Hello,
another idea (which i came accross with KeePass Password Counter plugin): Search for accounts which share the same password -> in a secure world no password should be used twice. Most users use the same password for dozens or hundreds of websites/services/,,, - to sensibilize it would be great to have a util in syspass to check for accounts with same password and to eliminate.
I checked SQL database to do this but same passwords are encrypted with different values so they need to be decrypted before comparing the plain text passwords.
Hello, this would be a painful task from the performance view, since there is no way to compare password without decrypting/encrypting them, so it would expose all the password during the checking time.
Keepass works in another way, the vault is decrypted when the app starts and you unlock it with the master password, so you would be able to compare each password without decrypting one by one.
i agree that searching and comparing hundreds of passwords would be painful.
just a draft from my mind: a useful variant could be to generate some sort of additional non-plaintext comparison key
i think some more brain has to be investigated but maybe possible. what do you think?
Hello, I've been thinking about this and in my opinion, there wouldn't be any method to compare password without compromising the security. Hashing is a good technique but you need to add a salt to every hashed string to keep it secure to rainbow tables based attacks, so this salt makes every password unique.
sysPass does not store any password hash because security reasons thereby, if you need to make a hash for each password, they should be decrypted for hashing and then comparing, so it will be a big task in terms of performance and security.
Please, let me know if you have any thoughts about it.
Kind regards
hey. i thought a while about it and you are right.
comparing the passwords to check for duplicates is some kind auf maintenance task. it could be done by using the syspass decryptor and then comparing clear type passwords. so i think its not required to compare it in frontend. just get an exported xml from syspass and decrypt it would be workaround. So its not needed to change something in php
regards, Mario
Hey, i got some other idea for this FR. Maybe sysPass could have some kind of own dictionary which stores each password which was ever used within the instance. When adding a new account the system could warn the user if the password was already used once (but still allow the user to type it in and store it). The account could be marked with some color/flag that the password may be unsafe because used multiple times. I don't know if it's possible but what do you think about it? regards, Mario
ps: i have still no internet at my home. i am using my smartphone to tether. i moved to a new flat. That's why i was muted last weeks ;-)