PHP
Nikita Bykov, 2012-11-10 11:21:34

Password manager php + https?

Hello everybody!
I got tired of keeping passwords in a notepad.
I want to make an online password store. I'll say upfront that I don't trust SaaS password keepers, for 2 reasons:
1) Such services are far too tempting a target for a hacker, compared to my cozy little home site, which 99.99999% of people won't even think about and which no one will go after on purpose. Accordingly, the chance that the database with my stuff leaks to a third party or to the public tends to zero.
2) I remember the passwords for my servers and can type them with my eyes closed, so if my server went down I'd at least understand what to do about it, even if I'm sitting in a cafe with only a jailbroken iPod touch on me, unlike when a site with such a keeper goes down...
So I decided: I need it, so I'll write it.
But I have a number of questions on the topic of "how best to do it".
1) Encryption on the server. It goes without saying that storing them in plain text in a database / file is nonsense. They need to be encrypted on the server somehow, and ideally the key to all this should be kept somewhere else. Does anyone have ideas on encrypting data on the server? The task: if by some chance the database with all this somehow ends up in the wrong hands, recovering the information should take longer than changing the passwords on all the resources stored there.
2) Is HTTPS sufficient on its own, or is there something better to protect the data "in transit"?
3) Filtering by browser. The idea is to allow access only from certain browsers. That's how key-based authorization works in ssh; similarly, write something into the browser, some key for that particular browser. And give a browser without a key / with a different key a similar-looking but fake page. Is this doable? If so, where can I read up on it, and on what topics?
4) If something similar already exists in PHP, I'd be grateful for links.


8 answer(s)
shsweb, 2012-11-10
@smarteq

Take a JavaScript encryption library like crypto-js and encrypt/decrypt directly in the browser. Accordingly, the data itself will be transmitted from you and to you already encrypted, i.e. even https is not particularly needed, and everything on the server in the database is encrypted, so it's not scary if it gets stolen.

Evgeny Elizarov, 2012-11-10
@KorP

In my opinion, you are reinventing the wheel, and even in PHP ...

Jonh Doe, 2012-11-10
@CodeByZen

As shsweb said, it's worth encrypting locally via JS. On the server everything is stored in encrypted form (in fact, it is already sent there in that form).
Take 1Password and export the vault to a web document, then look at it; you should like how the interface is designed.
From my own experience I will say that I wouldn't even trust myself in this matter. There will be too many bottlenecks in your application. It's better to leave it to specialists. And as an option, put 1Password or another similar solution with sync support on that same iPod touch.

cronfy, 2012-11-10
@cronfy

You can also (to identify a specific browser) use a client certificate. And on nginx, depending on the presence / absence of a client certificate, serve either one page or the other.

FilimoniC, 2012-11-10
@FilimoniC

1) Read about asymmetric encryption
2) What's wrong with Dropbox + KeePass?

Igor, 2012-11-10
@shanker

1. Asymmetric encryption. Encrypt with the public key, decrypt with the private key. The private key can be stored somewhere.
2. Properly, HTTPS should be used with a valid certificate. Then it is unlikely that someone could carry out a man-in-the-middle attack without you noticing. But you have to spend money on a certificate.
3. I already raised a similar idea in an article. In short: you give each browser its own cookies and that's how you recognize them. This will work even if they have the same User-Agent. Generate cookies based on browser type. If an attacker suddenly steals cookies from Chrome and puts them in his Firefox, you'll catch him.

Pavel Galkin, 2012-11-12
@skurudo

Somewhat late, but the utility has already been written and a link to it has already been posted here: TeamPass, a password manager dedicated to managing passwords in a collaborative way on any server with Apache, MySQL and PHP - www.teampass.net

Roma, 2013-05-31
@Angel2S2

Some time ago I used cpassman.org/
