PwdManLib - Password Management Libraries

Problem:

Security is an ever-increasingly complex field, and taking into consideration all of the factors that go into securing user accounts during the software engineering lifecycle is an immense task. Many companies and developers find their zero-days / security holes AFTER deployment of their systems, which exposes their users to data loss, identity theft, and financial issues, which in turn lowers the company's credibility and can cost the company and its developers both time and money.

Solution:

What if the development team was able to build their system without writing their own account management system? That is exactly the goal of PwdManLib: to make a set of security tools that is tested and confirmed by the community. This project aims to implement a set of C/C++ libraries for developers to use in user / account password management. These tools are aimed at making user / account management easier for developers to implement in their projects.

Requirements:

  1. The project should be open source and FREE for anyone to use.
  2. The libraries should be extensible and pluggable with multiple frameworks.
  3. Security should be built-in and have an abstraction layer for development use.
  4. Should be cross-platform compatible, including mobile devices.
  5. Users should be able to store passwords from multiple accounts in one place.
  6. Password hashes, salts, and accounts should be stored on a remote / cloud DB.
  7. Must support SSL / HTTPS and other encrypted networking protocols.
  8. Libraries should include support for authentication, including multi-factor auth.
  9. Multiple forms of encryption should be available, including:
    • standard encryption algorithms: Triple DES, RSA, Blowfish, Twofish, AES
  10. Support for hashing passwords must be included, using:
    • standard hashing algorithms: SHA256, SHA512, RIPEMD, or WHIRLPOOL
  11. Support for hashing passwords with key-stretching algorithms:
    • standard key-stretching hash algorithms: PBKDF2, bcrypt, scrypt, Argon2
  12. Support for captcha and account lockout handling.
  13. Support for time-limited, token-based automated password recovery through email.
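As an added illustration of requirements 10 and 11 (this is not PwdManLib code, which targets C/C++; it uses only the Python standard library), the following shows salted, key-stretched password hashing with a self-describing storage record, constant-time verification, and a check for records that need re-hashing when the work factor is raised. The record format `algo$iterations$salt$hash` and the iteration count are assumptions for the example.

```python
# Added example (not PwdManLib code): salted, key-stretched password hashing
# (requirements 10 and 11) with a self-describing storage record and
# constant-time verification. Python standard library only.
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGO = "pbkdf2-sha256"
ITERATIONS = 600_000   # current work factor (assumed); raise it as hardware improves
SALT_BYTES = 16
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'algo$iterations$salt$hash' for storage in the accounts DB."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored record; raises ValueError on a malformed one."""
    algo, iters, salt, dk = record.split("$")
    return algo, int(iters), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iterations; compare in constant time."""
    try:
        algo, iters, salt, stored = parse_record(record)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters, dklen=len(stored))
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str) -> bool:
    """True when the record predates the current algorithm or work factor."""
    algo, iters, _, _ = parse_record(record)
    return algo != ALGO or iters < ITERATIONS
```

Because the iteration count travels with the record, old hashes keep verifying after the policy changes, and `needs_rehash` lets a login handler upgrade them transparently.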
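Requirement 13 calls for time-limited, token-based recovery; the added example below (again Python standard library, not the project's C/C++ code) issues single-use recovery tokens that expire, stores only a hash of each token so a leaked table does not expose live links, and voids a token after a fixed number of wrong guesses, in the spirit of the lockout handling in requirement 12. The in-memory store, the 15-minute lifetime and the guess limit are constructed for the example.

```python
# Added example (not PwdManLib code): time-limited, single-use recovery tokens
# (requirement 13) with a guess limit in the spirit of requirement 12's lockout.
# Only a hash of each token is stored. Python standard library only.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of an e-mailed recovery link
MAX_ATTEMPTS = 5              # assumed wrong guesses allowed before the token is voided


class RecoveryTokens:
    """In-memory store (constructed): account_id -> (token_hash, expires_at, attempts_left)."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._pending: Dict[str, Tuple[bytes, float, int]] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, account_id: str, now: Optional[float] = None) -> str:
        """Mint a fresh token to e-mail to the user; any earlier token is replaced."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._pending[account_id] = (self._digest(token), now + self.ttl, MAX_ATTEMPTS)
        return token

    def redeem(self, account_id: str, token: str, now: Optional[float] = None) -> bool:
        """True exactly once for the right token before expiry; afterwards the token is gone."""
        now = time.time() if now is None else now
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        stored_hash, expires_at, attempts_left = entry
        if now > expires_at:
            del self._pending[account_id]        # expired: discard
            return False
        if not hmac.compare_digest(self._digest(token), stored_hash):
            attempts_left -= 1
            if attempts_left <= 0:
                del self._pending[account_id]    # too many wrong guesses: void it
            else:
                self._pending[account_id] = (stored_hash, expires_at, attempts_left)
            return False
        del self._pending[account_id]            # single use
        return True
```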

Features:

These are some of the proposed features that we would like to implement in the future, once requirements have been met.

  • Import From Browsers
  • Import From Competitors
  • Multi-Factor Authentication
  • Export Data
  • Automatic Password Capture
  • Automatic Password Replay
  • Fill Web Forms
  • Multiple Form-Filling Identities
  • Actionable Password Strength Report
  • Browser Menu Of Logins
  • Application Passwords
  • Secure Sharing
  • Digital Legacy

Alternatives:

These are some of the alternative solutions that were considered / compared to solve this problem.

  • Flask-Login
  • Flask-Security
  • PHPSEC Password Management
  • Google Keyczar
  • Java crypto.spec
  • GuardianProject cacheword
  • Master Password
  • PHP Password Library

Project Timeline:

The timeline as of writing will end with the initial release, 1.0.0A.
This project will be started as an academic project, and this timeline corresponds to a weekly schedule as such.
From the initial release onward, the timeline will reflect a schedule up to the next release date.
Dates and release details will be determined by the community of committers to the project.


    Week1:
    Finish documentation for the project, including a contributing.md page, and define the initial project structure / architecture. Define the API structure (if needed) and the usage of the libraries in detail.

    Week2:
    Define dependencies and the frameworks / platforms that will be supported, and how. Start construction of hashing and encryption utilities (using libraries for the crypto).

    Week3:
    Test and debug the hashing / encryption utils. Define interfaces for framework communication and adapters as needed. Define the network architecture and start construction of interfaces.

    Week4:
    Construction of network interfaces and of plugins for the initially supported frameworks continues. Define authentication methods for the initial release and start construction of the auth libraries.

    Week5:
    Test and debug the network, auth, and interface libraries. Thorough vetting of the auth process occurs. Define the methods and routines needed for password recovery and captcha verification.

    Week6:
    Finish / close out any outstanding issues and ensure all major bugs are fixed. Test, debug, and confirm that all functionalities needed for the initial release / requirements are met. Code cleanup and documentation additions as needed. Minor bug fixes if time permits.


Contributing:

Guidelines for contributing to the project can be found within this repo, in CONTRIBUTING.md.

Contact:

To contact the project director for more information or to provide feedback, please see the following links:

Website: devopsec.net

Github: github.com/devopsec

Updates:

Project is kicking off! Expect more updates to documentation, adding dependencies to the tree, some architecture definitions and preliminary structures / wrappers.
Also, note that the project will be licensed under Apache License V2 now instead of GPL, to be more openly consumable and flexible for anyone to use the libraries!
Many changes coming upstream; the underlying architecture has been laid out, although much of it still needs wrappers.
The server is close to complete and the database is well underway as well. Many neat OOP functions nested in there too.
Biicode as a dependency is being deprecated as well, and we are going with bash scripts for dependencies and make or cmake for build.
Alpha release is on hold. The first iteration of development on this project has finished. SSL cert validation is currently broken and needs to be vetted.