Self-made password management system

Now more and more Web sites or systems require us to enter a password, usually we will choose a password, so it is easier to remember, a password into the world. But there are other problems with the use of a password, such as:

• Unsafe, if one of the website password is leaked, other sites are not safe;
• There are limitations, and sometimes the passwords we use are not available under the restrictions of a certain website. For example, the passwords we use are all lowercase letters and numbers, but this site requires our passwords to contain special characters. Or we use a 20-bit password, but this site requires a maximum of 15-bit password.
• The website is too popular, we can not visit for a long time. After a few visits, the results of the second visit forgot the password.

Considering the above situation, we need to think of a password, when the situation encountered more, the password is not good management. Direct storage, afraid of being seen by others, not directly stored it, do not know where to put. And now there are a lot of password management software online, but I am not very comfortable with these things, because it is to encrypt our password stored on his server, joined his server was cracked, then all our passwords will be leaked. So I want to write a password management system that belongs to oneself!

　　Of course, if the site's recovery password is more simple, then use this site to provide 找回密码 it

Originally wanted to make a list, all passwords are encrypted and stored in the database. However, because there is no available space and database, if you use a local database, then the password stored on this computer is not available on the other computer.

Therefore, the policy is changed, the program is placed locally, only provides encryption and decryption of the password, using the mailbox, cloud disk and other tools to store encrypted fields. If another computer is to be used, clone the program locally and decrypt that field to get the password.

Explain my idea of storing passwords.
The required fields are:

1. URL: The website where you want to store your password, or a word or character, as long as you know it.
2. Password: Encrypt the key of the password;
3. Content: stored passwords;

The encryption method uses the recognized AES. The complexity of this encryption method is universally acknowledged and is very complex to decrypt.

The AES encryption process operates on a 4x4 byte matrix, which is also known as state, and its initial value is a plaintext chunk (an element size in the matrix is a byte in the plaintext chunk). (Rijndael encryption method for supporting larger chunks, the number of matrix rows visible increase) encryption, each round of AES encryption cycle (except the last round) contains 4 steps: 1. Each byte in the addroundkey-matrix does an XOR operation with the secondary key (round key), and each sub-key is generated by a key generation scheme. 2. subbytes-uses a non-linear substitution function to replace each byte with the corresponding byte in the form of a lookup table. 3. shiftrows-Each Heng lie in the matrix with a cyclic shift. 4. mixcolumns-in order to fully mix the operations of each straight line in the matrix. This step uses a linear transformation to mix four bytes per column. The last cryptographic loop omits the Mixcolumns step and replaces it with another addroundkey.

Of course, many of the principles in fact we do not need to know very deep, but I should learn how to use, AES encryption and decryption requires two parameters: encrypt($input, $key) , decrypt($sStr, $sKey) . The first parameter is the string that we want to manipulate, the second parameter is the key value of the encryption and decryption, usually the same key value is required for encryption and decryption.

For more information about AES, you can click here "aes-Baidu Encyclopedia" "aes-wikipedia"

From the above, we can see that if you want to encrypt the two fields: the string and key value that need to be encrypted; the two fields required for decryption: the string to decrypt and the key value. So, my encryption process is this:
1. Determine the key value:

$code substr (MD5(). Wenzi ". Rand (1000, 9999)), 4, 10); // need to remember $key MD5 ($password. ' Wenzi '. $code);

As you can see from the code above, the $key value depends on the value we enter password and the value generated by the system code .

2. Need to encrypt the string: not to encrypt the password directly, but the $content stitching together to encrypt, and so on decryption needs to verify that the input URL is not the URL at the time of encryption, if not get the password.

3. Encryption: $content = Encrypt ($url. $content, $key);

4. Confirm the fields required for decryption: $url (the URL at the time of encryption), $code (the string randomly generated in the first step), $password (key), $content (what needs to be decrypted)

In order to prevent others from seeing the code value of direct storage, we can let the program return according to our needs, in my program, the code value is a length of 10 string, return when we see the code is: the first 5 bits is a single digit, the last 5 bits are double digits, the decryption requires alternating input.

$e 1="";$e 2=""; for($i= 0;$i<strlen($code);$i++) {    if($i%2==0){        $e 1.=$code[$i]; }Else{        $e 2.=$code[$i]; }}$e=$e 1.$e 2;

Of course you can also use the following strategies: The first 5 bits are the last 5 bits of code, the last 5 bits are the first 5 bits of code, and so on. Others just see code that has been processed by the program, without knowing the order of code

Let's use the program to encrypt one try:

The data returned after successful encryption is:

www.xiabingbao.com  3cf06d4ce6  ttkbt5bl30niyxv+wymngvnjwo2molq/ld0r4rorooo=

Three fields: URL, code value randomly generated by system, encrypted string

If we forget the password one day, we can retrieve the password of this website by storing the 3 fields above and the key we entered earlier.

$key=MD5($password.‘ Wenzi '.$code);$result=$aes->decrypt ($content,$key);if(Strpos($result,$url) >-1){    $msg=substr($result,strlen($url)); $s=Array(' Status ' =>0, ' msg ' = =$msg);}Else{    $s=Array(' Status ' =>2, ' msg ' = ' = ' validation error ');}

First through the $key and need to decrypt the field $content to decrypt the $content $result, decrypted and then determine whether the $result contains the field, if not included in the decryption failure, otherwise the password back to the user.

If someone gets you a saved encryption string, if he does not have your program is also not open, even if the encryption string and the program is obtained, he does not have your key, because the key is in your heart, not stored in any other files.

Well, maybe some people find it troublesome to save passwords like this. I think of it as a practiced hand project, and the way to store some more remote site password. When writing this system, the main learning is the AES algorithm and the use of bootsrap.

GitHub Address: Github-password

Original address: http://www.xiabingbao.com/password/2015/03/08/make-passwork/

"Reference":
AES Encrypted PHP version
Bootsrap

Self-made password management system