My password manager website details.
I don’t store user passwords in my website. Users have to upload and download the database from their google drive or their pc to my website to read their credentials.
How I encrypt user credentials?
Each user credentials are encrypted using aes 256 ctr mode and stored in JSON object. At last the JSON object is again encrypted with different password and made it available to download.
How I decrypt encrypted credentials?
User will press ‘Upload’ button and will be asked three inputs:
- two digit secret number. (used as counter for aes256 ctr mode )
- Master password. (Each credential will be encrypted using this password + 2 digit number from step 1.)
- Database password. (Whole JSON object will be encrypted using this password + 2 digit number from step 1.)
Whenever user wants to access their credentials they must enter 2-digit number, master password and database password. It will be frustrating to enter them again and again.
To make it easy I want to add mechanism like once the user enter 2-digit number, master password and database password. I encrypt them using same 2-digit number + some random password . That random password I divide in to two. Half of it I store in session cookie and half user must enter from the android or iphone app. What the website will do is it will use 2-digit code + half of random password from session cookie + half of random password form phone and decrypt the First stored master and database password in session cookie and decrypt the data when needed.
Will the above technique work or any other idea to make it easy for users like usint TOTP for decrypting user credentials.