password-security-module
v1.1.0
A module inspired by TPM to provide some password security by safely storing and generating passwords.
Introduction
This project creates a JavaScript library for Node.js. It aims to secure existing passwords by encrypting them, or to generate new passwords on demand. For both usages, the whole process is repeatable: given the same input, the library always produces the same output. The cryptographic secrets necessary to control the library's behavior never leave the module itself.
Although similar to a password manager, the library itself is stateless: it outsources any permanent storage to the calling code. As such, this module supplements, rather than replaces, the existing practice of storing passwords in a password manager: by replacing the stored password with a "password requesting URL" (generated by this module after importing it), one must have access to both the password manager and this module to have an actual password revealed.
Consider also that this module can be used quasi-offline on a computer detached from the Internet:
A request or a response is transferred in text form with a predefined format,
and the initial secrets for running the module are either stored within hardware
security modules or decrypted on the computer without going over the wire.(*)
Therefore a higher level of security can be achieved, as nothing exists online and the secrets used cannot be inferred from any output (given a good implementation).
(*) In fact, the module itself makes no assumption about how the secret
is stored; all it requires is a random oracle function with 512 bits of output
(preferably a SHA512-HMAC function loaded with a secret). This function
can be implemented in software or hardware; the latter could have better
security.
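The oracle contract from the footnote, as an added example that is not this module's own code or API: a software HMAC-SHA512 oracle that keeps its secret inside a closure, and a repeatable password derivation built on top of it. The names `makeOracle`, `derivePassword` and `ALPHABET`, the derivation scheme and the sample request string are assumptions made for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Wrap the secret in a closure: callers only ever see 512-bit outputs.
// A hardware-backed oracle would forward the input to the device instead.
function makeOracle(secret) {
  const key = Buffer.from(secret); // private copy of the secret
  return (input) => crypto.createHmac('sha512', key).update(input).digest();
}

// Hypothetical output alphabet (look-alike characters left out).
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';

// Hypothetical derivation: turn oracle output into a password.
// Rejection sampling avoids modulo bias; a counter extends the byte
// stream when one 64-byte block does not yield enough characters.
function derivePassword(oracle, request, length = 20) {
  const limit = 256 - (256 % ALPHABET.length); // bytes >= limit are discarded
  let out = '';
  for (let counter = 0; out.length < length; counter++) {
    const block = oracle(`${request}\n${counter}`);
    if (block.length !== 64) throw new Error('oracle must return 512 bits');
    for (const byte of block) {
      if (byte < limit && out.length < length) {
        out += ALPHABET[byte % ALPHABET.length];
      }
    }
  }
  return out;
}

// Constructed sample values, for demonstration only.
const demoOracle = makeOracle('constructed-demo-secret');
const first = derivePassword(demoOracle, 'example.org/alice');
const second = derivePassword(demoOracle, 'example.org/alice');
console.log('repeatable:', first === second);
```

Because the calling code holds only the request string, it can be stored anywhere; the password exists only when the request meets an oracle loaded with the right secret.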