PHPCRED-13: Password Usage Search



Issue Information

Issue Type: New Feature
 
Priority: Major
Status: In Progress

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PHPCredlocker (PHPCRED)
Resolution: Unresolved
Target version: 1.25,
Components: Crypto , Storage ,

Created: 2013-12-07 00:52:43
Time Spent Working


Description
Would need to be a Super-Admin only function.

If a password is known to be compromised (or it's known that a specific pass has been re-used), it'd be good to be able to search all stored credentials to display a list of where that password is used.

Would need to encrypt the submitted password with all available crypto keys (so begin by retrieving cred types) and then search the database for that value.

Obviously needs to be well secured to prevent introducing a fairly severe security hole!


Toggle State Changes

Activity


btasker added '1.25' to Fix Version
btasker removed '1.5' from Fix Version
btasker changed status from 'Open' to 'In Progress'
Given the potential number of keys, and the key length, it'll need to be 1 request per credType to ensure that we don't hit any execution limits. So whilst the view needs to be created, most of the legwork will need to be created through an AJAX request.

Would suggest the resulting output is along the following lines

|Customer|CredType|Username|Comment|Edit Cred Link|
The API request method to use is


searchCredValue


The view name is


searchCreds


No real functionality implemented as yet, but the JS functions are in place (if currently somewhat useless)
Feature implemented to a basic level.

Have merged and closed the feature branch. Changes now in Dev