As many of you probably know, I’ve been working for quite some time on a project called Private Passwords. It is an online password management tool which stores your passwords for any site and allows you to retrieve them from anywhere in the world. One of the things that has niggled me for a while was the fact that the stored passwords were all encrypted with a single AES key, and there was no real barrier if someone somehow managed to get hold of that key. The AES key itself could not be derived from the user’s password, because Private Passwords allows businesses to set up accounts for everyone in their company to store and retrieve passwords. That means the key must be shared amongst all the users; otherwise a password encrypted by one user could not be read by another unless they happened to have exactly the same password.
However, Kelvin at work suggested adding a second “password” which would be used for each account (an account being either a single user’s account or a multiple-user business account), and I have been busy implementing this in Private Passwords. What this means is that there is a community-wide* secondary password, which I have called a “3D Code” (3-dimensional security: username, password and 3D Code). For example, “My Company” would have a 3D Code of “herebedragons”, known to everyone in the company, and user Joe Bloggs, who works for My Company, would enter his e-mail address, his password and the company’s 3D Code when he logs in. The 3D Code forms part of the encryption key, so at login it is checked against a stored hash to confirm that the decryption routine would work. If the check fails, authentication fails and the user cannot log in.
The important point here is that the 3D Code itself is never stored anywhere on Private Passwords, so even if the database were somehow compromised there would be no way of decrypting any of the passwords in the system without knowing the 3D Code, which is different for each home user and each business account. One caveat worth stating: the hash used to verify the 3D Code at login does live in the database, so an attacker who obtains a copy can guess codes offline against it; that is why the check should use a slow, salted key derivation rather than a plain hash, and why a long 3D Code matters. I think this is a great solution, and although it means having to remember your own password as well as the secondary 3D Code, I think this will provide users of Private Passwords with peace of mind when storing passwords, so thanks Kelvin for that brilliant idea!
* In Private Passwords, a community is a group of users. For a home account, there is one community per user, but for business accounts there is one community for everyone in the business.