
Building a password manager platform for my school project

  • Writer: Collins Kim
  • Jul 10, 2024
  • 4 min read

These days people have to manage a large number of passwords, as new platforms appear daily. It is hard to come up with a strong, secure password for each one, let alone remember them all. Trustworthy password managers built on modern, secure standards are also out of reach for people who cannot afford the monthly fees charged for them.


I say this not only on behalf of others but also from experience. The result is that most of us record passwords on whatever material is at hand, such as cardboard (my previous option) or paper, where they are exposed to unauthorised people, to damage, or to loss through carelessness or ordinary human error. This led me to formulate a simple and secure way to handle the problem at large.



WHAT IS KEYNGA?

Keynga is a platform that stores and manages a user's passwords securely and in an orderly manner with the help of a single master password. A user registers with a master password that serves three purposes:

  • Registration and authentication, using a hash of the master password rather than the password itself

  • Unlocking the user's vault after successful validation at login.

  • Generating a user key that encrypts the stored passwords with a symmetric block cipher, namely the Advanced Encryption Standard (AES).


The main purpose of the application is to authenticate users properly and securely, and to store every user's passwords encrypted and in an orderly, manageable form. Even if a user's credentials are exposed, the files that store that user's data are ideally of no use unless the attacker also has the user's master password.

It is tailored for both personal and industrial use, across organizations where platform security is key.


My focus was on engineering the logic and algorithms that ensure every operation works correctly and diligently, from researching modern secure practices in cryptography to building a robust structure that leaves no point of entry into the system.



FEATURES

The application was built with a set of technologies, namely:

  • HTML, CSS, and JavaScript, to build a firm grasp of frontend fundamentals

  • Bcrypt, to generate secure hashes that are practically irreversible

  • Python, so as to grasp classes, data structures and algorithms, data encapsulation and hiding, and other Pythonic concepts


Some key features I would like to highlight:


User authentication using the bcrypt library

Bcrypt is a Node.js library used within my application to hash passwords correctly and efficiently. All passwords are stored as hash values instead of plaintext, and I rely on the library to compare the password entered at login against the stored hash digest for the same user.

The main reason for using the library is its deliberately slow operation. Platforms are generally exposed to attacks such as brute force, dictionary attacks and rainbow table attacks, among many others. Bcrypt is intentionally engineered to execute slowly, which reduces the number of password guesses an attacker can try in a given time.
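The three roles of the master password listed above, and the point made here about slow hashing, come together in how a registration record is built and checked. The following is an added example written for this post, not code from Keynga. Because bcrypt is not in the Python standard library, PBKDF2 from hashlib stands in for it: both are deliberately slow, salted password hashes with a tunable work factor. The function names, the iteration counts and the record layout are assumptions made for the example. Its security point is that the stored verifier and the vault key are derived with different salts and a different purpose label, so a leaked record does not hand an attacker the key that protects the vault; the AES encryption of vault entries with that key is outside this block.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the slow hash. bcrypt uses a logarithmic cost parameter;
# PBKDF2 uses an iteration count. Both exist to make every guess expensive.
# (Assumed values for the example; tune upward for production hardware.)
AUTH_ITERATIONS = 100_000
KEY_ITERATIONS = 100_000
VAULT_KEY_BYTES = 32  # AES-256 key length


def register(master_password: str) -> dict:
    """Build the stored record for a new user (hypothetical layout).

    Only the authentication verifier and the two random salts are stored.
    The vault key is re-derived from the master password at login and is
    never written to disk.
    """
    auth_salt = os.urandom(16)
    key_salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), auth_salt, AUTH_ITERATIONS
    )
    return {"auth_salt": auth_salt, "key_salt": key_salt, "verifier": verifier}


def derive_vault_key(master_password: str, key_salt: bytes) -> bytes:
    """Derive the AES key from the master password.

    A distinct salt plus a purpose label keeps this derivation independent of
    the authentication verifier, even though both start from the same secret.
    """
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        b"keynga-vault-key:" + key_salt,  # label is an assumption for the example
        KEY_ITERATIONS,
        dklen=VAULT_KEY_BYTES,
    )


def login(record: dict, candidate: str) -> Optional[bytes]:
    """Check the candidate password; on success return the vault key.

    hmac.compare_digest keeps the comparison constant-time so the verifier's
    bytes do not leak through timing differences.
    """
    attempt = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["auth_salt"], AUTH_ITERATIONS
    )
    if not hmac.compare_digest(attempt, record["verifier"]):
        return None
    return derive_vault_key(candidate, record["key_salt"])


if __name__ == "__main__":
    rec = register("correct horse battery staple")  # constructed sample password
    print("stored fields:", sorted(rec))           # no key, no plaintext
    print("wrong password accepted?", login(rec, "hunter2") is not None)
    key = login(rec, "correct horse battery staple")
    print("vault key length:", len(key) if key else None)
```

Each call to `login` costs one full PBKDF2 run, which is exactly what slows an offline guessing campaign against a leaked record: raising `AUTH_ITERATIONS` raises the attacker's cost per guess by the same factor as the legitimate user's.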


Password generation

Besides storing passwords, the platform can generate them. A function lets the system generate a password for a user's platform of interest: a string containing a required set of character classes, so that the result has at least a firm level of password strength.
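One way to implement the generator described here, as an added example rather than Keynga's own function. It uses the `secrets` module (a CSPRNG) instead of `random`, guarantees at least one character from every required class, and shuffles so the guaranteed characters do not always land at the front. The class names, symbol set, default length and the policy check are assumptions made for the example.

```python
import math
import secrets
import string

# Character classes a generated password may be required to include.
# The symbol set is an assumption for the example; sites differ on what they accept.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")


def generate_password(length: int = 20, classes=DEFAULT_CLASSES) -> str:
    """Return a random password that contains at least one character per class."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    pools = [CHARACTER_CLASSES[name] for name in classes]
    # One character from each required class guarantees the policy is met.
    chars = [secrets.choice(pool) for pool in pools]
    # Fill the rest from the union of all pools.
    union = "".join(pools)
    chars += [secrets.choice(union) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the same CSPRNG, so position leaks nothing
    # about which characters were the guaranteed ones.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str, classes=DEFAULT_CLASSES, min_length: int = 12) -> bool:
    """Check the password against the same class and length requirements."""
    if len(password) < min_length:
        return False
    return all(any(ch in CHARACTER_CLASSES[name] for ch in password) for name in classes)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on guessing entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    union_size = len("".join(CHARACTER_CLASSES[c] for c in DEFAULT_CLASSES))
    print(f"~{entropy_bits(20, union_size):.1f} bits for a 20-char password")
```

The entropy figure is the ceiling for a password drawn uniformly from the full alphabet; forcing one character per class lowers it slightly, which is the usual trade-off between strength and site policies that demand mixed classes.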


Login manager

A login manager assists with user management when logging in to the system. It contributes a great deal to security by ensuring that at no point can users access the system and find loopholes that cause malfunctions or give illegal access to other users' profiles.



CHALLENGE

Of course, there is never a lack of challenges when venturing into unfamiliar territory. I faced technical challenges ranging from the overall architecture to implementing secure strategies, but the most cumbersome task was user authentication and consistent access to user data and vaults.


I chose system file storage on the Linux environment over a database mechanism. That was a great ordeal, as I had to personally ensure that all user sessions were safely managed and never collided through multithreading when multiple users operated on the system.


Unfortunately, my current mode of authentication means that whenever a user logs in, their vault has to be generated and sent, and this needs the master password as well. This was a major roadblock, since I did not want to store the master password at any point in time. Eventually, I opted to store it in a session cookie, which poses a great risk in the event of a successful cross-site scripting (XSS) attack. Nonetheless, it is a sufficient implementation for now, and one for which I will seek help from other engineers.
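The two problems raised in this section, sessions colliding under multithreading and the master password sitting in a cookie where XSS could reach it, are usually handled with one structure. The following is an added example of that alternative design, not Keynga's code. It assumes a `vault_key` has already been derived from the master password at login; only that key (never the password) is kept, and only server-side, in a lock-protected in-memory store with an expiry. The browser receives an opaque random token in a cookie flagged `HttpOnly`, `Secure` and `SameSite=Strict`, so page script cannot read it and it carries no secret to leak. The class and function names, the TTL and the cookie name are assumptions for the example.

```python
import secrets
import threading
import time
from typing import Callable, Dict, Optional, Tuple


class SessionStore:
    """Server-side map from opaque token to (vault key, expiry time).

    The lock serialises access so concurrent logins and lookups from several
    request threads cannot corrupt or cross-read one another's entries.
    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, ttl_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._sessions: Dict[str, Tuple[bytes, float]] = {}

    def create(self, vault_key: bytes) -> str:
        """Store the derived key and return a fresh 256-bit random token."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._sessions[token] = (vault_key, self._clock() + self._ttl)
        return token

    def lookup(self, token: str) -> Optional[bytes]:
        """Return the vault key for a live session, or None if unknown/expired."""
        with self._lock:
            entry = self._sessions.get(token)
            if entry is None:
                return None
            key, expires_at = entry
            if self._clock() >= expires_at:
                del self._sessions[token]  # expired: drop the key immediately
                return None
            return key

    def destroy(self, token: str) -> None:
        """Logout: forget the key so the token is useless from now on."""
        with self._lock:
            self._sessions.pop(token, None)

    def active_count(self) -> int:
        with self._lock:
            return len(self._sessions)


def session_cookie_header(token: str, max_age: int) -> str:
    """Set-Cookie value carrying only the opaque token, unreadable to page script."""
    return (f"keynga_session={token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


def concurrent_create(store: SessionStore, threads: int, per_thread: int) -> None:
    """Simulate many simultaneous logins to exercise the lock."""
    def worker() -> None:
        for _ in range(per_thread):
            store.create(secrets.token_bytes(32))
    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    token = store.create(b"\x01" * 32)  # constructed stand-in for a derived key
    print(session_cookie_header(token, 60))
    print("key present:", store.lookup(token) is not None)
    store.destroy(token)
    print("after logout:", store.lookup(token))
```

With this layout a stolen cookie is only as good as its remaining lifetime and can be revoked server-side by `destroy`, whereas a cookie holding the master password stays valid until the password itself is changed.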


CONCLUSION

Overall, this was a good project and a stepping stone to understanding modern cryptography patterns and implementations. My sole aim as an engineer is not only to build solutions but to build them securely. As I work day in and day out to learn cyber security, I am also working towards my goal of mastering pen testing, so as to use knowledge of both fields to make our cyberspace a safer, malice-free environment for a better tomorrow.


For further inquiry or a link to the project, you can refer to the links below:


