Inspiration
As enthusiasts in the cybersecurity scene, we follow developments in the field and keep hearing about breaches at common password management services, LastPass and Norton LifeLock being two examples from the past two years. We wanted to build a solution for everyone's most sensitive data that is secure by design while remaining available everywhere in the world. In short, we set out to build a theoretically sound solution for an industry that demands nothing short of perfection.
What it does
PassLess is completely transparent about its cryptography and data handling. One design decision sets it apart from its competitors: there is no master password. Instead, users authenticate with WebAuthn, which requires a biometric or a physical security key and binds each credential to the site's origin, so a look-alike phishing site cannot replay it. This is combined with email-based 2FA as a second factor (note that an emailed code, unlike the WebAuthn assertion, can in principle be phished, so the phishing resistance comes from WebAuthn). For the password management part, nobody sees, hears, or accesses the user's unencrypted data or keys. All encryption happens on the client, and the keys are kept on the client for later use. What the server sees is the symmetric key wrapped (encrypted) with the user's public key, the user's encrypted password entries, and very basic account information. In the event of a server breach, the attacker obtains only ciphertext, wrapped keys and that account metadata; not a single user password is revealed. The flip side is that the client-held private key is the only way to unwrap the vault, so key persistence and recovery (see "What's next") matter as much as the encryption itself.
How we built it
We built a Next.js application in TypeScript as the main application, with WebAuthn for registration and login, and a JavaScript module containing the functions for browser-based RSA-OAEP and AES-GCM encryption via the Web Crypto API. A MySQL database and a backend server hold and transmit the encrypted data over the cloud.
Challenges we ran into
We ran into multiple challenges building the frontend experience and implementing the user functionality commonly found in other password managers, such as email verification and real-time password editing. The cryptography was also heavier on resources than a plain-password design (RSA key generation and key wrapping in particular), so we had to weigh a few tradeoffs without compromising security. Finally, finding browser-local storage where the keys persist across sessions was hard to manage: several options were either deprecated or insecure, since Web Storage holds only strings, which would leave a key sitting in plaintext. Storing a non-extractable CryptoKey object in IndexedDB avoids exposing the raw key bytes to page scripts.
Accomplishments that we're proud of
We are proud of being able to test the security of our application against the most common attacks with confidence. We ran our own simulated attacks: man-in-the-middle interception, key loggers, a complete breach of the server, rainbow-table cracking of the stored hashes, and network sniffing. None of them revealed anything more than the user's email address, which we consider a huge success.
What we learned
- The difficulty of implementing cryptographic schemes
- The variety of attack vectors everyone is exposed to simply by being on the internet
- The shift in the world away from passwords towards other forms of authentication
- Connecting different services together to create an application
What's next for PassLess
- Use of quantum-resistant cryptography in our models
- Allowing more forms of secure user access and integrations with more platforms
- Potential mobile/desktop apps with more support
- More advanced account recovery processes (securely generated passphrases still have their risks!)
- Expansion and cloud systems management, automated workflow
- Fixing minor user-side bugs and smaller issues that don't disturb the workflow
Built With
- figma
- javascript
- mysql
- next
- react
- typescript
- webauthn
- webcrypto