meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
passwords [2023/09/14 19:40] – created johnnypasswords [2024/08/29 20:13] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== Passwords ====== +====== Credentials/Passwords ====== 
-TFlow allows you to store asset/URL credentials+ITFlow allows you to store asset/URL credentials
 {{:passwords-listing.png?nolink|}} {{:passwords-listing.png?nolink|}}
  
-Login Fields+===== Credential Fields ===== 
   * Name/Desc   * Name/Desc
-  * Username +  * Username (encrypted in database) 
-  * Password (encrypted) +  * Password (encrypted in database
-  * OTP (bug)+  * OTP
   * URL   * URL
   * Related vendor/asset/software   * Related vendor/asset/software
   * Notes   * Notes
  
-ITFlow Login Helper Browser Extension+===== How logins are protected ===== 
 + 
 +All login password data is encrypted at rest, and ideally in transit as you're using HTTPS to access your ITFlow instance, //right//? 
 + 
 +In order to understand how ITFlow encrypts login entries, you must first understand the requirements: 
 + 
 +  - Securely protect login entries with encryption 
 +  - Never store the plaintext encryption key in the database / on disk 
 +  - Allow multiple users to easily and quickly access login passwords 
 +  - Not require a server TPM chip or third party server/service for secret management 
 + 
 +With that in mind, the solution decided upon was to generate an AES master key during the initial installation and **encrypt this master key for each technician using their password** hash as their "user-specific key". Each login entry is protected with this master key using AES 128-bit encryption. This ensures that each user has access to passwords without storing the plaintext master key anywhere. In order to avoid storing the user's password or the master key for the duration of their session, an encrypted session key is generated and stored in the users session and provided to them as a cookie. This helps to further protect the master key as it never hits the disk/database in cleartext. 
 + 
 +This approach is by no means perfect. It also means that **if you forget/lose all user account passwords and haven't backed up the master AES key, your login passwords are not able to be decrypted by anyone!** We would much rather that you lose access to systems and spend the day resetting passwords than your passwords being compromised due to a server misconfiguration/compromise, etc. Make sure to **[[backups|backup]] your AES master key**, and **ideally have at least two admin accounts** for safety. 
 + 
 +I've abstracted some of the details here for readability. If you'd like to get into the technical detail of how this is done, please review the associated [[https://github.com/johnnyq/itflow/pull/265|PR]], specifically functions.php. If you have any questions/comments please raise them on the [[https://forum.itflow.org|Forum]]. 
  
-A browser extension is available for [[https://chrome.google.com/webstore/detail/itflow-login-helper/afgpakhonllnmnomchjhidealcpmnegc?hl=en-GB&authuser=0|Chrome]]. Upon being clicked, the extension will check the current site hostname and will attempt to fill the username/password of an ITFlow login entry with that hostname. Note that the extension is in Beta.+==== (Not in active use) ITFlow Login Helper Browser Extension ====
  
 +A browser extension is available for [[https://chrome.google.com/webstore/detail/itflow-login-helper/afgpakhonllnmnomchjhidealcpmnegc?hl=en-GB&authuser=0|Chrome]]. Upon being clicked, the extension will check the current site hostname and will attempt to fill the username/password of an ITFlow login entry with that hostname. //Note that the extension is in Beta//.