Being one of the older guys here I keep forgetting passwords etc. to websites. So I decided to write a password manager program. Now I know there are many out there, but mine offers a few features over some of the others:

- Customisable column headings, so you can tailor the program for other uses
- Semi portable: run it from your USB key or even in some cases a mobile phone (needs the .NET 2 Framework on any host computer it runs on)

Now before I go any further on about it I would appreciate NO posts like "sif use .NET" or similar, OR "Program xyz has all these features, people should use it".

Full details are here - http://www.realtime-systems.com/passvault.html

Some of the uses my testers suggested apart from password storage are:

- Store software registration keys
- Point the URL column at a thumbnail pic of a household item and record the serial number of it

Anyway, have a look at it if you think it might be useful, and any intelligent suggestions are welcome.

Jim
What sort of encryption does it use to protect that data and how strong is it? If you lose your USB stick, you would want it well encrypted. Otherwise, I doubt it would be hard to crack.
foxmulder881: Please feel free to give it a go and crack it. It uses the .NET TripleDESCryptoServiceProvider with an MD5 hash name.

Jim
That is almost always due to not having the .NET Framework installed. Run Windows Update, that ought to install it. Or get it here: http://www.microsoft.com/downloads/...cb-4362-4b0d-8edd-aab15c5e04f5&displaylang=en (~26 MB)

Edit: Also, jab, where are you getting your icons from? They look pretty good.
I'm making exactly the same sort of program atm as well, except the tools I'm using are quite different. I'm using Flash 8, Zinc and MySQL. It's just a small personal side project while I learn Zinc. One feature I built into mine, which you may or may not already have, is one-click copy to the clipboard. Easy enough to do: you left-click on the password field and the password gets put on the clipboard ready for pasting.
wwwww: For the moment I have not packaged the program up into an installer, so it assumes you do have the .NET 2 Framework installed. I also think this is the problem.

Nitrov8: I have added the help screen to the main post. One of the "right-click" options is in fact copying the cell data to the clipboard. In lieu of a database I store the data encrypted in an XML file. That way it can easily be "re-constructed" from a printout.

f3n1x: I purchased a commercial set of icons for a number of developments, thanks.
Post your encryption algorithm, then people can give you some feedback about its security. Here are my criticisms:

- It uses the same IV each time it encrypts the file. This leaks information.
- It derives the password using the same salt, which makes it more vulnerable to offline attacks.
Ravenclaw: So you're saying it would be better to have, say, half a dozen keys and randomly choose one to encrypt the data with. The only thing I would have to do then is also embed into the encrypted data an indicator as to which key was used.

Jim
Then when I clicked quit, the app hung... Have to exit through Task Manager.
You are using a block cipher in CBC mode. One of the reasons for using CBC is so two identical plaintexts will never be encrypted to the same ciphertext. If two identical plaintexts are encrypted to the same ciphertext then you leak information. If you are encrypting multiple streams with CBC and the same key then you need to use a unique IV (initialization vector) for each one. However, it should be good enough to use a random one. It is very unlikely that you will ever choose two 128bit values that are the same; you would have to encode 2^64 messages before you had a 50% chance of that happening. You seem to be using all zeros as the initialization vector.

You should also use a random salt as part of the key derivation function. The reason for using a random salt is to stop brute force dictionary attacks from being cheaper. At this point I will assume you are using a key derivation function that uses multiple iterations to try and stop brute force dictionary attacks. Say I wanted to break into 1000 password databases: then I could simply perform the key derivation function on my dictionary, store the results and then use the keys to try and break into the databases. This increases my speed by around 1000x.

EDIT: ignore the bit below. This doesn't apply.

Your implementation also has a more serious flaw. Because you are using a constant IV and no salt, and I'm guessing the first 16 characters in the XML file are always going to be the same (<?xml version="1 ), I can simply get my dictionary, calculate the first encrypted block for each password in the dictionary and store these blocks in a giant hashtable. I can then break a password database in one lookup operation, assuming the password is in my dictionary. This attack is somewhat similar to this one for Windows passwords. The encryption in Microsoft Office was broken because it used the same IV every time, so these attacks are very real, but the Office vulnerability is orders of magnitude worse.

ok guys.
I totally missed the biggest problem with this password vault on my first analysis. I just decompiled one function and assumed the vault would be written similar to how I would write it but making novice mistakes. This is not the case. The password vault is backdoored (probably not deliberately). Do not use it. If you want proof, send me a file and I will decrypt it.
Jab: Whilst it's great you've written the program, I wouldn't expect other people to use it when it's very easy for someone an insecure program. Personally, if I was going to use one I'd use the one written by Bruce Schneier.
I use http://www.truecrypt.org/docs/ on all of my USB drives and also create a partition on my main drive. All of my partitions/*.tc files have a hidden partition after an empty static parent with mixed encryption at all levels. Very secure.

Jab, check out the encryption podcasts on GRC.com here: http://www.grc.com/securitynow/
Phew. Boy, one really does learn from one's mistakes. I have removed the download of PassVault from my website, never to reappear. The webpage will go in a few days.

Jim.

PS Ravenclaw, email me please what you found re backdoored. It was CERTAINLY not my intent.
After thinking about it for a little while I would like to re-iterate in the strongest manner: I WOULD NEVER INTENTIONALLY BUILD IN A BACKDOOR TO ANY SOFTWARE I HAVE WRITTEN. Even any suggestion of that could ruin my reputation of some 25+ years in the industry. I would like to think that possibly in the future I may post some other software (but doubtful now) I have on the go, but this will effectively kill anybody's desire to look at anything I write. Also my business, Realtime Systems', reputation hangs on this as well. From my early days as the first distributor in Australia of Corsair memory through my extensive work in government with database work and application system design, I have tried to maintain an ethical business, totally. I hope this is clear to all.

Jim.
I believe you, Jab, but it does beg the question about security testing before releasing any type of software. Surely there must be somewhere out there where you can say "here is my program, see if it has any holes".