Comments (6)
It's impossible to have this feature if all designs are implemented correctly. You can actually prove this (1). And by the proof, you can know that your passwords in all password managers that can be automatically upgraded are also accessible to the website admin (2).
Proof of (1): Suppose we have such a routine which maps the old password R into the new password H, and our raw password is P. We know R = AES(f(P), sk); H = AES(g(P), sk). Thus the map p: R -> H would be:
p(R) = AES(g(f^(-1)(AES^(-1)(R)))), i.e. p = AES ∘ g ∘ f^(-1) ∘ AES^(-1), with p(R) = H
Our assumption here is that you can't solve AES and you don't know P (actually, you don't know g and f inverse as well without sk). It's obvious that g ∘ f^(-1) won't give an identity map, and the elements in the function composition are not commutative. So you have no way to cancel AES and AES^(-1). Thus, you can't have such a map p in explicit form. Actually, even if you can solve AES, the confusion algorithm is still unsolvable without conf_key.
Proof of (2): On the other hand, suppose we have a password manager that can upgrade the algorithm without the involvement of users. Let's say the old algorithm gives map f, and the new one gives map g. Now let the new map be e (the identity map), and upgrade. Since e(a) = a, you have all passwords in plaintext in your database.
from password-manager.
We could save the version number of the data for every user.
Then on login we could check this and offer the user an upgrade in his browser.
If you don't change the algorithm, upgrading without user action should be possible (as it was when I implemented tags).
from password-manager.
It's like writing a decrypter JS and an encrypter JS for each version: using the old version's decrypter gives you P and the new encrypter gives you H.
Is it really different from keeping old versions (use a new database for the new version) and asking users to export from the old version and import to the new version? (I.e. backup -> extract raw -> import)
from password-manager.
Yes, because this way the admin has to keep the old version until everybody did the backup. And there is no way of knowing whether everybody has done it.
from password-manager.
Ok. I'll think about implementing it in the next algorithm update.
from password-manager.
I think the password manager is mature now. I don't have further plans to upgrade the algorithm (at least in the near future...). Though I'll still implement the history track, IP block and fields customization. So I'll close this issue for now.
from password-manager.