Marco's Blog

All content personal opinions or work.
en eo

Password Store Component

2007-03-27 3 min read Password Store Component marco

I decided I need to do something useful with my spare time, and instead of continuing with useless trial projects, I will create a component that is of general use: a note taking tool that allows for strong encryption, defines password areas, and uses its own authentication schem. It is meant to store user account information in a secure fashion.

Given the amount of security coding I do, I have a clear idea of what I want: the component will store per-user specific notes whose first line becomes the title of the note. The content will be split in two categories: sensitive and highly sensitive. Sensitive content will not be encrypted in the database (but fully protected by the component). Highly sensitive content (essentially, passwords) will be encrypted using a specific passphrase.

Users can search for a note, get the content, then enter the passphrase if they want to see the actual passwords.

In addition to the note text, the system will keep metadata such as note creation and note modification, as well as note last access time.

What are the requirements? Here a list:

Note List Page

The notes for a particular user need to be listed in the landing page. The note list page should contain a link per note (that lands on a note detail page), a checkbox next to each link (for deletion, etc.), and a search box to search through the full text of the note (minus the highly sensitive part). From the note list page, a user should be able to enter a new note.

The list page needs to support pagination. Notes will be sortable by title, creation, last modification date, and last access date.

Note Detail Page

The note detail page should contain the scrubbed version of the note – that is, the note with the highly sensitive material masked. By entering the correct passphrase, the note can be revealed with full information on display. From the note detail page, the user should be able to edit the note (provided the passphrase is entered).

Note Entering / Note Editing

Entering is essentially editing an empty note. Editing a note occurs in a text area. If the configuration is set to allow for rich text editing, then bold is used to mark highly sensitive information. If not, then a bold tag is used <b> … </b>. Users should be able to save and cancel from the editing tool. Canceling from entering returns to the note list page. Canceling from note editing and all saving returns to the note detail page.

Entering / Changing the Passphrase

On first use, each user is asked to provide and confirm a passphrase. If later on a user wants to change the passphrase, the old passphrase needs to be provided, as well as two copies of the new passphrase. All notes are re-encrypted.

Should the user have forgotten his or her passphrase and if an email address is registered, a security challenge question will be asked. If the user answers the security question correctly, a new passphrase will be sent to the user. On first access, the temporary passphrase will be disabled and a new permanent passphrase must be entered.

Notes Module

In addition to the component, there will be a module that fits the search box and the last n accessed notes. A link in the module will allow direct access to the list page.