Simple line-number based password manager

File: lemme off.gif (156KB, 500x375px) Image search: [Google]

156KB, 500x375px

Brump

File: 200.gif (2MB, 267x200px) Image search: [Google]

2MB, 267x200px

No PHP guys lurkin?

Use hash_pass and dump anything SHA if you are serious about security

>>59280512
>using php when node.js exists

>>59280512
Nobody here can actually write programs .

>>59280817
Huh. That's a neat feature. Some reading is in order.

>>59280512
You should generate a different salt for each password and store it alongside the password.

Also I don't see you using a library that utilizes key stretching which is a bare necessity. But I can't be bothered to php so disregard if it is actually done.

>>59280512
>>59280908

> Aside from the obvious plaintext password file

Also forgot to mention:
Never do this! Not even as a joke. You may know it is bs but the next best idiot coming across your code (might be a coworker or w/ever) is just blindly going to use it.

>>59280931
I know it's not exactly smart to store passwords in plaintext, the server is just sitting at home and it's pretty tightly locked down. The web server is listening on a way high up port, as many precautions as I can take in order to be this lazy. The account/line number reference sheet is not even on the server. Both are useless unless put together.

>>59280908
Doesn't hashing twice + salting achieve this?

>>59281114
by that I mean the stretching*

>>59280882
I suggest you set up a PDO instead of using plaintext because it's easier but that's up to you

>>59280512

Use bcrypt if you are serious about security. It has builtin hashing (random for each entry) and unlike sha1/sha2 it's expensive (which makes it good).

>>59280512

Use password_hash and password_verify. They were made for people like you who don't know how to cypto.

>>59281403
Serious question. What's cryptographically wrong with this script for this purpose? Just the script itself, assuming the passwords will be stored properly at some point. (this is a proof of concept)

>>59281455
A few things:
You shouldn't use the same salt for every password you get - this is a security issue. Generate a new random salt for each new username (line number, whatever) and store this with the salted+hashed password.

Don't use SHA, use bcrypt. SHA is not for cryptographic purposes, it's mathematically weak.

Hashing the already hashed password is unnecessary and won't add the security through obscurity that you think it will.

>>59281505
That hash function is for one password. The script just pulls a specified line from a file and dumps it out if the password matches. It's always the same, it's a master password

>>59281505

All of these points are valid which is why the PHP built in password functions do it this way.

Seriously OP, there's a reason you use real crypto libraries. Making your own functions just sets you up for Nintendo-tier security lapses.

>>59280512

>weak comparision operator
Not sure if it's actually dangerous but it's bad form to do this.

>>59281540
Ok - change the hashing method then and you could probably use it.

I'd advise storing the hashed password in bit form, and doing a bitwise comparison on it and your inputted password - I'm not too sure how PHP works with strings though.

>>59281601
See I knew /g/ wasn't completely full of tryhards. All the other threads on this board are nonsense. There are some smart folks on here. Thanks for the advice. Much appreciated my man.