After non-stop security problems with password manager LastPass, I decided to make my own: aeKee.com.
It’s an entirely browser-based system: all encryption is performed client side, in the user’s browser, before the data is sent to the server for secure storage. Industry-standard encryption techniques and algorithms are used throughout.
Main features are:
* Password manager. Stores all of your passwords and secure notes with easy rapid access so long as you’ve passed security.
* Password generator. Unique, strong, long, brute-force-proof passwords are generated automatically as required.
* Secure note storage. Safely store secure plain-text information in your vault.
* Secure note sharing. Send an encrypted message to someone by email. If they know the password, they can decrypt it and see what it says.
From the FAQ…
How secure is it?
There are a number of pieces of information involved, and we secure them in different ways as follows:
When you register and log in, your email address and account password are transmitted (POSTed) to us over an SSL connection (the data portion of which is not logged), then salted and one-way hashed using the latest PHP 7.1 password hashing algorithm and stored on our server in a caged file system using CloudLinux and CageFS. Even if someone gained access to the data we store, they would not be able to do anything with it: it has been one-way hashed. Here’s an example data block for an account’s credentials:
We do not store your email address or password in a reversible way.
Your email address and password are used to encrypt your 2FA (two-factor authentication) secret (there’s an encrypted secret in the block of characters above). This is done reversibly, so that when you log in we can decrypt your 2FA secret and check that the 2FA digits you enter match the ones Google Authenticator says they should be.
Here’s what’s stored on the server for a vault with very little in it:
A record of your logins and failed logins is kept; however, this data is encrypted on the server side using a salt and a PBKDF2-derived version of your account login credentials. We do not know your login credentials and so we cannot decrypt these logs: only you can. Here’s an example record of a login event. It includes the remote IP address, the time, and browser details:
Notes are encrypted (in the same way vaults are) in the browser then uploaded and stored on our server when ‘sent’. The specified recipient receives an email with a link, and a plain-text comment from the sender. If the recipient knows the correct password, they are able to decrypt and view the message. The moment the recipient clicks on the link, the server copy of the message is destroyed so it can never be seen again.
Here’s an example – this example is unique in that, for the purposes of this demonstration, the server does not destroy its local copy.
The password is: aetherweb
Our server is as secure as we can possibly make it. We work very, very hard to achieve this and it would be foolhardy to go into public technical detail. Rest assured we’ve taken every normal measure, and a lot of additional ones too. Regardless, even the best servers get compromised from time to time, so we’ve built this entire application with the insistence that should all data on our server be made public, there is no risk to our users’ confidentiality or integrity. Additionally, all of the application files on the server are scanned routinely (we use SHA3-512 hashes) and compared to the known release versions; any differences detected are immediately highlighted to us so that we can take instant remedial action.