security - Dcrypt a password without asking for master password -

-

so know there other posts regarding password storage , encryption question different. bare me end.

i working on password manager website, fun. , wondering how secure idea had was.

so each password user stores encrypted using aes-256 master password key , randomly generated salt. master password encrypted using bcrypt, before hand hashed 100,000 times using whirlpool, increase strain when trying login.

if user decides doesn't want enter password every time he/she requests password site program cannot decrypt password , autofill because master password required decrypt stored passwords.

one idea had store password in users current session, that's not idea because trying make assuming attacker has breached server , downloading database , snooping around.

another though use 100,000 time hashed password key aes-256 encryption , store hash in session. that's better storing in plain text, still lets attacker able decrypt stored passwords if he/she can information session.

are there better ways around this, or lost battle of hope attacker doesn't in when i'm logged in?

if want full security, passwords should in stored in such way not server can decrypt them without user input, , master key ever stored clientside.

since don't want stored in session, store in cookie client side, bottom line is, if intruder has breached server , can modify code, in order site functional, definition must able passwords if decryption of passwords happens server side.

so if willing to, write javascript/client side application receive aes encrypted strings given user, , decrypt client side users entered master password. issue have have secondary piece of information before give user encrypted passwords, or have willing give everyone, elses encrypted passwords if request it. there additional hidden complexity here, if intruder able change code on server, in theory change running client side running server side , decrypted passwords, or modify client side javascript make ajax call decrypted passwords.

also master password encrypted using bcrypt, before hand hashed 100,000 times using whirlpool, increase strain when trying login

there no need that, increase bcrypt's strength parameter increase time when try login. bcrypt has key stretching built in.


Comments

Post a Comment

Popular posts from this blog

magento2 - Magento 2 admin grid add filter to collection -

-
i created grid in admin xml ui components. need filter collection via url parameter , dont know how achieve that. tried inject requestinterface collection, filter didnt work. di.xml <virtualtype name="slidelistingdataprovider" type="magento\framework\view\element\uicomponent\dataprovider\dataprovider"> <arguments> <argument name="collection" xsi:type="object" shared="false">xxx\xxx\model\resourcemodel\grid\slide\collection</argument> <argument name="filterpool" xsi:type="object" shared="false">slidelistingfilterpool</argument> <!-- define new object filters --> </arguments> </virtualtype> <virtualtype name="slidelistingfilterpool" type="magento\framework\view\element\uicomponent\dataprovider\filterpool"> <arguments> <argument name="applier...
Read more

Android volley - avoid multiple requests of the same kind to the server? -

-
i using volley upload list of images server. happens within service. once image uploaded remove list. problem arises when internet connection breaks. when internet connection breaks , comes again thinking of adding images yet uploaded request queue. this can result in more 1 copy of same image saved on server request same image might have gone through before getting rseponse. how can address scenario? i'm not quite sure why you're using service schedule requests volley automatically runs it's request in seperate thread. nevertheless can listen both request results, successful , unsuccessful adding listeners. you can remove image list schedule request using volley. if succeeds can carry on desired, if fails can add again list. public static request getimageuploadrequest(final string image) { response.listener<t> responselistener = new response.listener<t>() { @override public void onresponse(t response...
Read more

Combining PHP Registration and Login into one class with multiple functions in one PHP file -

-
i'm trying combine registration, activation , login scripts php website backend script front end developer can pass variables different forms to. my question whether appropriate approach this. don't want have lot of php files different pieces of application developing. far have written following 2 functions login, register , activate user front end developer can call: <?php /** * created phpstorm. * user: karl * date: 26/07/2016 * time: 02:25 */ class users { function register_user($email, $password, $user_name) { $server_name = "localhost"; $u_name = "root"; $db_password = "root"; $db_name = "betamath_graspe"; //email notification variable $from_address="info@slack.com"; //registration form $msg_reg_user='username taken. please choose different username'; $msg_reg_email='email registered'; $msg_reg_active=...
Read more