Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

I\'m kind of tired of the password managers that are available around... I need

ID: 660874 • Letter: I

Question

I'm kind of tired of the password managers that are available around... I need one that's open source, that works on OSX, that lets me store .pem files and that I can trust.

As I haven't found one, I thought it could be an interesting project for me to work on. I'm going to use AngularJS just b/c it's a technology that I want to start using and this project seems like a good fit.

My idea would be to have a dumb backend that took care of the login / registration and CRUD operations of the passwords (with tags to make the search easier)... but all the encryption / decryption should be performed by the browser.

The only thing that I'm not quite sure is how safe the private key is on the browser... Can different plugins / addons access to it when I load it into OpenPGP? is the private key stored as is on memory when OpenPGP is using it?

I've seen there are quite some other plugins using this, but I'm not exactly sure how good this would be.

I guess I could just have a different profile, or a browser I don't use with this... how good of an idea is it?

Explanation / Answer

[Disclosure: I, too, work for a password manager company]

Long ago, I tried to develop my own password management solution using PGP/GnuPG. As I thought more about it, I found it unsatisfactory and eventually switched to the one that I have now come to work for.

Here are some things you should consider before trying to roll your own password management system:

What is your source of randomness for key and password generation?

Do you know how to use a cryptographically secure random number generator and why it works the way it does

What is your key derivation function?

Does it use something like PBKDF2 to resist password cracking attempts against your master password?

Do you know how all of the choices in your KDF interact and stand up against current and foreseeable attacks?

How much sensitive data remains decrypted at any one time?

If you decrypt an entire file, then all of that decrypted data will need to reside in memory or virtual memory on your computer, leaving it potentially exposed after a crash, in memory, in automatic backup files, or in system swap files

What measures does the system have to prevent data loss?

Does the (automatic) back up system perform any integrity checks on the data prior to making a backup?

How is memory of sensitive data cleared when it is no longer needed?

Are there obfuscation techniques for sensitive data (such as decryption keys) that may need to reside in the app

Related Questions

I\'m interested in 3SAT and querying an oracle. Suppose we had an oracle that ca
Question #647054
I\'m interested in 3SAT and querying an oracle. Suppose we had an oracle that ca
Question #647393
I\'m interested in building a model that predicts the Fair Market Value (in thou
Question #3268985
I\'m interested in building a model that predicts the Fair Market Value (in thou
Question #3295603
I\'m interested in building an AI algorithm to play a board game. This is a sequ
Question #650730
I\'m interested in characterizing the behaviour of measures of quantum informati
Question #2284103
I\'m interested in creating web modules that are encapsulated by a div element i
Question #648219
I\'m interested in doing simulations with large numbers of particles and need a
Question #2288344
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
I\'m kind of stucking with this question. Please help me, the time is runing out
Next
I\'m kinda confused about these questions, could anyone explain to me? thanks! 1

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.