Application:Encrypted Password Database [localised]


Post by collectordave »

Hi All

So many passwords so decided to create a small database to hold them all. The database stores the Service, UserName and Password. All passwords are stored in encrypted form so no clear text available to the casual browser. You can easily change the code to store Service and UserName in encrypted form as well if you wish.

The programme requires a password at startup to run.

Notes on use. You need a main password, this is set to "abc123" in the download, this can be changed using the password encryption programme in this post http://www.purebasic.fr/english/viewtop ... &hilit=key This one you must remember as no password is stored in clear text form anywhere in your programme.

I actually keep the programme and database on a separate USB stick which I keep with me for extra security. You can as well change the main database password encryption to a different type for more security, I have used the same throughout in the example to ease writing and understanding.

The programme is localised for English, French, German and Italian let me know of any translation messes.

The code is available here: https://github.com/collectordave/PureBa ... d-Database

Any problems post here.

Enjoy

cd
Last edited by collectordave on Sat Jan 21, 2017 10:48 am, edited 1 time in total.
Any intelligent fool can make things bigger and more complex. It takes a touch of genius — and a lot of courage to move in the opposite direction.

Re: Encrypted Password Database [localised]

Post by doctorized »

I run the program. I give abc123 for password to continue. I write the info in the text boxes. Then, whatever I press, the "add" button, the "save edits" one, both of them, I never see the password in some way. Passwords.db file has the same CRC as before running the program.

EDIT: I took a look in the encryption procedure. The code runs only if password is <= 32 bytes length. If the user gives a bigger one, they should be warned or the program should take care of the big password in some way.

Re: Encrypted Password Database [localised]

Post by infratec »

Hi,

why you reinvent the wheel :?:
Only a question, sometimes it makes sense, when you want to include it in another program.

I use keepass (freeware) with many features inside, like
auto typing
cleaning the clipboard
ported also to android, linux, osx
...

http://keepass.info/

Bernd

Re: Encrypted Password Database [localised]

Post by doctorized »

infratec wrote: why you reinvent the wheel :?:
This code could be part of a much bigger app that supports many things and where password management is needed.
I spent time with it because I wanted to see what type of encryption is used. I have a program of mine that already uses 256bit AES encryption and I wanted to see if I could find a better one.

Re: Encrypted Password Database [localised]

Post by collectordave »

@infratec wrote
why you reinvent the wheel :?:
After an admittedly quick search on the forum I could not find an example of using encryption with an sqlite database. So programmed one. So I do not see it as reinventing the wheel. It is also part of a larger programme. When all is said and done Notepad and separate USB stick is enough for personal passwords.

Main reason though is that I actually enjoy coding with PureBasic I believe others do too and finding examples written in PureBasic of things I would like to do for me is paramount. So I also post anything I do for others to browse and get ideas.

Re: Encrypted Password Database [localised]

Post by collectordave »

Hi doctorized

My mistake somehow.

Line 266 of winmain.pb should be

Code:

  Criteria = "INSERT INTO Service (PDBService,PDBUserName,PDBPassword) VALUES ('" + NewService + "','" + NewUserName + "','" + NewPassword + "');"
Missed username out of that part so no update.

Change that line then run. After adding one password etc it will be displayed. After two or more you can look through them as the navigation buttons are enabled.

regards

cd
Any intelligent fool can make things bigger and more complex. It takes a touch of genius — and a lot of courage to move in the opposite direction.
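
The same INSERT with bound parameters, as an added example that is not collectordave's code. The table and column names come from the corrected line in the post above; `AddService`, the in-memory database and the sample values are constructed for the demonstration. With concatenation, a quote character inside a service name or user name ends the SQL literal early and changes the statement; bound values are passed to SQLite as data.

```purebasic
; Added example, not the project's code. Table and column names are taken
; from the post; everything else is constructed for the demonstration.
EnableExplicit
UseSQLiteDatabase()

#DB = 0

; Insert one record. The three values are bound to the ? placeholders,
; so their content is never parsed as part of the SQL text.
Procedure.i AddService(Service.s, UserName.s, EncPassword.s)
  SetDatabaseString(#DB, 0, Service)
  SetDatabaseString(#DB, 1, UserName)
  SetDatabaseString(#DB, 2, EncPassword)
  ProcedureReturn DatabaseUpdate(#DB, "INSERT INTO Service (PDBService,PDBUserName,PDBPassword) VALUES (?, ?, ?);")
EndProcedure

If OpenDatabase(#DB, ":memory:", "", "")
  DatabaseUpdate(#DB, "CREATE TABLE Service (PDBService TEXT, PDBUserName TEXT, PDBPassword TEXT);")

  ; Constructed sample: the apostrophe would break a concatenated statement.
  If AddService("Dave's Bank", "cd", "<ciphertext placeholder>")
    If DatabaseQuery(#DB, "SELECT PDBService, PDBUserName FROM Service;")
      While NextDatabaseRow(#DB)
        Debug GetDatabaseString(#DB, 0) + " / " + GetDatabaseString(#DB, 1)
      Wend
      FinishDatabaseQuery(#DB)
    EndIf
  Else
    Debug "Insert failed: " + DatabaseError()
  EndIf

  CloseDatabase(#DB)
EndIf
```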

Re: Encrypted Password Database [localised]

Post by doctorized »

collectordave wrote: Line 266 of winmain.pb should be

Code:

  Criteria = "INSERT INTO Service (PDBService,PDBUserName,PDBPassword) VALUES ('" + NewService + "','" + NewUserName + "','" + NewPassword + "');"
Now it works. In ClearGadgets(), SetGadgetText(#txtUserName,"") is missing.

Re: Encrypted Password Database [localised]

Post by IdeasVacuum »

why you reinvent the wheel :?:
Well, you surely do not want to trust your password store/management with freeware, whose developer you know nothing about? One day that app might phone home and hand-over all your details...........
IdeasVacuum
If it sounds simple, you have not grasped the complexity.

Re: Encrypted Password Database [localised]

Post by collectordave »

Thanks doctorized

Added code to main download including the cleartext bit.

Regards

cd

Re: Encrypted Password Database [localised]

Post by infratec »

Off Topic:
IdeasVacuum wrote: Well, you surely do not want to trust your password store/management with freeware, whose developer you know nothing about? One day that app might phone home and hand-over all your details...........
:mrgreen: :mrgreen: :mrgreen:

Oh sh.. I use linux which stores my user account and it is freeware... and I never met Linus and the other GNU guys
But maybe it is better to use Windows, because then I know better what they are doing with my account settings, but I paid for it.

Ironic Off

Back to topic:

I wrote that it makes sense if you want to use it in another program.
But for a standalone app (or better exe) to save my passwords it would be reinventing the wheel.
KeePass is also 'portable' and you can store the file on a USB stick or in your smartphone.

And if you want to be safe, you have also to clean the variables after usage, because else the encrypted stuff is in the memory and can be sniffed.

Bernd

Re: Application:Encrypted Password Database [localised]

Post by collectordave »

Updated for PB 5.6B6 same link as above.

Updated functionality as well.

Regards

cd

Re: Application:Encrypted Password Database [localised]

Post by Keya »

After logging into your app the cleartext password (default 'abc123') remains in memory, at least on my quick check in Windows (didn't check other OS). It is not in memory before logging in (it still requires somebody with the password to log in), but for example when a valid user has logged in and then walks away to take a phonecall and a corrupt/malicious employee inserts their USB stick to dump process memory.

Re: Application:Encrypted Password Database [localised]

Post by collectordave »

Cheers keya

I did not destroy or reassign the variable etc after a successful login.

Fingers crossed it should be fixed now.

Regards

cd

Re: Application:Encrypted Password Database [localised]

Post by Keya »

collectordave wrote: I did not destroy or reassign the variable etc after a successful login.
You're only overwriting the first 4 bytes though:

Code:

If CheckPassword = MainPassword 
              CheckPassword = "Bye"
but your fussy customers demand:

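Code:

#MAXPASS=256  ;longest possible/allowed (so attacker can't learn length info)
; CheckPassword's buffer must be at least #MAXPASS bytes, or this writes past its end
If OpenCryptRandom()
  CryptRandomData(@CheckPassword, #MAXPASS)  ;overwrite buffer with secure random bytes
  CloseCryptRandom()
EndIf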
Fingers crossed it should be fixed now.
Sorry Dave, we can't accept that response hehe, I'll PM you shortly
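
Wiping a password without writing past the end of its buffer, as an added example in PureBasic that is not code from this thread or from collectordave's project. `WipeBuffer` and `*Pass` are hypothetical names, the sample password is constructed, and the code assumes PureBasic string variables are null-terminated buffers sized to their content. It covers both cases raised above: an ordinary string variable, and a fixed-size buffer that hides the password length.

```purebasic
; Added example, not the project's code. Names are hypothetical.
EnableExplicit

#MAXPASS = 256   ; fixed buffer size in bytes, same value as in the post above

; Overwrite exactly ByteLen bytes at *Buffer with random data, then zero
; them so a string variable is left as a valid empty string.
Procedure.i WipeBuffer(*Buffer, ByteLen)
  If *Buffer = 0 Or ByteLen <= 0
    ProcedureReturn #False
  EndIf
  If OpenCryptRandom()
    CryptRandomData(*Buffer, ByteLen)
    CloseCryptRandom()
  EndIf
  FillMemory(*Buffer, ByteLen, 0)
  ProcedureReturn #True
EndProcedure

; Case 1: ordinary string variable. Assigning a new value such as "Bye"
; only rewrites the first few bytes, so wipe the whole current content
; first. The size comes from the string itself, never from a constant.
Define CheckPassword.s = "abc123"   ; constructed sample value
WipeBuffer(@CheckPassword, StringByteLength(CheckPassword))
Debug "Length after wipe: " + Str(Len(CheckPassword))

; Case 2: fixed-size buffer. Every password occupies #MAXPASS bytes, so
; wiping the full buffer is always in bounds and reveals no length.
Define *Pass = AllocateMemory(#MAXPASS)
If *Pass
  ; Leave room for the terminating null character.
  PokeS(*Pass, "abc123", (#MAXPASS / SizeOf(Character)) - 1)
  ; ... compare or derive the key from *Pass here ...
  WipeBuffer(*Pass, #MAXPASS)
  FreeMemory(*Pass)
EndIf
```

This clears only the buffers it is given; copies held elsewhere, such as the text still sitting in the password gadget, have to be cleared separately.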

Re: Application:Encrypted Password Database [localised]

Post by skywalk »

Yeah, I prefer homegrown apps for passwords and backup.
I have no doubt that keepass and others are way better than my code, but the same is true of hackers seeking honey pots like keepass/lastpass's hidden servers.

To that end, your critical passwords should never be stored anywhere.
Only save clues to solve them.
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum