At the moment, I am struggling with a question to which I have not found a good answer so far. I want to create a password manager, which will be used by a lot of people.
Used languages: PHP / Javascript (don't think JS should be used for any security-related things tho)
My concept so far:
- Only (Framework-)Admins can assign rights
- Access and/or write permissions can be assigned to:
  - User-groups
  - Single users
- Anyone can create an entry, insofar as he has rights to the manager himself and then for the particular point he can see. (tree-structure)
- Each entry is created as follows:
  - The key consists of a salt, which is hashed with sha256.
  - I chose "aes-256-cbc" as encryption method.
  - The "IV" is randomly generated with "openssl_random_pseudo_bytes".
  - Then I use the function "openssl_encrypt" to get the password-hash.
  - After that I use the function hash_hmac (sha256 again), to generate the hash, which will be stored in database.
But now I face the following problem: as soon as someone gets access to the PHP files, all passwords would be compromised.
That's why I've considered the following:
I would like to encrypt each password additionally with the user password of the respective user. This would mean that each password must be created/stored x times, but this is not a problem.
The fact that the password can only be read out with the previous entry of the user password is not a problem, but desired. However, this would mean that the access right to a password can only be assigned by an administrator who has already "unlocked" this entry. But since passwords can also be created by other administrators, or even by users, this would mean that in order to encrypt these passwords, each user who wishes to have access (which admins anyway have by default) needs at the same time the creator's (or a person who already has this entry) presence as well as his or her own to decrypt and re-encrypt the entry.
Well, theoretically I could also take the stored hashes of the user passwords from the database, but that would get me back to the point that once someone has file-level access, all passwords would be compromised.
Is there a good and reliable alternative for this? On the one hand, it would be a master password that has to be known by a creator in order to create an entry with which an entry is then stored initially. But that would be the unpleasant alternative.
Maybe something like a certificate or similar. I am thankful for any advice.
Thanks in advance!
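
One design that fits the "certificate or similar" idea in the question is a key pair per user: each entry gets a random key, and that key is wrapped with the public key of every user who may read it (RSA-OAEP here). The PHP below is an added example, not the poster's code; the function names, the 3072-bit key size and the sample users and passwords are assumptions made for illustration.

```php
<?php
// Added example (not the poster's code); names and sample values are constructed.
function createUserKeys(string $userPassword): array {
    $pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 3072]);
    openssl_pkey_export($pair, $privatePem, $userPassword); // private key PEM, encrypted with the password
    return ['public' => openssl_pkey_get_details($pair)['key'], 'private_enc' => $privatePem];
}
// Separate encryption and MAC keys derived from the random per-entry key.
function subKeys(string $entryKey): array {
    return [hash_hmac('sha256', 'enc', $entryKey, true), hash_hmac('sha256', 'mac', $entryKey, true)];
}
// Encrypt-then-MAC with the primitives named in the question.
function encryptEntry(string $plaintext, string $entryKey): string {
    [$encKey, $macKey] = subKeys($entryKey);
    $iv = openssl_random_pseudo_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true));
}
function decryptEntry(string $blob, string $entryKey): string {
    [$encKey, $macKey] = subKeys($entryKey);
    $raw = base64_decode($blob, true);
    $body = substr($raw, 0, -32);
    if (!hash_equals(hash_hmac('sha256', $body, $macKey, true), substr($raw, -32))) {
        throw new RuntimeException('entry failed its integrity check');
    }
    return openssl_decrypt(substr($body, 16), 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, substr($body, 0, 16));
}
// Granting access needs only the recipient's public key, not the recipient's presence.
function wrapKeyFor(string $entryKey, string $publicPem): string {
    openssl_public_encrypt($entryKey, $wrapped, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);
    return base64_encode($wrapped);
}
function unwrapKey(string $wrapped, string $privateEncPem, string $userPassword): string {
    $priv = openssl_pkey_get_private($privateEncPem, $userPassword);
    if ($priv === false) {
        throw new RuntimeException('wrong password or damaged key');
    }
    openssl_private_decrypt(base64_decode($wrapped), $entryKey, $priv, OPENSSL_PKCS1_OAEP_PADDING);
    return $entryKey;
}
// Constructed demo: Alice creates an entry and later grants Bob access while Bob is offline.
$alice = createUserKeys('alice-login-password');
$bob = createUserKeys('bob-login-password');
$entryKey = random_bytes(32);
$stored = encryptEntry('db-root: s3cret', $entryKey);
$forAlice = wrapKeyFor($entryKey, $alice['public']);
$forBob = wrapKeyFor(unwrapKey($forAlice, $alice['private_enc'], 'alice-login-password'), $bob['public']);
echo decryptEntry($stored, unwrapKey($forBob, $bob['private_enc'], 'bob-login-password')), PHP_EOL;
```

At rest the server then holds only entry ciphertext, wrapped keys, public keys and password-protected private keys, so read access to the files or database alone does not reveal entries. An attacker who can modify the PHP code can still capture a user's password at the next login, and the private keys are only as strong as the passwords protecting them.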