This bachelor’s thesis proposes the development of a web application for password generation and account management in an organized and secure environment. The application is built using the ASP.NET Core and Angular frameworks.
Users can create multiple folders and add accounts specifying login names, URLs, and the desired password length. The password is then automatically generated using lowercase letters, uppercase letters, digits, and symbols. Passwords are encrypted with the AES algorithm and are converted to plain text only when the copy functionality is used.
The interface is designed to be user-friendly, targeting users who want to use passwords with a low level of vulnerability.
Passwords represent an essential element of digital life, serving as the means of access to each user's personal data and work. Usually, not enough attention is given to choosing a password: one that is easy to remember is often preferred and reused unchanged across multiple applications.
This approach significantly increases account vulnerability and exposes users to security risks, such as unauthorized access or the compromise of personal data.
This bachelor's thesis aims to develop a web application that facilitates the generation and organization of passwords with low vulnerability in an efficient manner.
- ASP.NET Core
- ASP.NET Core Identity
- Entity Framework Core
- Microsoft Restier for OData integration
- Microsoft SQL Server
- Docker
- Angular
- Material Design
The password generator is written in C# and uses a secure random number generator. It can generate passwords of different lengths, consisting of lowercase letters, uppercase letters, digits and symbols. It is composed of four functions, GetRandomInt, GetRandomIndex, GetRandomString and GeneratePassword, and of four character sets: uppercase letters, lowercase letters, digits and symbols.
Here is a diagram of the function calls to generate a password:

OData (Open Data Protocol) is a protocol for building and consuming web APIs that use HTTP to add and modify information in a database directly from the URL, using a specific route and a special query syntax with parameters. The response is returned in JSON format.
For example, to select two rows and the VaultId and VaultName columns from the Vaults table, the following URL would be used in a GET request:
/odata/Vaults?$select=VaultId,VaultName&$top=2
To perform the JOIN operation between the Vaults and Passwords tables, selecting only the PasswordId and URL columns from the Passwords table and only the rows in the Vaults table that have UserId = 7 and VaultId = 2, the following URL would be used in a GET request:
/odata/Vaults/?$expand=Passwords($select=PasswordId,URL)&$filter=UserId eq 7 and VaultId eq 2
JWT bearer implementation with cookies
The user is asked for an e-mail address and a name, and chooses the length of the master password, which can be 12, 24 or 36 words. After registration, the password is displayed on the screen; this is the only time it exists in clear text, after which ASP.NET Core Identity protects it using the PBKDF2 algorithm with HMAC-SHA512.
The master password is generated from 2048 words, taken from the list used by Bitcoin Improvement Proposal 39 (BIP39). BIP39 specifies that users regain access to their cryptocurrency wallets through a recovery phrase made up of words from that 2048-word list. The words are chosen by randomly generating a position in the list of 2048 words, using the Web Crypto API's crypto.getRandomValues, called from TypeScript.
The number of possible master passwords is 2048^12 + 2048^24 + 2048^36, since the user chooses whether the password consists of 12, 24 or 36 words.
Passwords are generated in the backend by calling the GeneratePassword function, then encrypted and sent as HTTP response.
For encryption, the symmetric Advanced Encryption Standard (AES) algorithm in Cipher Block Chaining (CBC) operation mode is used, which requires an initialization vector that is stored together with the encrypted password value and is needed for decryption.
The AES algorithm requires an encryption key. In order to avoid storing it in the application, the following approach is used: for each user, the encryption key is derived from the hash value of the master password, which is 512 bits; since an AES key can be at most 256 bits, the key is obtained by applying the SHA-256 algorithm to the hash value of the master password.
Decryption takes place only in the frontend component, so each time the user wants to use a generated password, the user's master password is used to obtain the key; encryption takes place only in the backend component.
