Presenting to the world a solution for a basic password manager built using Oracle's java security framework and enhanced with Swing-like user interface.
Implemented new features and improved previous build:
- New entries aiming to improve the quality of the stored information (Account Type, Date Created, Date Modified and "Deactivated?" checkbox);
- New utility feature in the form of a random password generator;
- Inactivity for 15 minutes will lock the application;
- Various security improvements (Key derivation function for the login, Main password type switch from String to CharArray, Changed encryption algorithm to AES in Galois Counter Mode to provide a form of protection against data tampering):
-
Key Derivation + SHA-512 with salts - used for storing passwords;
//Key Derivation PBEKeySpec spec = new PBEKeySpec(password, SALT.getBytes(), 128, 1024); emptyPasswordArray(); SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); byte[] derivative = skf.generateSecret(spec).getEncoded(); spec.clearPassword(); //Hash MessageDigest messageDigest = MessageDigest.getInstance("SHA-512"); String finalPassword = SALT + password + SALT; return messageDigest.digest(finalPassword.getBytes());
-
AES in GCM Mode - used for authenticated data encryption;
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); byte[] iv = generateIV(); GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(128, iv); SecretKey secretKey = KeyManager.getSecretKey(); cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmParameterSpec); byte [] encryptedData = cipher.doFinal(inputByteArray);
Warning! Due to major modifications and additions in this version, files created with version 1.0.0 are not compatible with this version. Version 2.0.0 will have its files in a different directory, but on the same user's home path.
- Java SE Runtime Environment 8 - Minimum Requirement;
- Java added to System PATH.
Note: Development was made on Java SE Development Kit 14.0.1, but the application was tested on Java SE Runtime Environment 8 as well.
Why Java? To be able to run the application with no trouble on whatever operation system is provided. No matter if it is Windows or Linux machines.
- Download the passwordManager.jar file located in the app package;
- Open the System Terminal and navigate to the location of the JAR;
- Run the below command:
java -jar passwordManager.jar
Alternatively, you can run the application by double clicking on the JAR file.
Quick Debug: If the command did not launch the application, please make sure java is installed and added to PATH by running one of the following commands:
java -version
javac -version
which will output something similar to the following:
java version "14.0.1" 2020-04-14
Java(TM) SE Runtime Environment (build 14.0.1+7)
Java HotSpot(TM) 64-Bit Server VM (build 14.0.1+7, mixed mode, sharing)
Note: The project was developed using IntelliJ IDEA Community Edition. For importing the source code into an IDE and compile it without any errors, please add the external JAR flatlaf-0.38.jar into your project. The JAR is located into the src\main\resources package.
The project is divided into two main ideas which are the Login Page and the Entries Page. Only the master key is required to access all the entries. The Password Manager works alongside 4 files:
- pm.enc - The main file which contains all the password inputs and all its related information. The file is always encrypted. Only the content is decrypted at runtime in order to display the values;
- pm.dat - This file contains the SHA-512 hash of the master password combined with a couple of salts. This password is used only to login in the app;
- pm.p12 - This file is the keystore that contains the master key used for encrypting and decrypting;
- pm.log - The log file which we require you to send in order to debug a certain crash situation or malfunction. Please note that we do not collect any information about the system;
All these files are created at runtime and updated properly. Also, their location is set to the user's home directory path (under the directory PMCojoFiles).
Very Important! Current version does not provide a way to reset the main password. We strongly recommend to not forget it. If such a situation occurs, or you simply want to reset the app, delete all the 4 files described above. Be aware that such an action will erase all previously added entries!
Here is a list of the main algorithms and best practice logic used inside the application:
-
SHA-512 with salts - used for hashing;
MessageDigest messageDigest = MessageDigest.getInstance("SHA-512"); String finalPassword = SALT + password + SALT; return messageDigest.digest(finalPassword.getBytes());
-
AES in CBC Mode with PKCS5Padding - used for cryptographic operations;
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); SecretKey secretKey = KeyManager.getSecretKey(); IvParameterSpec ivSpec = new IvParameterSpec(initialIV); cipher.init(Cipher.DECRYPT_MODE, secretKey, ivSpec);
-
The entries are stored inside an encrypted file whose content is read and decrypted at runtime;
ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(decryptContent(inputFilePath))); ArrayList<CredentialsElement> dataList = (ArrayList<CredentialsElement>) objectInputStream.readObject(); objectInputStream.close(); return dataList;
-
The key is generated and stored using Java KeyStore Manager.
KeyGenerator keyGen = KeyGenerator.getInstance(algorithmEncrypt); SecureRandom secRandom = new SecureRandom(); keyGen.init(secRandom); return keyGen.generateKey();
For any observations, comments, proposals, ideas or just some random thoughts please contact us at [email protected], on our Discord Server (https://discord.gg/cS7wBKu) or by opening a ticket on our git page. We provide full access to the code, even for the GUI/GUX - there is nothing to hide.
Also, if you want to support us financially you can do that by accessing the link below:
