Page 1 of 1

Small Project - Password Vault

Posted: Tue Feb 19, 2008 1:03 am
by Benjamin
I have a TON of passwords. In fact I have a spreadsheet full of them and it's getting disorganized.

What I would like to do is create a small client/server web application that will store all usernames, passwords, urls and the type. The type would be email/instant messenger/website etc. I'd also like to build in support for categories.

So this is a fairly simple application. What I would like some help with from the community is nailing down the security aspect.

In my case the database would reside on my local machine so I'm not incredibly worried about security. But if I or someone else decided to throw a version onto a server I'd like to keep the passwords secure even over an unencrypted connection by never sending them over the wire in plain text.

I believe this can be accomplished with Javascript. Basically it would work like this..

Saving a password:
  • User enters in a master encryption key. (Master password or phrase)
  • User enters username, password, url and selects a category
  • User presses submit button to save data which fires a javascript event
  • Javascript code encrypts the password using the encryption key
  • Javascript code base64's the encrypted password to prevent sending of binary data
  • Javascript code creates a 1 way hash of the encryption key, possibly using a salt
  • Form is submitted to the server
  • Server verifies that the encryption key hash matches what was posted, in order to prevent lost passwords from mistyped encryption keys.
  • Server saves all data. The encrypted password will be saved in a text or blob field.
Retrieving a password:
  • User finds the account they need a password for and submits a password request.
  • Server responds by sending the username, url and base64'd encrypted password
  • User enters the master encryption key and presses submit
  • Javascript uses the key to decrypt the password and updates the existing webpage.
With this system neither the encryption key or the passwords ever leave the browser. They are never stored in sessions or cookies. I believe this would be pretty secure. It could also end up being a pretty cool little application with some ajax involved.

I have an encryption function (RC4) that I posted below. If anyone has ideas or would like to help that would be great.

Code: Select all

 
function encrypt($pwd, $data) {
    $pwd_length = strlen($pwd);
    $x = $Zcrypt = $j = $a = null;
    for ($i = 0; $i <= 255; $i++)
    {
          $key[$i] = ord(substr($pwd, ($i % $pwd_length)+1, 1));
          $counter[$i] = $i;
    }
 
    for ($i = 0; $i <= 255; $i++)
    {
        $x = ($x + $counter[$i] + $key[$i]) % 256;
        $temp_swap = $counter[$i];
        $counter[$i] = $counter[$x];
        $counter[$x] = $temp_swap;
    }
 
    for ($i = 0; $i < strlen($data); $i++)
    {
        $a = ($a + 1) % 256;
        $j = ($j + $counter[$a]) % 256;
        $temp = $counter[$a];
        $counter[$a] = $counter[$j];
        $counter[$j] = $temp;
        $k = $counter[(($counter[$a] + $counter[$j]) % 256)];
        $Zcipher = ord(substr($data, $i, 1)) ^ $k;
        $Zcrypt .= chr($Zcipher);
    }
 
    return $Zcrypt;
}
 

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 2:36 am
by alex.barylski
Years ago I had a similar idea...initially it started as a BMO for Explorer which would auto-login...then the idea of offering the service as a web service sprouted...and I thought about it and decided against it - because I wouldn't use a service like that myself...

What I considered doing was allowing users to encrypt their own data use SQLite and Blowfish...that way no passwords were ever stored in plain text on the server...of course you would need to temporarily decrypt the SQLite database...

I dunno...as much I would like a service like this...I see it as extremely risky...imagine the attacks you would endure daily...

As an alternative, I just use the application KeePass - I followed the developer from day one when he first posted on CodeProject.com and it's become quite the little utility.

http://keepass.info/

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 3:09 am
by Benjamin
Hockey, it's not a service, it's a little app for personal use.

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 4:47 am
by piccoloprincipe
Well, I wonder why using Php for a personal use app.

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 6:32 am
by Chris Corbyn
piccoloprincipe wrote:Well, I wonder why using Php for a personal use app.
Why not? I'm assuming you're suggesting he use Java or something which can run locally. At least a PHP app would be accessible from anywhere.

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 8:28 am
by sike
i'll second hockeys recommendation of keepass. works like a charm for me (:
aside of that i would not want my passwords stored on a remote server.

chris

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 2:53 pm
by nickvd
I TOO will vouch for keepass, I use it for everything and it's saved countless hours of pwd recovery from registrar's, hosts, etc... I would never use someone elses service to store my important passwords, they're just too important to trust to anyone but myself... That being said, I would use such a service for the less important passwords for various random sites/forums/misc accounts...

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 3:22 pm
by Luke
I also use KeePass and it works great.

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 3:33 pm
by Benjamin
I might as well just save myself some time and use that then. They do have a Linux version available so I'll give it a try.

It's frustrating that a few of you keep calling this a service. It would not be a service. It would be a small application similiar to keypass (except web-based) that would allow you to store your passwords encrypted either on local host or a remote server. Either way the passwords would be protected. The key is to ensure that even if someone has a database dump they still cannot access the passwords.

I was doing some more thinking about this and I realized that the Javascript could actually validate the encryption key, so not even the md5 of it would ever need to be sent or stored to the server. Also, you could prepend and append a random string to the encryption key which would make it even more secure. This would be something added to your local copy of the application in a javascript configuration variable.

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 3:36 pm
by nickvd
astions wrote:I might as well just save myself some time and use that then. They do have a Linux version available so I'll give it a try.

It's frustrating that a few of you keep calling this a service. It would not be a service. It would be a small application similiar to keypass (except web-based) that would allow you to store your passwords encrypted either on local host or a remote server. Either way the passwords would be protected. The key is to ensure that even if someone has a database dump they still cannot access the passwords.

I was doing some more thinking about this and I realized that the Javascript could actually validate the encryption key, so not even the md5 of it would ever need to be sent or stored to the server. Also, you could prepend and append a random string to the encryption key which would make it even more secure. This would be something added to your local copy of the application in a javascript configuration variable.

As an application instead of a service, I think you have hit the nail on the head when it comes to security... While I am so very far away from being called a security expert, I can't see any obvious holes or problems in your setup.

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 5:55 pm
by Benjamin
Thanks for recommending KeePass. It took me several hours to enter all my passwords, but that is much less time than it would have taken to create a password vault program.

I'm not sure it would be a bad idea to offer something like this as a service though. I know a few of you said that you would never use a service to store your passwords, but seriously, if the decryption key never left your browser I can't see how anyone could ever access your passwords. Even if the owner of the site received a subpoena there would be no way for him/her to decrypt your passwords.

Re: Small Project - Password Vault

Posted: Tue Feb 19, 2008 10:46 pm
by alex.barylski
I'm not sure it would be a bad idea to offer something like this as a service though
I've considered it in the past...I think most people would use it for non-critical passwords...like forums, web sites, etc. But the important passwords like Banks, Cellphones, etc. Anything that costs money - you'd be hard pressed to convince people to use such a service.

I think the idea of using a two way encryption, like Blowfish and a separate database file, such as SQLite to store organized passwords is a good idea...and infact...in theory it's as safe as the KeePass (it uses TwoFish I think)...the problem is...if your server was ever comprimised you could potentially leak a LOT of sensitive data.

I say service to mean...a service to customers not a web service.

I think the day that quantom encryption becomes common place is the day that hosted (better than service?) password storage applications will become successful or publically used web applications.

Cheers :)