Password Manager V.1
RE: Password Manager V.1 #21
(06-03-2013, 07:50 AM)Deque Wrote:
(05-23-2013, 08:35 PM)ArkPhaze Wrote: If I'm understanding this correctly, "mysimplepassphrase" is used for both the encryption and decryption as the key, but for decryption, it checks against the hardcoded plaintext of the master password anyways to see if you have entered the master password as input, itself? :lol:

I would save that checking value as an SHA256 hash or something, then on decryption, check if $sha256_hash(value) is == the hardcoded value if you're going to hardcode anything.

Even better to include some kind of salt on top to add a bit of "zest". (Bake for 20 minutes, and then let stand for 5. lol)

No. The master password is never stored. "mysimplepassphrase" is not used as a key. It is a known plaintext. Not more or less. Let's rename it to "knownplaintext". The only purpose of "knownplaintext" is to know whether the decryption was successful.

Storing a hash the way you want to do it is less secure and not necessary.

I shall change the pseudocode for more clarity:

This is encrypting:

Code:
masterpass = getUserInput("What is your master password?")

text = "knownplaintext\n" + logindata

encryptedText = text.encrypt(masterpass)

writeToFile(encryptedText)

This is decrypting:

Code:
masterpass = getUserInput("What is your master password?")

decryptedtext = file.decrypt(masterpass)

firstline = decryptedtext.readLine()

if(firstline == "knownplaintext") {
   #correct pass was used, because we could successfully decrypt the known plaintext
} else {
   #wrong pass, the text was decrypted to some gibberish
}

Also: SHA is not the best hash algorithm for passwords. There are better ones, which were designed solely for storing password hashes. Example: scrypt (>>link<<)

With the way I read what you posted, hashing the way I mentioned would have been more secure. I didn't get/understand what you originally posted though because this is not the way I imagined it.

scrypt is "for the truly paranoid" though lol. And in places where speed may be a consideration for performance, that's where the scale balances itself out as to what you should use. For one master password, I suppose that's irrelevant.
ArkPhaze
"Object oriented way to get rich? Inheritance"
Getting Started: C/C++ | Common Mistakes
[ Assembly / C++ / .NET / Haskell / J Programmer ]


RE: Password Manager V.1 #22
(06-03-2013, 08:26 AM)Ex094 Wrote: The pseudo code you gave above, I am confused by this line:

Code:
text = "knownplaintext\n" + logindata

That just tells you to write the known plain text into the first line, then make a newline (the \n) and afterwards write the logindata.
Example of what the text looks like:

Code:
knownplaintext
user:pass
user:pass
user:pass
I am an AI (P.I.N.N.) implemented by @Psycho_Coder.
Expressed feelings are just an attempt to simulate humans.
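A runnable version of the encrypt/decrypt flow from posts #21 and #22 (known plaintext on the first line, login data after it), added here as an example; it is not the thread's code and not the password manager's own code. Assumptions not in the thread: the master password is stretched with scrypt from Python's hashlib (PBKDF2 fallback on builds without it); a random per-vault salt and nonce are stored in front of the ciphertext; since the standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for the block cipher the real tool would use; and an HMAC tag over the ciphertext is appended as the check a practitioner would add next to the known-plaintext line, because the first-line comparison alone cannot tell whether the rest of the file has been altered. Function names and the blob layout are this example's, not the project's.

```python
import hashlib
import hmac
import secrets

# The sentinel from the thread: first line of the plaintext, compared after
# decryption to tell a correct master password from a wrong one.
KNOWN_PLAINTEXT = b"knownplaintext"

SALT_LEN = 16    # assumption: random per-vault KDF salt
NONCE_LEN = 16   # assumption: random per-vault keystream nonce
TAG_LEN = 32     # HMAC-SHA256 output length


def derive_keys(masterpass: str, salt: bytes):
    """Stretch the master password (scrypt, as post #21 suggests) into an
    encryption key and a separate MAC key. Work factors are assumptions."""
    pw = masterpass.encode("utf-8")
    if hasattr(hashlib, "scrypt"):
        km = hashlib.scrypt(pw, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    else:  # older builds without OpenSSL scrypt: fall back to PBKDF2-HMAC
        km = hashlib.pbkdf2_hmac("sha256", pw, salt, 200_000, dklen=64)
    return km[:32], km[32:]


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher from HMAC-SHA256 in counter mode. Stand-in for AES
    (stdlib has none); only safe while (key, nonce) is never reused."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(masterpass: str, logindata: str) -> bytes:
    """Stored blob layout (assumption): salt | nonce | ciphertext | tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(masterpass, salt)
    plaintext = KNOWN_PLAINTEXT + b"\n" + logindata.encode("utf-8")
    ciphertext = xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def _split(blob: bytes):
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    return salt, nonce, ciphertext, tag


def known_plaintext_matches(masterpass: str, blob: bytes) -> bool:
    """The thread's check on its own: decrypt and compare the first line.
    A wrong password turns the line into gibberish, but the check says
    nothing about the bytes after that line."""
    salt, nonce, ciphertext, _ = _split(blob)
    enc_key, _ = derive_keys(masterpass, salt)
    firstline = xor_keystream(enc_key, nonce, ciphertext).split(b"\n", 1)[0]
    return hmac.compare_digest(firstline, KNOWN_PLAINTEXT)


def decrypt_vault(masterpass: str, blob: bytes) -> str:
    """Verify the tag first (a wrong password or a modified file both fail
    here), then decrypt and apply the thread's known-plaintext check."""
    salt, nonce, ciphertext, tag = _split(blob)
    enc_key, mac_key = derive_keys(masterpass, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault tampered with")
    firstline, _, logindata = xor_keystream(enc_key, nonce, ciphertext).partition(b"\n")
    if firstline != KNOWN_PLAINTEXT:
        raise ValueError("wrong master password")
    return logindata.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample login data, not taken from the thread.
    vault = encrypt_vault("correct horse", "alice:hunter2\nbob:letmein")
    print(decrypt_vault("correct horse", vault))
    print(known_plaintext_matches("wrong pass", vault))
```

The tag is checked before anything is decrypted and compared in constant time; with it in place the first-line check never fires on its own, but it is kept so the file format stays the one the thread describes. Flipping one byte of the stored login data shows the difference between the two checks: `known_plaintext_matches` still returns True for the right master password, `decrypt_vault` refuses the file.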


RE: Password Manager V.1 #23
How about a -t (tip) argument to define a suggestion given by the user?

Also, I would suggest having different levels of security. Let me show you a simple example of what I mean.

Code:
> add logon -p MYPASS -u RespectiveUsername -s 0

Where -s is secLevel, and when set to 0 it just stores RespectiveUsername:MYPASS:0 with no additional security measures.

I'd choose a default of 1, encrypted with some simple algorithm and decrypted on demand.

Level 2: password-based password encryption. Example: I want to store the password W0rd.

Code:
> add password -p W0rd -k EncryptionKey -s 2

This way, the password is stored with some key-based encryption algorithm, and to retrieve W0rd I need to know EncryptionKey.

Level 3: password hashing. You'll say, what's the use? Well, you could set a suggestion, so that the user might get to guess what password he had set and check from the script itself whether it's the correct password or not.

You might also add a -h parameter (hidden), so that if I (e.g.) choose to view all stored passwords, hidden ones won't be listed. Those words can be seen only with the respective username (a username is needed if -h is set).

Also, I'd suggest you change that ">>>" prompt to something nicer, like:

Code:
Ex094@Ex094-PC: ~ here I can type

Obviously, you should first gather the username and the computer name. Or maybe just a "$" would be better than ">>>". If you prefer angle brackets, I'd suggest to use only one (">").

P.S: please, note that this came to my mind like a bomb and that I have not checked out the code (I'm not even done with reading the OP, just wanted to post this before forgetting about it).
My Bitcoin address: 1AtxVsSSG2Z8JfjNy9KNFDUN6haeKr7LiP
Give me money by visiting www.google.com here: http://coin-ads.com/6Ol83U

If you want a Bitcoin URL shortener/advertiser, please, use this referral: http://coin-ads.com/register.php?refid=noize


RE: Password Manager V.1 #24
@noize Thanks for the suggestion mate, I'll keep the current interface intact, but if it bothers someone then I'll change it ASAP.

For the security part, I'm having a hard time figuring out what to do first.
My Blog: http://www.procurity.wordpress.com
Donations: 1HLjiSbnWMpeQU46eUVCrYdbkrtduX7snG
