My password management solution

My projects Jul 29, 2019

Back in 2015, I used to use the same password everywhere, it was a complex one, and I wasn't really worried about someone else finding him. But sadly this was about to change...

In late 2016 a huge list of email address and password pairs appeared in a "combo  list" referred to as "Exploit.In". The list contained 593 million unique  email addresses, many with multiple different passwords hacked from  various online systems. The list was broadly circulated and used for "credential stuffing", that  is attackers employ it in an attempt to identify other online systems  where the account owner had reused their password. And as you know it was my case, so I have lost access to several accounts such as my Minecraft one...

How I have reacted

I have then decided to use a password manager named as Dashlane. It was very cool for the first time, but I have soon ecountered a problem: there was no sync between devices for the free subscription. And It was a real problem for me. That's why after some months, I have copied all my passwords in a excel sheet (not in full plain text, more a bit obfuscated) on a Google Sheet... I know this is bad, please forgive me.

The birth of my passwords space

In 2018 i was really bored of dashlane and I have decied to make my own password management solution. I wanted to make something available online, but really secure. And after several month of research I have come up with my own solution.

How it works

My Passwords Space is a tier 3 application composed of

  • one frontend application
  • one backend application used as an API
  • and a database as persistence unit

The user authenticate against the API

The user supply an username/password couple (please note that this password is only used to authenticate against the API, not to crypt the password). If the credentials are valid the user will receive a JWT token to be used for later request

The user list his credentials

There is dedicated endpoints on the API to return user credentials based on JWT details.

The user decrypt one of his credentials

There is dedicated endpoint to retrieve password hash for specific credentials, then the decryption is done on client side: no password are transmitted to the API to increase security.

Aloïs Micard

You can contact me on: alois@micard.lu. PGP fingerprint: F733 E871 0859 FCD2