
So I tried to program a password manager in Python that is able to be 100% secure even if the server got hacked. The passwords should be saved on the server side for multi-device use.

And that worked out fine, except that everyone could delete the passwords of anyone else, so I tried making an account system. (I can't make an IP system since I want multi-device use.)

I tried making the server save the username and the username encrypted with the password. If the user would then send the password, the server could decrypt the username (encrypted with the password) and compare it to the original password.

Long story short, with the encryption I'm using currently (I programmed it myself) I can find out the password if you have the username and the username encrypted with the password (well, not the exact password, but at least something that has the same result as the password). Does anyone of you know a decryption method (that maybe isn't too complex, so that I can implement it myself) with which you can't find out the password if you have the username and a combination of the username and the password?

Thx for reading this far and helping me out <3

  • I'm not convinced that this is possible, but either way you're better off sticking to the tried and tested method of [storing a hash](https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database). – Ari Cooper-Davis Sep 20 '21 at 21:40
  • A password manager cannot store a hash because it has to supply passwords for other sites. – President James K. Polk Sep 20 '21 at 21:43
  • Well, basically with a password manager you don't want to store keys server side. Rather, you want to derive a key from the user's data client side and then decrypt secrets client side, too. To avoid returning data to a rogue agent you would want to implement some kind of assertion service where you can establish that most likely this is a valid version of your application accessing said secret material. So while yes, if someone had the master password of your user + account id aka username they could decipher the secret, you would only return secret material to an authorised entity. – zaitsman Sep 21 '21 at 01:08
  • Beyond that, you would enforce a strict password policy such that the master password is long enough for guessing to be computationally expensive, and the actual encryption key would be derived via a slow algorithm such as bcrypt or PBKDF2 with a large number of iterations. – zaitsman Sep 21 '21 at 01:09
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Sep 28 '21 at 08:29
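The pattern the comments describe (derive keys client side with a slow KDF, keep the vault key on the device, let the server hold only a salted hash of a separate authentication key) as an added Python example; it is not code from the question or from any commenter. The iteration counts, the username-as-salt choice and the `VaultServer` class are this example's own assumptions, and the vault blob is treated as an opaque ciphertext produced by a vetted AEAD (not shown).

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: tune for the client hardware


def derive_client_keys(username: str, master_password: str,
                       iterations: int = PBKDF2_ITERATIONS) -> tuple[bytes, bytes]:
    """Client only: the master password never leaves the device.

    The normalised username is a deterministic salt, so every device of the
    user derives identical keys. HMAC domain separation splits two independent
    keys: vault_key encrypts the stored passwords locally; auth_key is the only
    secret ever sent to the server. Knowing auth_key reveals nothing about
    vault_key, so a compromised server cannot decrypt the vault.
    """
    salt = username.strip().lower().encode()
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    vault_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key


class VaultServer:
    """Per user: a random salt, a hash of auth_key, and the encrypted vault blob."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    @staticmethod
    def _verifier(auth_key: bytes, salt: bytes) -> bytes:
        # Hash again server side: a dumped database holds neither the master
        # password nor auth_key, so a stolen row cannot be replayed as a login.
        return hashlib.pbkdf2_hmac("sha256", auth_key, salt, 10_000)

    def register(self, username: str, auth_key: bytes) -> bool:
        if username in self.accounts:
            return False
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"salt": salt, "vault": b"",
                                   "verifier": self._verifier(auth_key, salt)}
        return True

    def login(self, username: str, auth_key: bytes) -> bool:
        rec = self.accounts.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["verifier"], self._verifier(auth_key, rec["salt"]))

    def put_vault(self, username: str, auth_key: bytes, blob: bytes) -> bool:
        # Only the authenticated owner may overwrite or clear a vault.
        if not self.login(username, auth_key):
            return False
        self.accounts[username]["vault"] = blob
        return True
```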

0 Answers