I’m a software dev working on an open-source password manager (dev lib, GUI and CLI) for educational and, eventually, practical purposes. There doesn’t seem to be all that much information regarding vault-based password managers, the security they build on, their attack vectors and the common practices to protect against them.
So I was wondering what safety precautions the application (especially the GUI app) can take to keep the data secure?
For unlocking and adding/removing entries in the vault:
- 1/2FA to unlock the vault
- It uses AES-GCM + Argon2id for password hashing/validation and data encryption.
- Sensitive data is stored in libsodium sodium_malloc memory and set to sodium_mprotect_noaccess, whether it is encrypted or not
- It’ll offer password/word generation as well as warning against passwords existing in password lists
- Data is zeroized before it is deallocated/dropped
- Vault is locked based on inactivity
To summarize my questions:
- While I’ve understood that memory handling could only ever be made relatively safer by using Intel SGX & AMD SEV enclaves, are there possibly any glaring flaws that I should know about in any category of the protection a password manager is supposed to offer?
- Are there generally any safety precautions that can be taken when presenting the sensitive information to the user, apart from proper cleanup? It will support “revealing” the password in readable form, copying to the clipboard and QR code generation.
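
The memory-handling pattern listed in the post (no-access pages while idle, zeroize before release, lock on inactivity), as an added example that is not part of the original post or the poster's project. It uses plain POSIX mmap/mprotect as a stand-in for sodium_malloc and sodium_mprotect_noaccess; secret_region and the region_* functions are hypothetical names.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical names. Plain POSIX stand-in for sodium_malloc and
 * sodium_mprotect_noaccess; it has no guard pages or canary. */
typedef struct { unsigned char *buf; size_t len; time_t last_use; int locked; } secret_region;

/* volatile stores so the compiler cannot drop the wipe as a dead write */
static void wipe(volatile unsigned char *p, size_t n) { while (n--) *p++ = 0; }

/* Copy a secret of at most one page into its own locked, no-access page. */
int region_init(secret_region *r, const void *secret, size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (n == 0 || n > page) return -1;
    void *m = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    (void)mlock(m, page);                      /* best effort: keep it out of swap */
    memcpy(m, secret, n);
    r->buf = m; r->len = page; r->last_use = time(NULL); r->locked = 0;
    return mprotect(m, page, PROT_NONE);       /* unreadable while idle */
}

/* Readable only for the duration of the copy; caller must wipe `out`. */
int region_read(secret_region *r, void *out, size_t n) {
    if (r->locked || n > r->len) return -1;
    if (mprotect(r->buf, r->len, PROT_READ) != 0) return -1;
    memcpy(out, r->buf, n);
    r->last_use = time(NULL);
    return mprotect(r->buf, r->len, PROT_NONE);
}

/* Inactivity lock: wipe and unmap after `timeout` idle seconds. Returns 1 if locked. */
int region_lock_if_idle(secret_region *r, time_t now, time_t timeout) {
    if (r->locked) return 1;
    if (now - r->last_use < timeout) return 0;
    if (mprotect(r->buf, r->len, PROT_READ | PROT_WRITE) != 0) return -1;
    wipe(r->buf, r->len);
    (void)munlock(r->buf, r->len);
    (void)munmap(r->buf, r->len);
    r->buf = NULL; r->locked = 1;
    return 1;
}
```

The copy handed back by region_read is outside the protected page, which is where the reveal, clipboard and QR paths from the second question leave the guarded region.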