password manager in another way

[Svenrip]

Hi everybody I'm new in this forum , hope my post is in the right section :)
I' ve started a program with the idea to create a simply password manager , using just files .txt to store the data but now I've realized that is useless, cose everyone using the pc can see those files where usernames and passwords are stored just opening them. So I was thinking a solution for the security of those files , anyone can give me an idea ? (even a different way to do a password manager) I know that one solution can be the use of a DB but I think I'm not ready to use them ..thanks

[ianyappy]

I suppose one simple method would be to use some hash function to hash the password (E.g. MD5 or SHA1). You then store the hash together with the username. When the user enters the password, just run the hash on the password to see if it matches the one in the text file.

[Svenrip]

your solution is about the security inside the program , I was talking about the security outside the program . For example a person using my laptop that search for .txt files can find the data where the pass are stored , just opening those .txt files crated by my program .... is that more clear? :confused:

[ianyappy]

Well actually, your text file would keep only the hashed version of the password (together with the username). It should not be possible to recover the actual password from the hash. When you run the program, it should hash the password that the user inputs and compare it with the stored version of the hash. Thus you never store the password in its "plaintext" form.

Hope that makes sense. :)

[Zack]

I suppose one simple method would be to use some hash function to hash the password (E.g. MD5 or SHA1). You then store the hash together with the username. When the user enters the password, just run the hash on the password to see if it matches the one in the text file.

It's a password manager, which means the hash has to be decryptable (so that when you provide a website, or whatnot, it can fetch the username and password for the user). MD5 and SHA1 are not. The OP would probably want to come up with his own encryption method for this reason.

[ianyappy]

Oh, oops haha OK, my bad :)

[ianyappy]

Oh, well then I suppose one could encrypt the text file (maybe using gpg --symmetric?) with a master password. Then when one needs to retrieve the text file, just decrypt it with the master password.

[Svenrip]

I had a look to gpg --symmetric you mentioned and it seems to be something external to the program.The solution is good for myself but what if I give the program to a friend ? He have to use gpg with my program isn't it ? :confused: If the solution using .txt files is too hard any other idea how to store my passw will be appreciated, when I was starting the program somebody advice me to use XML is that a good idea ? I dont have used XML before so I don t know if is good or not for my passw menager..

[JosAH]

It's a password manager, which means the hash has to be decryptable (so that when you provide a website, or whatnot, it can fetch the username and password for the user). MD5 and SHA1 are not. The OP would probably want to come up with his own encryption method for this reason.

That's not needed; a one-way-hash function can also do the job adequately; as long as a password hashes to the same hash value it is accepted as the correct password. That's the way Unix does it.

kind regards,

Jos

[ianyappy]

I had a look to gpg --symmetric you mentioned and it seems to be something external to the program.The solution is good for myself but what if I give the program to a friend ? He have to use gpg with my program isn't it ? :confused: If the solution using .txt files is too hard any other idea how to store my passw will be appreciated, when I was starting the program somebody advice me to use XML is that a good idea ? I dont have used XML before so I don t know if is good or not for my passw menager..

I'm actually not too familiar with Java but a little familiar with crypto.. But how about this example code:
http://www.example-code.com/java/fileEncryption.asp
I think it suits your purpose for embedding some encryption within your program without focusing on the details of the encryption. Hope it helps :)

[Svenrip]

mmh look like a bit advanced for me but I will try to implement it and I will let you know , thanks
If anyone has another idea I will consider it too