Back in 2015, I used to use the same password everywhere. It was a complex one, and I wasn't really worried about someone else finding it. But sadly this was about to change...
In late 2016 a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is, attackers employ it in an attempt to identify other online systems where the account owner had reused their password. And as you know, that was my case, so I lost access to several accounts such as my Minecraft one...
How I reacted
I then decided to use a password manager called Dashlane. It was very cool at first, but I soon encountered a problem: there was no sync between devices on the free subscription. And it was a real problem for me. That's why, after some months, I copied all my passwords into a spreadsheet (not in full plain text, more a bit obfuscated) on Google Sheets... I know this is bad, please forgive me.
The birth of my passwords space
In 2018 I was really tired of Dashlane and I decided to make my own password management solution. I wanted to make something available online, but really secure. And after several months of research I came up with my own solution.
How it works
My Passwords Space is a three-tier application composed of
- one frontend application
- one backend application used as an API
- and a database as the persistence layer
The user authenticates against the API
The user supplies a username/password pair (please note that this password is only used to authenticate against the API, not to encrypt the stored passwords). If the credentials are valid, the user receives a JWT to be used on later requests.
The user lists his credentials
There are dedicated endpoints on the API that return the user's credentials based on the details carried in the JWT.
The user decrypts one of his credentials
There is a dedicated endpoint to retrieve the encrypted password (the stored ciphertext) for a specific credential; the decryption is then done on the client side, so no plaintext password is ever transmitted to the API, which increases security.