What is it?

MyPassBox is designed to be a simple personal password storage service – capable of saving information for multiple users accessing the same application.

How it works:
The application allows a user to create a master account, without which, the user cannot access the ‘real password saving program.’
This not only ensures that other users on the computer do not have unrestricted access to the data of others, but also supports multiple users using the same application to store separate, non-conflicting data.

The application locally stores two ‘database (.db)’ files in same the directory where the application is executed.
For example, if the application is run on the Desktop, two storage files would be saved there.
The names of the respective files are: 1) “mypassbox_minordata” and 2) “mypassbox_masterdata”

While the application itself is responsible for running the interface that the user interacts with, the actual data is stored in these files.
It is recommended that you keep the application in the folder that it came in, such that the two storage files are not lost.

Is it secure?:
MyPassBox uses Argon2id as the cryptographic algorithm for the master user account passwords to avoid storing the passwords as normal text [e.g. mypass123 would be read as DC/YbdZLPVSvIX1IZKdWeA]. Argon2 has been ranked number 1 by the Password Hashing Competition (PHC) since 2015.

Hashing is a designed to be a one-way scrambling method, so it is near impossible for the passwords to be converted back into plain text. Argon2id also salts passwords, which adds a ‘randomly’ regenerated amount of information (bytes) to passwords before the hashing process – thereby fortifying passwords to specific types of cryptographic attacks. 

It is worth noting that considering the sophistication of the argon2id hashing algorithm used in this program, creating a master user account and logging in can take around 1-2 seconds (compared to a sub-second login time when it is not implemented).

On the other hand, minor account passwords (passwords stored under their respective master user), considering that they have to be retrieved as plain text, are encrypted using Fernet encryption. Fernet guarantees that any message encrypted using its algorithm cannot be read without the 128-bit key.

In other words, opening the any of the two database files would not compromise password security, since the passwords are not stored exactly as they are entered.