amuck-landowner

Passwords and Storage!

Nikki

New Member
We all have a passphrased ssh key (I hope)

I'd use the rsa key to encrypt an AES-256 key which is then used to encrypt the passwords. That's just me though, and there are probably better ways to do it.
 

devonblzx

New Member
Verified Provider
openssl_encrypt() allows you to use various ciphers to encrypt data in 2-way encryption.  I would use the $password as the master password for that user. 

For storing their master password, you should use one-way encryption with a salt, require minimum security requirements, and you would also have to make note that if the user ever resets their password, you have to regenerate all the passwords in the database for that user (since it is using that password).
 

MartinD

Retired Staff
Verified Provider
Retired Staff
^ That's the problem - it would mean storing the same passwords X times, where X is the number of users of the password manager. Seems like it would be counterproductive?

I'm not a developer or a coder though so I'm coming from a sysadmin/user angle more than anything.
 

devonblzx

New Member
Verified Provider
> ^ That's the problem - it would mean storing the same passwords X times, where X is the number of users of the password manager. Seems like it would be counterproductive?
>
> I'm not a developer or a coder though so I'm coming from a sysadmin/user angle more than anything.
I'm not sure I follow you.  You should be storing the master password in one table, and their other passwords in another table.  The master password would be the cipher password, but it wouldn't need to be stored more than once.  They would need to enter their master password to retrieve a password which is how most password managers work.
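A worked version of the layout devonblzx describes, combined with the key-wrapping idea from Nikki's post, added here as an example rather than code from anyone in the thread: the master password is stored only as a salted one-way hash, a random per-user data key encrypts the vault entries with openssl_encrypt(), and that data key is itself wrapped under a key derived from the master password, so a master-password reset re-wraps one key instead of re-encrypting every stored password. Function names, the in-memory records and the 'correct horse' / 'battery staple' values are constructed for the example.

```php
<?php
// Added example (not from the thread). In-memory arrays stand in for database rows.
const CIPHER = 'aes-256-gcm';   // authenticated mode: a wrong key or tampered row fails to decrypt
const PBKDF2_ITERS = 200000;

// One-way, salted storage of the master password, used only to check logins (never as a key).
function storeMasterHash(string $master): string {
    return password_hash($master, PASSWORD_DEFAULT);
}

// Derive a key-encryption key (KEK) from the master password and a per-user random salt.
function deriveKek(string $master, string $salt): string {
    return hash_pbkdf2('sha256', $master, $salt, PBKDF2_ITERS, 32, true);
}

// AES-256-GCM helpers; the random IV and the auth tag are stored next to the ciphertext.
function sealWith(string $key, string $plaintext): array {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return ['iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}
function openWith(string $key, array $box): string {
    $pt = openssl_decrypt($box['ct'], CIPHER, $key, OPENSSL_RAW_DATA, $box['iv'], $box['tag']);
    if ($pt === false) { throw new RuntimeException('wrong master password or tampered record'); }
    return $pt;
}

// Per-user key record: a random data-encryption key (DEK) wrapped under the KEK.
function createKeyRecord(string $master): array {
    $salt = random_bytes(16);
    return ['salt' => $salt, 'wrapped' => sealWith(deriveKek($master, $salt), random_bytes(32))];
}
function unwrapDek(string $master, array $rec): string {
    return openWith(deriveKek($master, $rec['salt']), $rec['wrapped']);
}

// Master password reset: re-wrap the same DEK under the new KEK; vault rows are untouched.
function rewrapDek(string $oldMaster, string $newMaster, array $rec): array {
    $dek  = unwrapDek($oldMaster, $rec);
    $salt = random_bytes(16);
    return ['salt' => $salt, 'wrapped' => sealWith(deriveKek($newMaster, $salt), $dek)];
}

// Walk-through with constructed values.
$rec   = createKeyRecord('correct horse');
$entry = sealWith(unwrapDek('correct horse', $rec), 'db-password: s3cret');   // one vault row
$rec   = rewrapDek('correct horse', 'battery staple', $rec);                  // user resets master
$hash  = storeMasterHash('battery staple');                                   // login hash replaced too
assert(password_verify('battery staple', $hash));
echo openWith(unwrapDek('battery staple', $rec), $entry), PHP_EOL;            // row still readable
```

Because only the wrapped DEK changes on a reset, the "regenerate all the passwords" step devonblzx mentions is no longer needed; a forgotten master password still makes the vault unrecoverable, which is the property a password manager wants.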
 

splitice

Just a little bit crazy...
Verified Provider
Personally I would use 512-bit; currently 256-bit is believed to be sufficient. However, if history has taught us something, it's that CPU power is always increasing. Even if we can't fathom it right now, it's possible we just need the right technology to facilitate it. Using 512-bit keys costs you little and gains you a decent benefit.
 

perennate

New Member
Verified Provider
> Personally I would use 512-bit; currently 256-bit is believed to be sufficient. However, if history has taught us something, it's that CPU power is always increasing. Even if we can't fathom it right now, it's possible we just need the right technology to facilitate it. Using 512-bit keys costs you little and gains you a decent benefit.
There's no AES-512... if you roll your own 512-bit scheme based on AES, you still can't just call it AES.

Edit: besides, you'd still be transferring your data over SSL/TLS, which is most likely going to be using 256-bit or shorter symmetric encryption keys.
 