Wednesday, May 27th, 2009
Password Bank Project
This is the first such project. I recently decided that I need to mix up the passwords I use online but I really struggle remembering that type of thing. There are already tools out there to securely store passwords online, but this seemed like as good a project as any, so I decided to build a tool myself.
So here's the deal. Anyone with an account on this here website has access to their own "Password Bank". You can create an account if you want to check it out (just click "Sign Up" at the top of the page). Basically you can store username/password combos or any other type of sensitive information you want. This is encrypted and stored securely and then you can log back in and see it whenever you want. I don't really expect anyone to use this, but you can go play around with it if you're curious.
How it works
I want to go over how this works. If you're computer science inclined, let me know what you would have done differently. If you're not computer science inclined, this will be boring.
The main focus here obviously has to be security. I needed to make sure that if someone can get their hands on all my passwords and data, they still won't be able to see any of your sensitive information.
So the first level of security is obviously the main password when you set up the account. This will potentially be used to access all kinds of different applications, so I want a more secure password for the password bank. Because of this, I have each user enter a Master Password when they first go into their password bank. A hashed version of the master password is stored, but this is only for account validation and it can't be used to access any data.
When a user first enters the password bank, they type in their master password. This is first hashed and matched with what I saved in the database to make sure this is the correct password. Then the master password is hashed using a different algorithm (so it doesn't match the password I store in the database) and this is used as the key for all future encryption and decryption. The idea here is that I can validate the master password without ever actually storing anything useful in the database.
Once the master password is entered, the user can enter as many username/password/notes combinations as they want. This is all encrypted using a pretty standard 2-way algorithm with the hashed version of the master password as the key. You see a list of all the information you've entered without any of the sensitive stuff displayed by default. You can click a link to show the sensitive info for each specific entry.
I'm working on getting an SSL certificate for this site but GoDaddy is (of course) tripping over their own feet and causing me much distress. For now I'll only be accessing this from networks I trust (work and home).
So yeah, hopefully this made sense to at least a couple of you. It was a very simple project, but it's a nice way to start the tylerking.net random application platform. Let me know your thoughts. Posted by Tyler King
Tags: programming, Demonstration