $k;
        $Zcrypt .= chr($Zcipher);
    }
 
    return $Zcrypt;
}
 
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Small Project - Password Vault

Post by alex.barylski »

Years ago I had a similar idea...initially it started as a BMO for Explorer which would auto-login...then the idea of offering the service as a web service sprouted...and I thought about it and decided against it - because I wouldn't use a service like that myself...

What I considered doing was allowing users to encrypt their own data use SQLite and Blowfish...that way no passwords were ever stored in plain text on the server...of course you would need to temporarily decrypt the SQLite database...

I dunno...as much I would like a service like this...I see it as extremely risky...imagine the attacks you would endure daily...

As an alternative, I just use the application KeePass - I followed the developer from day one when he first posted on CodeProject.com and it's become quite the little utility.

http://keepass.info/
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Small Project - Password Vault

Post by Benjamin »

Hockey, it's not a service, it's a little app for personal use.
piccoloprincipe
Forum Newbie
Posts: 12
Joined: Wed Jan 16, 2008 4:11 pm

Re: Small Project - Password Vault

Post by piccoloprincipe »

Well, I wonder why using Php for a personal use app.
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Small Project - Password Vault

Post by Chris Corbyn »

piccoloprincipe wrote:Well, I wonder why using Php for a personal use app.
Why not? I'm assuming you're suggesting he use Java or something which can run locally. At least a PHP app would be accessible from anywhere.
sike
Forum Commoner
Posts: 84
Joined: Wed Aug 02, 2006 8:33 am

Re: Small Project - Password Vault

Post by sike »

i'll second hockeys recommendation of keepass. works like a charm for me (:
aside of that i would not want my passwords stored on a remote server.

chris
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Re: Small Project - Password Vault

Post by nickvd »

I TOO will vouch for keepass, I use it for everything and it's saved countless hours of pwd recovery from registrar's, hosts, etc... I would never use someone elses service to store my important passwords, they're just too important to trust to anyone but myself... That being said, I would use such a service for the less important passwords for various random sites/forums/misc accounts...
User avatar
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Re: Small Project - Password Vault

Post by Luke »

I also use KeePass and it works great.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Small Project - Password Vault

Post by Benjamin »

I might as well just save myself some time and use that then. They do have a Linux version available so I'll give it a try.

It's frustrating that a few of you keep calling this a service. It would not be a service. It would be a small application similiar to keypass (except web-based) that would allow you to store your passwords encrypted either on local host or a remote server. Either way the passwords would be protected. The key is to ensure that even if someone has a database dump they still cannot access the passwords.

I was doing some more thinking about this and I realized that the Javascript could actually validate the encryption key, so not even the md5 of it would ever need to be sent or stored to the server. Also, you could prepend and append a random string to the encryption key which would make it even more secure. This would be something added to your local copy of the application in a javascript configuration variable.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario
Contact:

Re: Small Project - Password Vault

Post by nickvd »

astions wrote:I might as well just save myself some time and use that then. They do have a Linux version available so I'll give it a try.

It's frustrating that a few of you keep calling this a service. It would not be a service. It would be a small application similiar to keypass (except web-based) that would allow you to store your passwords encrypted either on local host or a remote server. Either way the passwords would be protected. The key is to ensure that even if someone has a database dump they still cannot access the passwords.

I was doing some more thinking about this and I realized that the Javascript could actually validate the encryption key, so not even the md5 of it would ever need to be sent or stored to the server. Also, you could prepend and append a random string to the encryption key which would make it even more secure. This would be something added to your local copy of the application in a javascript configuration variable.

As an application instead of a service, I think you have hit the nail on the head when it comes to security... While I am so very far away from being called a security expert, I can't see any obvious holes or problems in your setup.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Small Project - Password Vault

Post by Benjamin »

Thanks for recommending KeePass. It took me several hours to enter all my passwords, but that is much less time than it would have taken to create a password vault program.

I'm not sure it would be a bad idea to offer something like this as a service though. I know a few of you said that you would never use a service to store your passwords, but seriously, if the decryption key never left your browser I can't see how anyone could ever access your passwords. Even if the owner of the site received a subpoena there would be no way for him/her to decrypt your passwords.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Small Project - Password Vault

Post by alex.barylski »

I'm not sure it would be a bad idea to offer something like this as a service though
I've considered it in the past...I think most people would use it for non-critical passwords...like forums, web sites, etc. But the important passwords like Banks, Cellphones, etc. Anything that costs money - you'd be hard pressed to convince people to use such a service.

I think the idea of using a two way encryption, like Blowfish and a separate database file, such as SQLite to store organized passwords is a good idea...and infact...in theory it's as safe as the KeePass (it uses TwoFish I think)...the problem is...if your server was ever comprimised you could potentially leak a LOT of sensitive data.

I say service to mean...a service to customers not a web service.

I think the day that quantom encryption becomes common place is the day that hosted (better than service?) password storage applications will become successful or publically used web applications.

Cheers :)
Post Reply