Password Protector

This essay does not describe an existing computer program, just one that should exist. This essay is about a suggested student project in Java programming. This essay gives a rough overview of how it might work. I have no source, object, specifications, file layouts or anything else useful to implementing this project.

This project outline is not like the artificial, tidy little problems you are spoon-fed in school, where all the facts you need are included, nothing extraneous is mentioned, and the answer is fully specified, along with hints to nudge you toward a single expected canonical solution. This project is much more like the real world of messy problems, where it is up to you to fully define the end point, or a series of ever more difficult versions of this project, and research the information yourself to solve them.

Everything I have to say to help you with this project is written below. I am not prepared to help you implement it or give you any additional materials. I have too many other projects of my own.

Though I am a programmer, I don’t do people’s homework for them. That just robs them of an education.

You have my full permission to implement this project in any way you please and to keep all the profits from your endeavour.

Please do not email me about this project without reading the disclaimer above.

This is a sort of software wallet for passwords. I have dozens of passwords and CD-keys. There is no way I can remember them all. It is not wise to have them all recorded in a flat file anyone could snoop at, or on a piece of paper in a desk drawer. This program remembers your passwords, and stores them in a secure encrypted way.

This way the user needs to remember only one password or pass phrase. You can record a hint to help him remember it if he forgets. If he forgets he loses everything.

The program has two types of entry: regular and secure. In regular mode the passwords/CD-keys are displayed. You never have to type blind. In secure mode, passwords/CD-keys are never displayed on the screen, even when you are typing them. You have to type passwords twice to be sure you typed correctly. Every field has its own radio button to determine type.

It works like this. You make up a new entry: give it a label, say "Sun Developer Site Access". Then you can create additional fields and name them, e.g. login, password, and fill in the blanks. You can select the most common types of field by radio button: login-id, password, CD-KEY. Beside each field is a radio button for selecting display/hide, i.e. regular/secure.

You can click on an entry and have it sucked up into the clipboard for pasting elsewhere. See the ISBN amanuensis for sample code to examine and set the clipboard. Ideally you would coordinate with Clipmate, or use a hot key, or do something very clever so that you could have a PowerPaste, paste each field of the entry in succession.

The program encrypts the entire password file, and makes sure no unencrypted copy of it is ever left unwiped on disk. You gain access to the file with a common pass phrase. If you forget the passphrase there is an optional hint, hopefully composed cleverly to help you remember, but not enough to give a snoop any assistance.

Note that the passphrase or its HashCode is never recorded anywhere in the file. To ensure snoops cannot scavenge, remember to wipe (clear to 0) any array or temporary file containing unencrypted data or the passphrase before exiting, or after a time delay of inactivity.

Protecting the passwords file is not the same problem as having a file of digests that can verify if a password typed is correct, as is commonly done in Linux/Unix. You need to store and protect the actual passwords.
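
One way to meet the requirements above with the standard JCE classes, as an added example that is not code from this page: the file holds only a random salt, an IV and the ciphertext, never the passphrase or a hash of it, and secret arrays are cleared after use. The class name, file layout, iteration count and the choice of PBKDF2 with AES-GCM are assumptions of this example.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import static java.nio.charset.StandardCharsets.UTF_8;

public class VaultCrypto {
    static final int SALT = 16, IV = 12, TAG_BITS = 128, ITERATIONS = 600_000; // assumed parameters
    // Derive the AES key from the passphrase. Neither the passphrase nor a hash of it is stored.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            SecretKey key = new SecretKeySpec(raw, "AES"); // SecretKeySpec keeps its own copy
            Arrays.fill(raw, (byte) 0);                    // wipe the temporary key bytes
            return key;
        } finally {
            spec.clearPassword();                          // wipe the spec's copy of the passphrase
        }
    }
    // File layout assumed for this example: salt || iv || ciphertext with GCM tag.
    static byte[] seal(char[] passphrase, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT], iv = new byte[IV];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); rng.nextBytes(iv);            // fresh salt and IV on every save
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(SALT + IV + ct.length).put(salt).put(iv).put(ct).array();
    }
    // A wrong passphrase or a modified file fails the tag check with AEADBadTagException.
    static byte[] open(char[] passphrase, byte[] file) throws GeneralSecurityException {
        SecretKey key = deriveKey(passphrase, Arrays.copyOfRange(file, 0, SALT));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, file, SALT, IV));
        return c.doFinal(file, SALT + IV, file.length - SALT - IV);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample data; a real UI would read the passphrase with JPasswordField.getPassword().
        char[] pass = "constructed sample passphrase".toCharArray();
        byte[] entries = "Sun Developer Site Access|login=example|password=example".getBytes(UTF_8);
        byte[] file = seal(pass, entries);
        byte[] back = open(pass, file);
        System.out.println("round trip ok: " + Arrays.equals(entries, back));
        for (byte[] b : new byte[][] {entries, back}) Arrays.fill(b, (byte) 0);
        Arrays.fill(pass, '\0');                           // clear secrets before exit
    }
}
```

Because the GCM tag authenticates the file, a mistyped passphrase is detected at decryption time without any passphrase digest being written to disk.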

How do you do the encryption? I propose three possible techniques. You might like to think up others:

  1. Weak encryption: Take the HashCode of the passphrase and use it to seed the random number generator. Use the random generator to generate a stream of bytes. XOR (exclusive OR) these with the file to either encode or decode it. See Random Numbers.
  2. Stronger encryption: Bone up on the PGP (Pretty Good Privacy) private/ public key algorithm. Use the PGP public key to encrypt the file and the private one to decrypt it. There may be an API (Application Programming Interface) for the code in PGP itself. Do some digging.
  3. Read up on the "security" entry in the Java & Internet Glossary. Use one of the more advanced encryption techniques such as DES (Data Encryption Standard), Blowfish, whatever you can find code for. You might find an API for PGP, or in a pinch you could use the exec interface.
  4. See digital signatures. They primarily talk about asymmetric public/private key algorithms, which tend to be quite slow. You probably want some faster symmetric technique.
  5. Check out JCE (Java Cryptography Extension) API spec from SUN (Stanford University Network), with implementation for the USA from SUN and one for the rest of the world from ABA (Australian Business Access).
  6. The open source Password Safe from Counterpane Labs uses the Blowfish cipher. You might do likewise.
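
Why technique 1 is labelled weak, shown as an added example that is not code from this page: `String.hashCode()` is only 32 bits, so distinct passphrases can yield the same seed and therefore the same keystream, and the scheme cannot tell a right passphrase from a wrong one. The class name and the sample strings are constructed for this example.

```java
import java.util.Arrays;
import java.util.Random;
import static java.nio.charset.StandardCharsets.UTF_8;

public class WeakXorDemo {
    // Technique 1 as described: seed Random with the passphrase's hashCode
    // and XOR the generated byte stream over the data (same call encodes and decodes).
    static byte[] xor(String passphrase, byte[] data) {
        Random rng = new Random(passphrase.hashCode());
        byte[] stream = new byte[data.length];
        rng.nextBytes(stream);
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ stream[i]);
        }
        return out;
    }

    public static void main(String[] args) {
        byte[] secret = "cd-key=AAAA-BBBB-CCCC".getBytes(UTF_8); // constructed sample entry
        String chosen = "Aa-my-passphrase";                       // what the user picked
        String other  = "BB-my-passphrase";                       // different text, same hashCode ("Aa" and "BB" collide)
        byte[] file = xor(chosen, secret);

        System.out.println("hashCodes equal: " + (chosen.hashCode() == other.hashCode()));
        System.out.println("other passphrase opens file: " + Arrays.equals(secret, xor(other, file)));
        // With no integrity check, a wrong passphrase just produces garbage bytes silently.
        System.out.println("wrong passphrase detected: false (output is simply "
                + xor("wrong", file).length + " bytes of noise)");
    }
}
```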

The program would have a simple integrated backup/restore that does nothing more elaborate than copy the encrypted file to or from floppy.

If you have access to a Java powered hand-held unit, aka a cell phone, you might develop this as an application for it. Ideally it could send the codes into apps via a special keyboard intercept attachment or an IR beam. It might even form the basis of a general lock system to handle all IR activated locks. You could invent a cheap IR lock that sends a challenge phrase that needs to be encrypted and sent back. The handheld unit contains all the public and private keys necessary to deal with all the locks in your life. It might even be useful to simulate something like a car remote to prevent children playing with the remote from accidentally starting the car in a closed space and gassing the family to death.

See Gator, a commercial program that remembers your passwords and inserts them for you automatically while you are browsing. It optionally requires you to key a password to access your passwords. It works only inside Internet Explorer. It is not suitable for remembering general passwords. See PassSafe, an open source password protector.

Once you have solved this, you can make it obsolete by talking sites into using your password eliminator.

KeePass
