When changing master password allow selecting or generating of a keyfile #256
Comments
Would love to work on this @hpoul. Could you elaborate on this a little more?
@uV3301 that would be great. Take a look at https://keepass.info/help/base/keys.html#keyfiles which describes the keyfile. AuthPass already supports reading of the keyfile in those formats. When creating a new keyfile we should probably also create an XML file similar to the one from Keepass. You can just try to create one with Keepass.
No idea what you mean by that. The password is only used as the encryption key itself. The only thing which might make sense would be to not have the password in memory, but only calculate the hash necessary for decryption. But I don't see a big security advantage in that anyway. (It is never stored on disk, only in memory, and for quick unlock it's already only the hash that is stored.)
@hpoul Yeah alright. I will check that.
Yeah, I was thinking something like that.
@uV3301 no, it only contains some bytes which are used as master key (I think the keepass article explains it pretty well). This is an example file: https://github.com/authpass/kdbx.dart/blob/master/test/keyfile/keyfilev2.keyx
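Added example, not code from this thread or from AuthPass/kdbx.dart: a small Python reader and writer for the key-file formats the KeePass page linked above describes (XML 2.0 with hex data and a hash, XML 1.0 with base64 data, a raw 32-byte file, a 64-character hex file, and the SHA-256 fallback for anything else). The function names and the sample inputs are my own; the layout of the generated 2.0 file mirrors what KeePass itself writes, but any reader that accepts the format will take it.

```python
"""Read and write KeePass key files (example code, not the project's own).

Formats per https://keepass.info/help/base/keys.html#keyfiles:
  * XML key file 2.0: <Data Hash="...">hex bytes</Data>, Hash = first
    4 bytes of SHA-256(key) as uppercase hex (corruption check)
  * XML key file 1.0: <Data>base64 bytes</Data>
  * exactly 32 bytes: used as-is
  * exactly 64 hex characters: hex-decoded
  * anything else: SHA-256 of the whole file
"""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from typing import Optional


def _hash_tag(key: bytes) -> str:
    """First 4 bytes of SHA-256(key), uppercase hex, as KeePass writes it."""
    return hashlib.sha256(key).digest()[:4].hex().upper()


def generate_keyfile_v2(key: Optional[bytes] = None) -> str:
    """Return the text of a KeePass XML key file, version 2.0.

    With no argument, 32 fresh random bytes from the OS CSPRNG are used.
    """
    if key is None:
        key = secrets.token_bytes(32)
    hexkey = key.hex().upper()
    # KeePass groups the hex into 8-character blocks, 4 blocks per line.
    groups = [hexkey[i:i + 8] for i in range(0, len(hexkey), 8)]
    lines = ["\t\t\t" + " ".join(groups[i:i + 4]) for i in range(0, len(groups), 4)]
    data = "\n" + "\n".join(lines) + "\n\t\t"
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<KeyFile>\n"
        "\t<Meta>\n\t\t<Version>2.0</Version>\n\t</Meta>\n"
        "\t<Key>\n"
        f'\t\t<Data Hash="{_hash_tag(key)}">{data}</Data>\n'
        "\t</Key>\n"
        "</KeyFile>\n"
    )


def _parse_xml_keyfile(content: bytes) -> Optional[bytes]:
    """Return the key from an XML key file, or None if content is not one."""
    try:
        root = ET.fromstring(content)
    except (ET.ParseError, ValueError):
        return None
    if root.tag != "KeyFile":
        return None
    version = (root.findtext("Meta/Version") or "").strip()
    data_el = root.find("Key/Data")
    if data_el is None or data_el.text is None:
        raise ValueError("XML key file without a Key/Data element")
    text = "".join(data_el.text.split())  # whitespace is not part of the data
    if version.startswith("2."):
        key = bytes.fromhex(text)
        expected = data_el.get("Hash")
        # The hash is an integrity check against a damaged file, not a
        # secret; a mismatch means the key bytes are wrong, so refuse them.
        if expected is not None and expected.upper() != _hash_tag(key):
            raise ValueError("key file hash mismatch: the file is corrupted")
        return key
    return base64.b64decode(text)  # version 1.0 (or no version): base64


def parse_keyfile(content: bytes) -> bytes:
    """Return the key material a KeePass-compatible client derives from the file."""
    xml_key = _parse_xml_keyfile(content)
    if xml_key is not None:
        return xml_key
    if len(content) == 32:
        return content
    if len(content) == 64:
        try:
            return bytes.fromhex(content.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # 64 bytes that are not hex: fall through to the hash
    return hashlib.sha256(content).digest()


if __name__ == "__main__":
    text = generate_keyfile_v2()
    print(text)
    print("round-trip ok:", len(parse_keyfile(text.encode())) == 32)
```

Note that the hash in a 2.0 file only detects accidental damage; it does not authenticate the file, and the key bytes themselves are used directly as part of the composite key, so the file must be stored and backed up with the same care as the password.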
Sure, I'm on Discord, although I think I would prefer the forum for most things https://forum.authpass.app/ .. just post something in the contributors category for discussions/questions. I think it's easier to search, discover and reference.
@hpoul cool man. Thanks for keeping the updates.
Hey @hpoul, you said that the master password is stored in memory, right? Could you show me how one can access it? Thanks
hmm? it's stored in the
Oh okay, I see. To keep things uniform, we should only generate the keyfile with the password, right? Is it possible to first convert back to the password with that hash?
Just discovered this project, it's great and targets a bunch of use cases. I suggest adding some form of native hardware-secured encryption, at least in the keyfile master decryption key context. I am going to study how you used the win32 API wrapper to the credstore and see if I can port a Windows TPM C++ API into Dart for starters. I think that the hardware protection could help improve security of any master key. The HSM/TPM can log and protect at the hardware level as a form of two-factor auth. It has some admin reset options that can be secured offline, logs, etc. My goal by using the TPM would be to enable the passive encryption/decryption of more data and to enable hardware-validated SSH or TLS authentication to multiple services all via passwords saved in an AuthPass vault.
@datocrats-org the Windows credstore is simply accessed using dart:ffi. (The interface itself was actually contributed to the win32 pub package.) I don't have any experience with TPM. But I doubt it could be too useful. Even if it provides some form of 2nd factor, it would be bound to one specific machine (as far as I understand it), which is not really desirable in a world where everyone has at least another smartphone and maybe a tablet, and other devices. The only thing which could make sense for a 2nd factor might be implementing U2F/FIDO support (i.e. YubiKeys).
@datocrats-org As I said, I have no idea about TPM, but this makes no sense to me. What do you mean by "hardware validated" in this case? To me this would only make sense if you would store the client certificates actually inside the hardware, and don't use passwords stored in AuthPass. Anything provided by AuthPass can't be "hardware validated", as AuthPass does not run on TPM hardware 🤔️
When changing the master password, users should be able to choose a keyfile.
We should also offer a way to generate a keyfile.