2

I'm creating a password vault, which is consisted of a bunch of HTTP services, a web client, and Android application, and an iOS application.

There is a very simple table called Passwords that has these columns:

Id
UserId
Username
Password
Url
Notes

A user logs in via any client, adds passwords to this repository, and then has access to the list of his passwords.

In fact I'm creating KeePass, but in cloud.

Of course I need to make it as secure as possible. I've configured HTTPS for services, and only HTTPS calls are acceptable. I've also encrypted passwords in the Password column, but all with one key.

What options I can take to maximize the security of this system? Any suggestion, even physical tiering would be so welcomed.

Clarification: As users of modern world, life is getting very complicated for us. Our ancestors only had to deal with few concepts and all they had for security was their shields and spears. Today, each user probably has more than 100 accounts across the entire Internet. I've been the subject of a hack, and I truly lost some things. So I decided to use passwords more securely. KeePass is an outstanding option. But it's usage is offline, and can't be shared across devices. There are services out there, but they are all paid services. At least one free service should exist to help people with their password management problems. That's why I've decided to play my role as much as I can. I can't make this question more specific, as it's already very specified. I need to help people manage their passwords, and have access to it on any device, whenever they want, free. To get there, I need to make the system as secure as possible. Maybe this could become a collaborative effort, just like LetsEncrypt. We deserve to live in security and safety. But we need technology to help us. Now all I'm asking for is for people to give me hints on how to make this system more secure. This is totally objective, answerable as shown already, and relevant to this site as much as I read in help center.

Saeed Neamati
  • 145
  • 6
  • there are a lot of questions here about people making their own password vaults - you also do not explain what you mean by 'maximise security'. Once you include 'physical tiering', then this question becomes far too broad to answer – schroeder Oct 18 '17 at 10:56
  • 6
    Saving passwords in the cloud is one of the most demanding tasks you can do in cryptography, especially if you need to retrieve the passwords plaintext. So either you dive really deep into this topic, or it is supposedly better to use an existing proven software. For a starter, don't rely on a single key, let the user create his own password, derrive a key from it with a key-derivation-function and let the user enter this password whenever (s)he wants to read the passwords, don't store it anywhere. – martinstoeckli Oct 18 '17 at 10:57
  • 1
    I don't know why downvotes. From the first answer, and the second comment, I got as much answer is there needs to be, to understand the situation. Maximum security is an objective definition. Between simple HTTP and HTTPS, the second one is more close to maximum. Adding more bits of notes makes it get close to the maximum. – Saeed Neamati Oct 18 '17 at 12:47
  • 5
    @SaeedNeamati The downvotes might be from people who try to tell you that you are planning to do something really irresponsible. – Philipp Oct 18 '17 at 13:11
  • @SaeedNeamati I downvoted, for the reason Philipp explained. Read his great answer carefully and take the message to heart. (Have now removed my downvote because I think the answer shows that the question indeed was answerable.) – Anders Oct 18 '17 at 13:25
  • 1
    This question shows a lack of understanding about password managers, a lack of research about how KeePass works, a lack of research into how to use KeePass on multiple computers, a lack of research into cloud-based KeePass implementations which already exist, a lack of understanding of basic security practices surrounding password storage. How can you maximize the security of this system? Don't build it. Use an existing solution made and/or audited by people who actually know what they are doing. – Ben Oct 19 '17 at 03:03
  • 1
    KeePass can indeed work with an online storage repository, I already tried FTP and WebDav directories (WebDav is offered by many e-mail providers). Also I'm sharing the repository between my Windows PC and the Android smartphone. Give it a try. – martinstoeckli Oct 19 '17 at 07:31
  • 1
    I you can access your users passwords, then you're doing it wrong! Password Safe can also be used with online storage. No need to reinvent something which exists already. – Erwan Legrand Oct 19 '17 at 08:06

1 Answers1

9

Saving other people's passwords to other services is a very, very bad idea. It means that you now have the ability to steal every single password from your users, because you have the decryption key and your users only have your word that you won't use it. And even if you can convince your users that you are really a paragon of incorruptibility and would never do something like that (don't take it personally, but you certainly won't convince me), there is still the risk that someone will hack you. And considering how valuable you are as a target, many people will try their best to do that. You really can not expect any sane person to put that much trust into you and your operational security.

If you really have your user's best interest and privacy in mind, store their whole password database as a BLOB, encrypted with a key which is under the user's control. Do both the encryption and decryption of the password database on the client-side, so your server never sees the user's key or their data in cleartext. Your client-sided application can derive the key from the user's master-password (which you should not know either) using a key derivation algorithm like PBKDF2.

Problem: When the user forgets their master-password, they lose their whole password database. You can not help them, because by design you don't have the ability to decrypt it. There is no good workaround for that. Data security always requires some secret, and a secret known to a 3rd party is no secret anymore.

Philipp
  • 48,867
  • 8
  • 127
  • 157
  • So, is the solution proposed in this question good for password recovery? https://security.stackexchange.com/questions/153228/how-to-implement-reset-password-for-a-password-manager – Saeed Neamati Oct 18 '17 at 13:01
  • @SaeedNeamati That discussion should be held on the answers to that question. – Philipp Oct 18 '17 at 13:05