开发者

Multi User Password Manager Security Strategy

I am considering creating my 开发者_JS百科own web based, multi user password management software.

The basic question that comes up is, what strategy will I use for secure storage and retrieval of passwords?

Obviously, I don't want to store information in clear text. Should I encrypt/decrypt on the database server, web server, client (javascript), or everywhere? Where will encryption keys live? Should I use a master password (pre shared key) for encryption/decryption?

Are there other questions that I should be asking myself?

I appreciate any suggestions.


A quick google search on "online password manager" revealed a number of results, including:

http://www.clipperz.com/

Can't comment to the quality of the site or their security, just responding to the first line of your post that says, "I am looking for web based, multi user password management software." It is certainly out there, and would save a lot of time versus building it yourself.


You should ask yourself "Can I, myself, obtain the actual password if I wanted to?". The answer should always be no. To achieve this, use a salted hash instead of encryption.

http://pbeblog.wordpress.com/2008/02/12/secure-hashes-in-php-using-salt/

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜