Feedback - Security concerns
Created by: LiljebergXYZ
After having gone through several password managers, looking through sources to see if anything is feasible, I came across this application, which quite frankly is the most insecure of the bunch I have seen.
You should never send plain text passwords over the internet as you are currently, and all encryption and decryption of passwords should happen on the client side, where the server should not have any knowledge of the master password, as this completely breaks the security. You're not safe from this issue simply because you're using HTTPS, as that could still easily be compromised.
Encrypt function example /src/PASSY/Passwords.php Line #41
Contains a regular post form: /page/page_password_list.inc.php
Therefore no one who cares about their passwords should be using this, and if they do, or have, they should consider all their passwords leaked and change them immediately.
The simplest way to store passwords in this scenario would be:
- Client encrypts password with their master key (possibly even username/url/etc as to not leak any information)
- Client sends encrypted data to server
- Server encrypts client's data with their own secret key
- Server stores data in database
For retrieving passwords you do the same in reverse:
- Client requests passwords
- Server decrypts password with own secret
- Server sends client's encrypted data to client
- Client decrypts using master key locally
For encryption and decryption on the client side this library is a good start: https://github.com/ricmoo/aes-js
The use of AES256 is definitely encouraged as you're currently using an unaudited encryption library that could be very unsafe and may not have a JS implementation.
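The store and retrieve flow listed in the issue above, as an added example that is not part of the original post or of the PASSY code base. It uses Node's built-in `crypto` module (AES-256-GCM) in place of aes-js so it runs without dependencies; the scrypt key derivation, the blob layout, all function names and the sample entry are assumptions of this example.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM, fresh 96-bit nonce per message. Layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// CLIENT: the key is derived locally; the master password never leaves the client.
// Assumption: scrypt with Node's default cost and a random per-user salt.
function clientKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}
// CLIENT: the whole entry (URL and username too) is encrypted, so nothing leaks.
function clientEncrypt(key, entry) {
  return seal(key, Buffer.from(JSON.stringify(entry), "utf8"));
}
function clientDecrypt(key, blob) {
  return JSON.parse(open(key, blob).toString("utf8"));
}

// SERVER: wraps the opaque client blob with its own secret before storing it.
const SERVER_SECRET = crypto.randomBytes(32); // constructed; a real server loads it from config
const db = new Map();                         // stand-in for the database
function serverStore(id, clientBlob) { db.set(id, seal(SERVER_SECRET, clientBlob)); }
function serverFetch(id) { return open(SERVER_SECRET, db.get(id)); }

// Round trip with constructed sample data.
function demo() {
  const salt = crypto.randomBytes(16);
  const key = clientKey("correct horse battery staple", salt);
  const entry = { url: "https://example.com", username: "alice", password: "s3cr3t!" };
  serverStore("entry-1", clientEncrypt(key, entry));
  // What the server holds after removing its own layer is still ciphertext.
  const leaked = serverFetch("entry-1").includes("s3cr3t!");
  const back = clientDecrypt(key, serverFetch("entry-1"));
  let wrongKeyRejected = false;
  try { clientDecrypt(clientKey("wrong", salt), serverFetch("entry-1")); }
  catch { wrongKeyRejected = true; }
  return { back, leaked, wrongKeyRejected };
}
```
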