
Hi, Habr. Finally, it's time to introduce you to my project called "StoreBirds". It is a free password manager and form filler in the form of a Chrome browser plugin. Let me tell you what motivated me to create "StoreBirds", what its main features are, and why I was not attracted by the idea of using the popular "LastPass" as a password manager...
Why not "LastPass"
Of course, you may disagree with me, but I am not very fond of "LastPass", and here is why:
- The sheer number of settings and features that literally fill the LastPass interface does not really make it convenient to use. Yes, maybe it gives the product some flexibility, but does an ordinary user need that flexibility? I am an ordinary user myself, and I like everything to be simple and clear, without neglecting reliability and security.
- Incorrect behaviour on some web resources: for example, filling in the registration form on battle.net does not work correctly (yes, yes, like many people I really love Blizzard games, StarCraft in particular :)), nor does filling out registration forms on some sites built on the GWT engine, for example ppc.clickbro.com. You can easily verify this yourself; whether you use hotkeys or the mouse makes no difference at all.
- A significant role is played by the psychological, and perhaps slightly paranoid, question of what kind of software stores your personal information, in what form, and whether it can compromise your data.
Agree, it would be great to use open source software or, even better, to have its server part on your own host. In any case, partly thanks to the arguments above, I decided to write my own password manager for my favourite browser, "Chrome".
Before writing the plug-in, I set three basic requirements for it: security, reliability, convenience.
Security
General security features of the system:
- The server acts as a "black box": it stores only encrypted information and no keys (logins / passwords).
- All encryption and decryption operations are carried out strictly on the client side using AES256 (the user's password acts as the master password).
- User authorization on the server is done only through a hash of login, password and salt: hash_function(login, password, salt1).
- Each request that carries an action is unique and contains a random dynamic component that can be correctly computed only on the server and client side; this gives additional protection against request sniffing and replay.
- The connection to the server can take place over either HTTP or HTTPS (the connection type can be selected in the plugin settings). This does not play such a significant role, because all data is encrypted anyway, but if you do have the opportunity to connect via HTTPS, use that mode.
- All important database fields on the server are additionally encrypted locally with AES256; the main part of the key is specified in the corresponding variable in the server-side configuration file.
User registration
Registration of a new user in the system works as follows:
- On the client side, a hash of the login and password is computed with hash1_function(login, password, salt1) and sent to the server; this hash will be used to authorize this user's requests from client to server.
- A secret hash sec_hash is computed on the client side with hash2_function(login, password, salt2). This hash is sent to the server only when a new user is created or the user's password is changed, never again, and it takes part in forming the uniqueness of each request from client to server.
Data exchange between client and server:
According to clause 4 of the general security features, every request from a client to the server that carries an action must be unique. This uniqueness is achieved by adding a dynamic component to it, which can be correctly computed only on the server and client side and depends on the secret hash (sec_hash). The dynamic component is computed as hash3_function(sec_hash, random_key, salt3), where random_key is requested from the server. The general scheme is as follows:
- client -> server: the client asks the server for a random key (random_key) for its next request.
The client receives the random key and, based on it, computes the dynamic component hash3_function(sec_hash, random_key, salt3).
- client -> server: the client sends the server a request with encrypted content that carries the action, together with the dynamic component it computed.
The server, having received such a request, compares the dynamic component of the incoming request with the one computed by the same algorithm on its side; if they match, it resets the random key for this connection and allows the action described by the request content.
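To make the registration step and the request scheme above concrete, here is an added example of both sides of the exchange written for this article; it is not StoreBirds' own code. The page does not say which hash functions or salts are used, so hash1_function, hash2_function and hash3_function are modelled here as SHA-256 over length-prefixed inputs, the salts are constructed placeholders, and the "encrypted content" is an opaque byte string standing in for ciphertext the client has already produced. It shows why a captured request cannot be replayed: the server consumes the random key on first use, so the same dynamic component never verifies twice, and a party that does not know sec_hash cannot form a valid one.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder salts; the real salts are not given on the page.
SALT1 = b"constructed-salt1"
SALT2 = b"constructed-salt2"
SALT3 = b"constructed-salt3"


def _h(*parts: bytes) -> str:
    """Assumed hash construction: SHA-256 over length-prefixed parts."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big"))
        m.update(p)
    return m.hexdigest()


def hash1_function(login: str, password: str, salt: bytes) -> str:
    """Authorization hash, sent with every request (assumed construction)."""
    return _h(login.encode(), password.encode(), salt)


def hash2_function(login: str, password: str, salt: bytes) -> str:
    """Secret hash sec_hash, sent only at registration / password change."""
    return _h(login.encode(), password.encode(), salt)


def hash3_function(sec_hash: str, random_key: str, salt: bytes) -> str:
    """Dynamic component that makes each action request unique."""
    return _h(sec_hash.encode(), random_key.encode(), salt)


class Server:
    """Black-box server: knows only the hashes, never login/password."""

    def __init__(self) -> None:
        self.users = {}      # auth_hash -> sec_hash
        self.pending = {}    # auth_hash -> outstanding random_key
        self.accepted = []   # encrypted actions that passed verification

    def register(self, auth_hash: str, sec_hash: str) -> None:
        self.users[auth_hash] = sec_hash

    def issue_random_key(self, auth_hash: str) -> str:
        if auth_hash not in self.users:
            raise PermissionError("unknown user")
        key = secrets.token_hex(16)
        self.pending[auth_hash] = key
        return key

    def handle_action(self, auth_hash: str, dynamic: str, encrypted_action: bytes) -> bool:
        # The key is one-shot: it is removed whether or not the check passes,
        # so a second attempt with the same request has no key to match.
        key = self.pending.pop(auth_hash, None)
        if key is None or auth_hash not in self.users:
            return False
        expected = hash3_function(self.users[auth_hash], key, SALT3)
        if not hmac.compare_digest(expected, dynamic):
            return False
        self.accepted.append(encrypted_action)  # stored encrypted, never decrypted here
        return True


class Client:
    def __init__(self, login: str, password: str) -> None:
        self.auth_hash = hash1_function(login, password, SALT1)
        self.sec_hash = hash2_function(login, password, SALT2)

    def register(self, server: Server) -> None:
        server.register(self.auth_hash, self.sec_hash)  # sec_hash sent exactly once

    def send_action(self, server: Server, encrypted_action: bytes):
        random_key = server.issue_random_key(self.auth_hash)          # step 1
        dynamic = hash3_function(self.sec_hash, random_key, SALT3)    # step 2
        return server.handle_action(self.auth_hash, dynamic, encrypted_action), dynamic


def demo():
    """Run one legitimate request, then replay the captured request."""
    server = Server()
    client = Client("alice", "correct horse battery")
    client.register(server)
    ciphertext = b"<constructed placeholder for AES256 ciphertext made on the client>"
    first_ok, dynamic = client.send_action(server, ciphertext)
    # Replaying the captured request (same auth_hash, same dynamic component)
    # fails because the random key was consumed by the first request.
    replay_ok = server.handle_action(client.auth_hash, dynamic, ciphertext)
    return first_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The per-request key is discarded on a failed check as well as on a successful one; the page only states the reset on success, and discarding on failure is a design choice made here so that every attempt costs a fresh round trip.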
In the plug-in, the user's login and password can be stored either in localStorage, in encrypted form, or in the user's head. Of course, the head is more reliable, but for convenience it is better to save them in localStorage, so that every time you start the browser the plugin logs in automatically. After the plug-in has been authorized, it pulls all the data from the server and works with it in memory, without writing it to a local database. In my view, the less information is stored locally, the better. I reacted negatively to the question of restoring a lost username / password, because then the server would have to store them, and that contradicts the definition of the server as a "black box". Nevertheless, I added the option, at registration time, of having the username and password reminded by e-mail if the user wishes: if the user enables the reminder, the username and password are sent to the server for storage; if not, they are not. This choice is made only once, when a new user registers. In addition, if the user changes the password, the auto-reminder is disabled for him and the login, password and e-mail fields in the database are overwritten.
Reliability
The project "StoreBirds" is written entirely in JavaScript and PHP; its client part is a plugin for "Chrome" written in pure JavaScript. Each new function I wrote was thoroughly tested, and subsequently the usability test cases I compiled and the load tests were all passed. The server part also passed all its tests and is a bundle of Apache (or Nginx) + PHP + MySQL, the most common bundle in the world. :)
Convenience
The development of the interface and the capabilities of StoreBirds was guided by my own philosophy: "If it is convenient for me, it will be convenient for everyone". I will not go into the details of the interface, since you can try it yourself in practice. Perhaps someone will not like the interface; you cannot please everyone, but I hope it will suit many :). As for interesting features, a function has been added to lock the user's account and unlock it with a password, so that while you are away from the computer nobody can use your account (the lock is enforced on the server). You can set this unlock password yourself in your account settings. The user's saved entries are also presented conveniently as an expandable list. In principle, "StoreBirds" has all the necessary functions; you can get to know them personally by examining the project site and trying it in practice.



StoreBirds service
The site storebirds.com serves as the ready, official resource. It already has a trusted SSL certificate and a reliable, powerful platform to work on. Everyone is welcome. You can also install the server part on your own host (if you have one). For this you only need Apache (or Nginx) + PHP + MySQL configured; then, in the config of the downloaded source of the StoreBirds server part, enter the parameters for authorizing to your MySQL DBMS, and run the database install script. That's it! Everything is described on the site page "storebirds.com/storebirds/user/begin_to_use.php". If you do not have your own host, use the official "storebirds.com". Send any email with questions, suggestions and comments to askstorebirds@gmail.com, or fill out the form on the page "storebirds.com/storebirds/user/support_page.php" (you must be registered in the system to fill out the form).
Thanks for attention!
PS Watch for updates, as new features of the service will be added (as users request them).
I will try to answer all your questions.
Continued:
http://habrahabr.ru/blogs/google_chrome/138669/