
Vault Haxor

Store your credentials safely in the cloud

Vault Haxor is a simple credential management system inspired by LastPass, 1Password, and other similar solutions.

I wrote Vault Haxor as the final study project in the Network and Information Security program at Noroff Vocational College. The project was designed to be as simple as possible while maintaining confidentiality, integrity, and (hopefully) availability. Luckily for you, you can use the app for free. 😉

Confidentiality

How does the app maintain confidentiality? It does so by using client-side cryptography on all data except your email address. The only reason your email is not encrypted is that it is used to send you critical information about updates that affect you.

How is client-side cryptography different from "normal" confidentiality? I don't want a breach of my server to expose you: an attacker who compromised it could set up a sniffer or logger to collect your authentication attempts, obtain your password, and then use that password to decrypt your credentials. To prevent this, the app generates a hash of your password in your web browser and sends only that hash to the server for authentication. This makes it impossible for an attacker to gain access to your data without first obtaining your password itself, whether by hacking your computer, by phishing, or through some other kind of social engineering attack.

Application names/website names, usernames, and passwords are stored encrypted and are only ever encrypted and decrypted in your web browser. In other words, this application uses end-to-end encryption. This makes it impossible for me, who runs the application, or for anyone else who gains unauthorized access to the server, to sniff or log any part of your stored credentials.

Hashing of the master password for authentication is performed in the browser by using the Argon2 algorithm. To perform hashing, the open-source JavaScript library argon2-browser is used.

Encryption of the credentials is performed in the browser by using the open-source JavaScript library crypto-js.

Integrity

How does the app maintain integrity? Vault Haxor maintains integrity by only allowing users to access and modify their own apps and credentials. This is done using a session token that is generated when you log in and stored in your web browser. The token has a limited lifetime and is used to verify that you are the one trying to access or modify your data. You cannot access or modify your data if the token is missing or invalid. This token does not contain any sensitive or personally identifiable information (PII) and is only used to verify your identity.

Availability

But what about availability? Can you trust that the app will be running and available for use? I will try my best to keep this project running and available. The biggest incentive for keeping it running is that I use Vault Haxor myself. Since this is a non-commercial and free app with no guarantees at all, I will not, under any circumstances, guarantee the availability of the application. Again, this is a hobby project and not a commercial product. Do NOT expect the kind of availability from this app that you would expect from a commercial product.