Syspass: Feature Request: Search for accounts with duplicate passwords

Created on 19 Jan 2018  路  5Comments  路  Source: nuxsmin/sysPass

Hello,

another idea (which i came accross with KeePass Password Counter plugin): Search for accounts which share the same password -> in a secure world no password should be used twice. Most users use the same password for dozens or hundreds of websites/services/,,, - to sensibilize it would be great to have a util in syspass to check for accounts with same password and to eliminate.

I checked SQL database to do this but same passwords are encrypted with different values so they need to be decrypted before comparing the plain text passwords.

kinquestion

All 5 comments

Hello, this would be a painful task from the performance view, since there is no way to compare password without decrypting/encrypting them, so it would expose all the password during the checking time.

Keepass works in another way, the vault is decrypted when the app starts and you unlock it with the master password, so you would be able to compare each password without decrypting one by one.

i agree that searching and comparing hundreds of passwords would be painful.

just a draft from my mind: a useful variant could be to generate some sort of additional non-plaintext comparison key per account, saved in database too. this key could be used to be human unreadable but still quick and easy to decode by script. As you use account linking in the structure you can see which accounts share same password. So adding a comparison key would mean the same. thus makes all passwords comparable but still hides the passwords themselves. the comparison key may also look like a honeypot value as it is used to display in SQL meanings, that some passwords from different accounts are equal.

i think some more brain has to be investigated but maybe possible. what do you think?

Hello, I've been thinking about this and in my opinion, there wouldn't be any method to compare password without compromising the security. Hashing is a good technique but you need to add a salt to every hashed string to keep it secure to rainbow tables based attacks, so this salt makes every password unique.

sysPass does not store any password hash because security reasons thereby, if you need to make a hash for each password, they should be decrypted for hashing and then comparing, so it will be a big task in terms of performance and security.

Please, let me know if you have any thoughts about it.

Kind regards

hey. i thought a while about it and you are right.

comparing the passwords to check for duplicates is some kind auf maintenance task. it could be done by using the syspass decryptor and then comparing clear type passwords. so i think its not required to compare it in frontend. just get an exported xml from syspass and decrypt it would be workaround. So its not needed to change something in php

regards, Mario

Hey, i got some other idea for this FR. Maybe sysPass could have some kind of own dictionary which stores each password which was ever used within the instance. When adding a new account the system could warn the user if the password was already used once (but still allow the user to type it in and store it). The account could be marked with some color/flag that the password may be unsafe because used multiple times. I don't know if it's possible but what do you think about it? regards, Mario

ps: i have still no internet at my home. i am using my smartphone to tether. i moved to a new flat. That's why i was muted last weeks ;-)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

TheMengzor picture TheMengzor  路  3Comments

supkk picture supkk  路  7Comments

deajan picture deajan  路  4Comments

matejzero picture matejzero  路  5Comments

NOTORIOUSVR picture NOTORIOUSVR  路  3Comments