Category: Password Store Component

Registered Project and Released 1.0

Ok, that's not new news, since it's been done last year. Still, this site didn't record the change to the work that happened on the password store component on a purely organizational level, so here's my chance to catch up:

  • Password Store is now a component registered with Go to the com_passwords project if you want to download the latest and greatest, or if you want to log bugs, suggest improvements or (God forbid!) help out with development
  • Password Store is now an extension registered with That's an important step, since most people don't use directly. This second step actually just started, as I filed today, but I am hopeful the administrators will give me a chance to publish this.

Next, of course, the plugin/mambot that searches within notes. And, even more of course, improvements to the terribly lame user interface that came with the underlying content store. 

Completed Password Store in Record Time

So, in less than a few hours, I completed the password store component for Joomla. That's partially because I worked from a different component that had most of the options I needed, but partially also because I could easily use the Joomla infrastructure, which requires little in the way of learning.

Of course, while it's a functional component, it's still not at 1.0. Hardcoded strings (they are in the original, too), incomplete removal of spurious options, you know, that stuff. So I'll continue cleaning up for a bit, then publish.


Heady Progress on Passwords Front

In just one major bored morning, I made huge progress with the passwords store component. You can now enter notes, the content will be filtered out and strong formatting will be stripped from regular view. Editing a note works, as does showing the list and the entry.

The piece missing now is the cookie for the passphrase storage. There I need to add the page that requests the passphrase, the one that allows you to create the passphrase, and the session cookie that will store the passphrase, encrypted using the master passphrase and the day (so that cookies expire every day). 
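One way the day-bound cookie described above could be built, as an added example in PHP (Joomla's language) that is not the component's own code: the encryption key is derived from a server-side secret plus the current UTC date, so a cookie sealed yesterday no longer decrypts today. It assumes the "master passphrase" is a high-entropy secret kept on the server; the function names, the per-user binding and the sample values are hypothetical.

```php
<?php
// Added example, not from the component. $serverSecret stands in for the
// post's "master passphrase" (assumption: high-entropy, server-side only).
const PSC_CIPHER = 'aes-256-gcm';

// Derive a 32-byte key that is valid for one user and one UTC calendar day.
function psc_day_key(string $serverSecret, int $userId, string $day): string
{
    return hash_hkdf('sha256', $serverSecret, 32, "psc-cookie|$userId|$day");
}

// Encrypt the passphrase; the result is base64(nonce || tag || ciphertext).
function psc_seal(string $passphrase, string $serverSecret, int $userId, ?string $day = null): string
{
    $day   = $day ?? gmdate('Y-m-d');
    $nonce = random_bytes(12);          // fresh nonce for every cookie
    $tag   = '';
    $ct    = openssl_encrypt($passphrase, PSC_CIPHER,
        psc_day_key($serverSecret, $userId, $day), OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

// Returns the passphrase, or null when the cookie is malformed, modified,
// issued for another user, or sealed on a different day.
function psc_open(string $cookie, string $serverSecret, int $userId, ?string $day = null): ?string
{
    $day = $day ?? gmdate('Y-m-d');
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= 28) {   // 12-byte nonce + 16-byte tag
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), PSC_CIPHER,
        psc_day_key($serverSecret, $userId, $day), OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;
}

// Constructed sample values: seal on one day, open on the same and the next.
$secret = random_bytes(32);
$cookie = psc_seal('correct horse', $secret, 42, '2024-05-01');
var_dump(psc_open($cookie, $secret, 42, '2024-05-01')); // same day
var_dump(psc_open($cookie, $secret, 42, '2024-05-02')); // following day
var_dump(psc_open($cookie, $secret, 43, '2024-05-01')); // different user
```

Because the day is part of the key derivation, expiry does not depend on the browser honouring a cookie lifetime. Setting the cookie with the Secure and HttpOnly flags keeps the sealed value off plain HTTP and out of reach of page scripts.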

Using built-in content?

Looking at the note table, I realized it looks A LOT like the standard Joomla content table. Should I have used that one as a content store? After all, the content offers two locations for the message (intro and fulltext) and all the other goodies (except for last access time).

In the end, I decided against it. Creating a new table is cheap, and putting stuff in content means I have to version PSC at the same time as Joomla versions its content store. Better to leave things as they are, and create a separate table. 

PSC Database Structure

After thinking about the component, it's time to define how it is going to work within the Joomla framework.

We will need two database tables:

  1. The per-user settings like passphrase, security question, etc.
  2. The notes themselves, tied to users

The first table needs to have the user id as primary key. Other columns will be:

  • encrypted passphrase
  • encrypted temporary passphrase
  • security question
  • encrypted answer to security question

The second table will be more complex and have the following columns in addition to an integer ID:

  • note title
  • note text (safe)
  • note text (encrypted)
  • creation time
  • last modification time
  • last access time
  • folders (for later use and expansion) 


Password Store Component

I decided I need to do something useful with my spare time, and instead of continuing with useless trial projects, I will create a component that is of general use: a note taking tool that allows for strong encryption, defines password areas, and uses its own authentication scheme. It is meant to store user account information in a secure fashion.

Given the amount of security coding I do, I have a clear idea of what I want: the component will store per-user specific notes whose first line becomes the title of the note. The content will be split in two categories: sensitive and highly sensitive. Sensitive content will not be encrypted in the database (but fully protected by the component). Highly sensitive content (essentially, passwords) will be encrypted using a specific passphrase. 

Users can search for a note, get the content, then enter the passphrase if they want to see the actual passwords. 

In addition to the note text, the system will keep metadata such as note creation and note modification, as well as note last access time.