Hello There!
In my last blog post, I shared how I built a simple password generator in C, which was an exciting way to explore randomness and character sets. Today, I’m diving deeper into an equally important topic: password management! I’ll guide you through the thought process and steps involved in creating a password manager, so you can build your own secure storage solution.
The source code can be found here
Understanding the Need for a Password Manager
Before we get into the nitty-gritty of coding, let’s take a moment to reflect on why password managers are essential in today’s digital landscape. As we create more online accounts, the challenge of remembering all those unique passwords becomes overwhelming. Using the same password across multiple accounts is a recipe for disaster. A password manager solves this problem by securely storing your credentials and generating strong, unique passwords for each of your accounts.
Defining the Key Features
When embarking on this project, I started by identifying the core features I wanted my password manager to have:
- Add New Services: Users should be able to store their service name, username, and password. If the user doesn’t provide a password, the program should generate one.
- Retrieve Stored Credentials: Users need to easily query the vault for their credentials based on the service name.
- List All Services: A simple command to display all stored services would facilitate easy management.
- Secure Encryption and Decryption: All passwords must be encrypted using a secure method, ensuring that even if someone gains access to the vault, they can't read the passwords without the master password.
Exploring Encryption Techniques
With the features in mind, I turned my attention to the security aspect—how to encrypt and decrypt the passwords. I decided to use OpenSSL, a powerful library for implementing cryptographic functions.
Choosing the Right Encryption
For my password manager, I opted for AES (Advanced Encryption Standard) in CBC (Cipher Block Chaining) mode. CBC mode offers a good balance of security and efficiency, ensuring that identical plaintext blocks will produce different ciphertext blocks due to the use of an IV (Initialization Vector). I also wanted to derive encryption keys from a user-provided master password, adding another layer of security.
Setting Up Your Development Environment
Before starting the coding journey, make sure you have OpenSSL installed on your system. If you’re using a Linux-based environment, you can typically install it via your package manager. If you’re on Windows, you might need to download and set it up separately. Having the OpenSSL development libraries will allow you to access the necessary headers and functions.
Structuring Your Program
I planned to keep my code organized and modular, so I sketched out a basic structure for the program. Here are the main components I decided on:
- Input Handling: A function to parse command-line arguments for different operations (like adding a new service or retrieving credentials).
- Password Management Functions: Functions dedicated to adding and retrieving credentials from the vault.
- Encryption and Decryption: Functions responsible for securely storing and retrieving passwords.
Implementing the Core Functions
Now, let’s dive into the coding! Here’s a breakdown of the core functionality of the password manager:
1. Command-Line Argument Parsing
To provide flexibility, I implemented a function to handle command-line arguments. This allows users to specify the operation they want to perform:
void parseArgs(int argc, char **argv, char **operation, char **service, char **username, char **password) {
// Parse command-line arguments using getopt_long
// Populate operation, service, username, and password accordingly
}2. Password Encryption
Next, I wrote the encryptPassword function. This is where the magic happens! Here’s a simplified version:
void encryptPassword(const char *plaintext, unsigned char *ciphertext, unsigned char *salt, int *ciphertext_len) {
unsigned char key[KEY_SIZE], iv[IV_SIZE];
deriveKey(key, salt); // Derive the encryption key from the master password
RAND_bytes(iv, sizeof(iv)); // Generate a random IV
// Prepend salt and IV to the ciphertext
memcpy(ciphertext, salt, SALT_SIZE);
memcpy(ciphertext + SALT_SIZE, iv, IV_SIZE);
// Encrypt the plaintext
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
// Initialize and finalize the encryption process
}In this function, I generate a random IV and prepend it, along with the salt, to the ciphertext. This way, when retrieving the password later, I can easily extract these components for decryption.
3. Password Decryption
The corresponding decryptPassword function is just as crucial. Here’s how it looks:
void decryptPassword(const unsigned char *ciphertext, char *plaintext, int ciphertext_len) {
unsigned char key[KEY_SIZE], iv[IV_SIZE], salt[SALT_SIZE];
memcpy(salt, ciphertext, SALT_SIZE); // Extract salt
memcpy(iv, ciphertext + SALT_SIZE, IV_SIZE); // Extract IV
deriveKey(key, salt); // Derive the key
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
// Initialize and finalize the decryption process
}This function takes care of decrypting the ciphertext by extracting the salt and IV and then deriving the key before performing the decryption.
4. Managing Passwords
With the core functions in place, I implemented methods to add and retrieve passwords:
- Adding a Service: This function allows users to store their service name, username, and password. If no password is provided, a secure random password is generated.
- Retrieving a Service: Users can easily query the vault by the service name and get their credentials back.
Handling Errors and Enhancing User Experience
As I tested the program, I quickly realized the importance of error handling. If a user tried to access a non-existent service or there was an issue reading the vault file, the program should inform them without crashing.
To enhance user experience, I also added a couple of features:
- Hidden Password Input: When entering the master password, I wanted to ensure that it wouldn’t be displayed on the screen. I used the
termioslibrary to manipulate terminal settings and hide the input. - Help Commands: Providing users with clear instructions on how to use the password manager through command-line options was essential.
Security Considerations
Creating a secure password manager isn’t just about encryption; it’s about how you handle sensitive data. Here are a few security practices I incorporated:
- Strong Random Number Generation: Using OpenSSL’s
RAND_bytesfunction ensures that keys and IVs are generated securely. - Key Derivation: I used PBKDF2 to derive encryption keys from the master password, making it more resilient against brute-force attacks.
- Secure Storage: Passwords are stored in a file that can only be accessed by the password manager, ensuring unauthorized users can’t easily access the stored credentials.
Reflections and Future Improvements
Building this password manager has been a fulfilling journey. I learned a great deal about cryptography, secure coding practices, and the importance of user experience. However, I know there’s always room for improvement. Here are a few features I’m considering for future iterations:
- Multi-Factor Authentication: Adding an extra layer of security could significantly enhance protection.
- Password Sharing: Enabling secure sharing of passwords between trusted users would be a valuable feature.
- Web Interface: While I love coding in C, a web-based interface could make the password manager more accessible and user-friendly.
Conclusion
Creating this password manager has been a rewarding experience! It not only helped me solidify my understanding of encryption and secure storage but also provided a practical tool that I can use daily. I hope this guide inspires you to tackle your own projects, whether it’s building a simple generator, a robust password manager, or something entirely different.
If you have any questions about the code or want to share your experiences, feel free to open an issue at the git page or even drop me an email at at tarkan@bidonov.xyz !
Happy coding and till the next time! 🔐💻