image provider

Password Protector


Disclaimer

This essay does not describe an existing computer program, just one that should exist. This essay is about a suggested student project in Java programming. This essay gives a rough overview of how it might work. I have no source, object, specifications, file layouts or anything else useful to implementing this project. Everything I have prepared to help you is right here.

This project outline is not like the artificial, tidy little problems you are spoon-fed in school, when all the facts you need are included, nothing extraneous is mentioned, the answer is fully specified, along with hints to nudge you toward a single expected canonical solution. This project is much more like the real world of messy problems where it is up to you to fully the define the end point, or a series of ever more difficult versions of this project and research the information yourself to solve them.

Everything I have to say to help you with this project is written below. I am not prepared to help you implement it; or give you any additional materials. I have too many other projects of my own.

Though I am a programmer by profession, I don’t do people’s homework for them. That just robs them of an education.

You have my full permission to implement this project in any way you please and to keep all the profits from your endeavour.

Please do not email me about this project without reading the disclaimer above.

This is a sort of software wallet for passwords. I have dozens of passwords and CD-keys. There is no way I can remember them all. It is not wise to have them all recorded in a flat file anyone could snoop at, or on a piece of paper in a desk drawer. This program remembers your passwords and stores them in a secure encrypted way.

This way the user needs to remember only one password or pass phrase. You can record a hint to help him remember it if he forgets. If he forgets he loses everything.

The program has two types of entry: regular and secure. In regular mode the passwords/CD-keys are displayed. You never have to type blind. In secure mode, password/CD-keys are never displayed on the screen, even when you are typing them. You have to type passwords twice to be sure you typed correctly. Every field has its own radio button to determine type.

It works like this. You make up a new entry: give it a label, say Sun Developer Site Access Then you can create additional fields and name them, e.g. login, password and fill in the blanks. You can select the most common types of field by radio button: login-id, password, CD-KEY. Beside each field is a radio button for selecting display/hide i.e. regular/secure.

You can click on an entry and have it sucked up into the clipboard for pasting elsewhere. See the ISBN amanuensis for sample code to examine and set the clipboard. Ideally you would coordinate with Clipmate, or use a hot key, or do something very clever so that you could have a PowerPaste, paste each field of the entry in succession.

The program encrypts the entire password file and makes sure no unencrypted copy of it is ever left unwiped on disk. You gain access to the file with a common pass phrase. If you forget the passphrase there is an optional hint, hopefully composed cleverly to help you remember, but not enough to give a snoop any assistance.

Note that the passphrase or its HashCode is never recorded anywhere in the file. To ensure snoops cannot scavenge, remember to wipe (clear to 0) any array or temporary file containing unencrypted data or the passphrase before exiting, or after a time delay of inactivity.

Protecting the passwords file is not the same problem as having a file of digests that can verify if a password typed is correct, as is commonly done in Linux/Unix. You need to store and protect the actual passwords.

How do you do the encryption? I propose three possible techniques. You might like to think up others:

  1. Weak encryption: Take the HashCode of the passphrase and use it to seed the random number generator. Use the random generator to generate a stream of bytes. XOR (exclusive OR) these with the file to either encode or decode it. See Random Numbers.
  2. Stronger encryption: Bone up on the PGP (Pretty Good Privacy) private/ public key algorithm. Use the PGP public key to encrypt the file and the private one to decrypt it. There may be an API (Application Programming Interface) for the code in PGP itself. Do some digging.
  3. Read up the security entry in the Java & Internet Glossary. Use one of the more advanced encryption techniques such as DES (Data Encryption Standard), Blowfish, whatever you can find code for. You might find an API for PGP, or in a pinch you could use the exec interface.
  4. See digital signatures. The primarily talk about asymmetric public/private key algorithms which tend to be quite slow. You probably want some faster symmetric technique.
  5. Check out JCE (Java Cryptography Extension) API spec from SUN (Stanford University Network), with implementation for the USA from SUN and one for the rest of the world from ABA (Australian Business Access).
  6. The open source Password Safe from Counterpane Labs uses the Blowfish cipher. You might do likewise.
The program would have a simple integrated backup/restore that does nothing more elaborate than copy the encrypted file to or from floppy.

If you have access to a Java powered hand-held unit, aka a cellphone, you might develop this as an application for it. Ideally it could send the codes into apps via a special keyboard intercept attachment or an IR beam. It might even form the basis of a general lock system to handle all IR activated locks. You could invent a cheap IR lock that sends a challenge phrase that needs to be encrypted and sent back. The handheld unit contains all the public and private keys necessary to deal with all the locks in your life. It might even be useful to simulate something like a car remote to prevent children playing with the remote from accidentally starting the car in a closed space and gassing the family to death.

See Gator, a commercial program that remembers your passwords and inserts them for you automatically while your are browsing. It optionally require you to key a password to access your passwords. It works only inside Internet Explorer. It is not suitable for remembering general passwords. See PassSafe on opensource password protector.

Once you have solved this, you can make it obsolete by talking sites into using your password eliminator.

KeePass

This page is posted
on the web at:

http://mindprod.com/project/passwordprotector.html

Optional Replicator mirror
of mindprod.com
on local hard disk J:

J:\mindprod\project\passwordprotector.html
logo
Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

IP:[65.110.21.43]
Your face IP:[54.204.198.71]
You are visitor number