
About this thread:
Forum:
WinDev Forum
Posts in thread:
9
First post:
1 year ago
Last post:
1 year ago
Participating authors:
Art Bonds, Fabrice Harari, Jose Antonio Garrido, KenKnight, Erik Schwarz, DerekM, Alexandre Leclerc

LastPass password manager

Original post by Art Bonds on 28.07.2016 12:02

I have never trusted commercial password managers because I figured they can be compromised easily. Recently it was shown that the LastPass password manager has a dangerous vulnerability that compromises user accounts if users visit a malicious website. Confirmation of my fears. So I try to keep all my different passwords in my head.
Now, remembering my passwords seems to get harder and harder each year, especially for sites that I visit once in a blue moon. The grey on top of my head comes from leaky grey matter. My barber has cut off more knowledge than I currently know. Having a password manager would be nice, but I can't trust the commercial versions.
So I am thinking about writing a password manager for my own use. Security by obscurity if nothing else. Anybody ever given any thought about the specifications for writing a password manager in WD? Is there a reason it could not be done?
Seems I would need either a way to determine what website I am on or (easier) maybe a drop-down pick list or incremental search field on a table, an encrypted data file, and a master password. Maybe a way to recover that master password if that is forgotten (my Alzheimer's kicking up)... maybe allowing the user to create his/her own questions/answers (made-up question by user: "What was my favorite dog when we lived in New York City"... answer "fido"). Selecting a password record in the drop-down would copy the UserField and PswdField to Notepad, where I can paste it into their respective fields (OK, that will require some thought on how to...).
If I do write one I would do like Fabrice Harari and Steven Sitas and release it as open source back to the community. But as-is, no paid support... ;).
Thanks for any thoughts, encouragement or "you gotta be outta your mind, use xxxx instead".

Replies:

Hello Art,

a few ideas :

1- you need to have your DB fully encrypted (duh)
2- in the spirit of "don't trust something you haven't coded yourself", you'll need to encrypt your data yourself BEFORE putting it in the DB (so that's two different encryptions)
3- in order to avoid debugger attacks, you'll need to use a security system like Francis Morel's http://www.softprotect.fr/UK/index.html
4- For the browser part (detecting the URL), AFAIK, you'll need to code an add-on for each supported browser, and that, I do not think it's possible in WinDev. The add-on could probably call your WinDev program, but that's all.
5- Remember that "Security by obscurity if nothing else" is going against the idea of publishing your sources...

Personally, I have my own utility for that (in windev, of course), but I never tried part 4 above, and I'm happy doing it manually.

Best regards

by Fabrice Harari - on 28.07.2016 12:33
I use a little black book :)

by DerekM - on 29.07.2016 03:35
Hi,

if I remember, some time ago there was a discussion on this forum about cracking WinDev applications. I have in mind that somebody stated that the p-code which is used by WinDev would be very hard to debug if you don't have the sources.

So, what can a hacker see when using a debugger on the exe file? Just the machine code, or anything on a higher level?

How does a password hack go? Is a weak password like '123' just hacked easily by testing all combinations, compared to a 30-character password? I think, if the code is hacked, then the length and use of upper/lower case characters, ... could have no effect. And what if after 3 failures the app is blocked for some minutes, hours, ...?

I am using passwords which change every second (by using datetime inside an algorithm). Okay, that is no solution for the customers, but for me and my special interest in accessing secret data it's not that hard to calculate the actual password beforehand.

What's the opinion around about that ideas?

Erik

by Erik Schwarz - on 29.07.2016 06:22
Hi Erik,

it would be very hard to reconstruct the wlanguage code, that part is true...

However, using a debugger to check in assembly what is done at your password checkpoint is a piece of cake, and it doesn't matter what language you originally used... It all comes down to:
is this value = to that value...

So if you are not protecting your exe against debuggers, as I was stating before, you are only protecting it against script kiddies, not against real hackers. Have a look at Francis Morel's web site, there are a lot of explanations on the subject available there.

Best regards

by Fabrice Harari - on 29.07.2016 19:48
Hi Art,

You can use an open-source password manager if you want and avoid reinventing the wheel. http://keepass.info/ There are so many plugins, integration with browsers, sync with the cloud-based drive that you want, etc.

Best regards,
Alexandre Leclerc

by Alexandre Leclerc - on 01.08.2016 13:58
The password is not to bypass some application protection, but to decrypt the information. So I don't know if it would make any sense for a hacker to debug the application.
To integrate with the browser you can use the free version of iMacros. The "macros" are stored in plain text files, so you only have to update a file, or part of the file, or create a new file.
For me it is sufficient with a third-party software to encrypt sensitive data, and with Chrome's feature to save passwords.

Regards,
José Antonio.

by Jose Antonio Garrido - on 02.08.2016 09:25
Hi Art,

I wrote one in WinDev years ago that I still use to this day. I call it PasswordBuddy.

o Runs in the icon tray
o Uses DB encryption and prompts for password upon initial startup and re-prompts after inactivity.
o hierarchical treeview based
o full search
o copy to clipboard (although some might argue safety of this)
o configurable password generator (which I believe I originally got from an example)

Anyway, main point here is it is very doable in short order. I'd bet I don't have a day tied up in this thing.

Cheers!
Ken

by KenKnight - on 03.08.2016 12:22
Quote from DerekM:
    I use a little black book :)

My wife confiscated my little black book years ago... :joke:

by Art Bonds - on 04.08.2016 15:11