SlideShare a Scribd company logo

Enhancing Password Manager Chrome Extension through Multi Authentication and Device Logs

I
ijtsrd

The document describes a proposed enhancement to password manager Chrome extensions through multi-authentication and device logs. The proposed system would use PGP encryption and require 2FA for authentication. It would provide cross-device authentication and store user credentials in a secure manner. The system would use Angular, Node.js, MongoDB, and include modules for signup, login, and storing credentials. Implementing this as a Chrome extension initially could later be expanded to mobile or desktop apps to provide a more secure open-source password manager.

Education
1 of 7
Download to read offline
1
2
3
4
5
6
7
International Journal of Trend in Scientific Research and Development (IJTSRD) Volume 6 Issue 3, March-April 2022 Available Online: www.ijtsrd.com e-ISSN: 2456 – 6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1564 Enhancing Password Manager Chrome Extension through Multi-Authentication and Device Logs Karthika Venugopal K, Prof. Priya. N School of CS & IT, Jain University, Bangalore, Karnataka, India ABSTRACT During the early years of the Internet, people used to have a few passwords for a few important web programmes that they used to shop, study, stay connected, and get work done. Things have gotten a lot more complicated. Last-research pass's from 2017 found that users had to remember an average of 191 different passwords—just for work—not to mention their own passwords. Users can save their credentials in an organized manner using the proposed system, such as Finance, Shopping, OTT, social networking, and Work. Users can also create new categories for themselves. Furthermore, upon logging in, the user must go through 2FA verification, which sends a unique six-digit numeric number to the user's authenticator App(s).A Time- Based One-Time Password (TOTP, or OTP) is a sequence of dynamic numbers that changes with the passage of time. Frequently, these take the form of sic-digit numbers that change every 30 seconds. TOTPs are created using a secret seed password that is given to users in the form of a QR code or in plaintext when they register. TOTPs (and their seeds) are stored on either hardware security tokens or soft tokens, which are apps that show the numbers on mobile devices. TOTP deciphers a code from the secret using Greenwich Mean Time (GMT). KEYWORDS: Password manager, Authentication, 2FA, Chrome Extension, unauthorized access, Mongo DB, Node.js, Google Authenticator, TOTP How to cite this paper: Karthika Venugopal K | Prof. Priya. N "Enhancing Password Manager Chrome Extension through Multi-Authentication and Device Logs" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456- 6470, Volume-6 | Issue-3, April 2022, pp.1564-1570, URL: www.ijtsrd.com/papers/ijtsrd49775.pdf Copyright © 2022 by author (s) and International Journal of Trend in Scientific Research and Development Journal. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0) (http://creativecommons.org/licenses/by/4.0) I. INTRODUCTION This proposal for a password manager product will be an open-source, cross-platform application that uses PGP encryption standards & 2FA, another outstanding feature of this product is its abilityto give consumers with cross-device authentication. Initially, the aim was to implement this project idea as a Google Chrome extension, and then, based on user input, improve the idea as a Desktop Application / Mobile Application in the future. The main goal of this project is to provide users with a secure password manager in the form of a Google extension that can be used from anywhere and in any Google web store compatible browser, as well as a list of device logs that show the number of devices on which the account is active. The Significance of the proposed system is to provide users a secure password manager by overcoming below cons of the existing Chrome extension (Existing System). Cross-Device authentication. Digital Signature for Recovery and Backup of account. PGP Encryption and Decryption standard to store & retrieve users data. Multi-factor authentication is implemented to improve the initial security of the application. Device logs are made available to the user so that the user can keep track of which device is active & which is not. Following are the brief explanation about the technology used to build the product: - A. Angular7 Angular 7 is an open source JavaScript framework for developing web applications and apps in JavaScript, HTML, and Typescript, a JavaScript superset. Angular comes with built-in animation, http service, and materials, which come with features like auto- complete, navigation, toolbar, menus, and more. The IJTSRD49775
International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1565 code is written in Typescript, which is then translated into JavaScript and shown in the browser. B. Node.js Node.js is a cross-platform runtime environment and framework for executing JavaScript outside of the browser. It's used to make server-side and network web applications. It's free to use and open source. Many of Node.js' core modules are developed in JavaScript. The most common usage of Node.js is to execute real-time server applications. The following is the official documentation's definition: Node.js is a framework for easily creating fast and scalable network applications based on Chrome's JavaScript runtime. Node.js is lightweight and efficient because to its event-driven, non-blocking I/O approach, which is ideal for data-intensive real-time applications that operate across multiple devices C. MongoDB The technique for storing and retrieving data is provided by a database management system.[2] Different types of database management systems exist: RDBMS (Relational Database Management System) (Relational Database Management Systems) OLAP (Online Analytical Processing) (Online Analytical Processing) NoSQL database (Not only SQL) Relational databases, such as MySQL, are not the same as NoSQL databases. Before you can actually put data into a relational database, you must first construct the table, specify the structure, and set the data types of fields, among other things. You don't have to worry about it with NoSQL because you can insert and update data on the fly.[2]One of the benefits of NoSQL databases is that they are extremely easy to scale and perform substantially faster in the majority of database operations. There are times when a relational database is preferable to a NoSQL database, however when dealing with large amounts of data, a NoSQL database is the best option.[2]MongoDB is a document-oriented database that is open source and holds data in the form of documents (key and value pairs). Document-based databases are one sort of NoSQL database, as we mentioned in our previous course (NoSQL introduction).[2] D. Ajax Ajax is an acronym that stands for Asynchronous Javascript And Xml. Ajax is just a method of retrieving data from a server and modifying sections of a web page without having to reload the entire page. Essentially, Ajax uses the browser's built-in XML Http Request (XHR) object to send and receive data to and from a web server in the background, asynchronously, without blocking the page or interfering with the user's experience. Ajax has grown in popularity to the point where it's difficult to find an application that doesn't use it in some way. Gmail, Google Maps, Google Docs, YouTube, Facebook, Flickr, and a slew of other large-scale Ajax-driven internet apps are examples. E. Google Authenticator Google Authenticator is a software-based authenticator developed by Google for authenticating users of software applications using the Time-based One-time Password Algorithm (TOTP; described in RFC 6238) and HMAC-based One-time Password Algorithm (HOTP; specified in RFC 4226). Authenticator must must be installed on a smartphone before it can be used. It must be configured for each site with which it will be used: the site will provide the user a shared secret key through a secure channel, which the user will store in the Authenticator app. This secret key will be needed to log in to the site in the future. The user enters a username and password to log into a site or service that supports two-factor authentication and Authenticator. The site then calculates (but does not disclose) the six-digit one- time password necessary and prompts the user to enter it. The user launches the Authenticator app, which generates and displays the same password, which the user enters to verify their identity. II. LITERATURE REVIEW 1. A different technique of authentication is to use devices that are always nearby and personal like mobile phones or a credential server. Password- based authentication protocols are the result of a lot of research and testing. Wu suggests using a strong password, more contemporary protocols such as the PAKE protocols, can function with weak passwords to prevent dictionary attacks on the information transferred. When compromising a service provider, different variants of PAKE protocols prohibit an attacker from impersonating a user. Compact PAKE is a protocol that is similar to EKE2 however, it is more compact and incorporates user key parameter retrieval as well as asymmetric authentication. 2. The PAKE authentication mechanism is used by Better Auth, although it doesn't support password stretching. Van Laer proposes using KDF for password stretching and storing the needed salt parameters at the service provider, which is similar to our method. In comparison to our work, they only use pre-defined KDF factors, such as CPU cost, and only have configurable salt,
International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1566 making their account aging solution inflexible. They also employ the Schnorrprotocol, which is susceptible to parameter attacks, such as when the provider provides a tampered salt value. 3. An intriguing Key Derivation Function strategy is that it is not susceptible to parameter attacks. When assessing a Halting Key Derivation Function, the user runs a KDF algorithm until it reaches a halting parameter. A password that isn't legitimate can't be ruled out completely. When attempting a dictionary attack, this results in an attacker having to do more than three times the work. The HPAKE authentication protocol employs an HKDF and saves the necessary halting parameter at the predefined provider. External attackers can't see the halting parameters because of a covert credential retrieval technique, which makes offline dictionary attacks unfeasible. A parameter attack would be impossible with HPAKE since the user's HKDF calculation would not finish. A usability issue with HKDFs is that a user who inadvertently enters an erroneous password does not receive a timely notification about the error. Any typical state-of-the-art KDF can be used with our method. 4. Another set of authentication techniques makes use of external devices such as mobile phones or a credential server. No additional device or server is required in our job for the service provider's authentication. Management of passwords. A method that does not require the use of a server. A user's password being reused on several websites is to deduce a hash function that takes the value of the authentication key as inputs, passes the domain name and the password. Since this method is sensitive to dictionary assaults. To strengthen the hash function, it was recommended to use it n times. is the password n, on the other hand, is a hard-coded value. This indicates that the method will not be adaptable to future hardware. 5. Pvault provides two prominent services like cloud storage and password management, with the drawback of using the same password for both data encryption and storage server authentication. Zhao uses KDF to protect a password that is stored on a secure, reliable cloud storage system, but a simple authentication technique is used. Passport uses a similar basic key stretching mechanism as Halderman, except KDF parameters are stored on a Passport server. Passport, on the other hand, uses the Secure Remote Password protocol for authentication, which is vulnerable to parameter attacks. 6. The contributing factors of research carried out in the field of password manager has had a direct impact on cryptography and penetration testing. Hence, the majority of this study focuses on vast collections of academic studies on the security measures taken by most featured password managers and penetration testing experiments performed by security auditing teams. Furthermore, any checks performed on password managers have been extended to the full extent possible. 7. Moving on to the security analysis trends, we learned about featured password manager services like Last Pass and 1Password. Auto-fill is a function present in several popular password managers, and other browser-based password managers like Chrome web browser and Safari web browser. It has been discovered that major flaws exist that takes advantage of the auto-fill feature, such as I Frame sweep attacks, password sync exploits, and injections. III. PROBLEM FORMULATION The available password managers are either Desktop Applications or Web Apps. So, every single time a user needs to launch the application & update the password manager database if there's any change made to the credentials. All the available password manager extensions use AES/DES encryption/decryption standards so passing through those encryption keys is not a tedious task for hackers. IV. OVERVIEW OF THE APPLICATION A. SYSTEM ARCHITECTURE The proposed system will be an open-source and cross-platform application that involves PGP Encryption standards. Users are required to submit their digital signature related files to access their profile every time they need to manage their passwords. Another impeccable feature of this product is to provide users easy accessibility through cross-device authentication. Fig1: System architecture The above diagram shows the relationship between server & client and how the function of a client is dependent on the server for the functioning of the product.
International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1567 B. Structure of the extension In the above diagram the structure of the extension is read by the manifest. json file which will have the version number, name & description about the extension. C. Chrome extension workflow structure The above diagram shows the workflow of the proposed system from its initial state to end state. D. Authentication flow structure
International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1568 E. Node.js middleware flow diagram F. User token generation process V. Modules The proposed system involves flowing modules: - Signup module In this module user provides username/email to register/signup to the application. Once user is successfully registered, he will be getting a 16-digit secret key to generate TOTP. Login module In this module user logs in with his registered username/email to the application. Once login is successful user will be taken to TOTP screen.
International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1569 Store credentials module In this module user will store his credentials & stored credentials will be sent to database & stored there for future reference.
International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1570 VI. CONCLUSION& FUTURE SCOPE Proposed System is a better password manager as a Google Chrome plugin with 2FA for this research. We demonstrated that when employing PGP encryption technology for secure password-based encryption, a strong authentication approach is required to keep the user's password hidden. Users would simply need their login credentials to log in, and the proposed system would decrypt their data, allowing them to maintain track of their passwords. A. Future Scope The future enhancements of the proposed system are:- Converting the product into mobile or iOS Applications. Using updated encryption & decryption standards Providing it as a Desktop application using Electron.js framework Enabling the feature of signing up through social networks like Facebook, Google, and LinkedIn. REFERENCES [1] M. Bishop and D.V. Klein. Improving system security via proactive password checking. Computers & Security, 14(3):233–249, [2] J. Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. Security and Privacy (SP).IEEE Symposium on, pages 538–552, 2012. [3] Malone and K. Maher. Investigating the distribution of password choices. In Proceedings of the 21st international conference on World Wide Web, WWW ‟12, pages 301–310, New York, NY, USA, 2012. ACM [4] https://www.thirdrocktechkno.com/blog/node- js-socket-io-chrome-extension-integration/ [5] https://ieeexplore.ieee.org/document/8456009 [6] https://ieeexplore.ieee.org/document/8326801 [7] https://www.section.io/engineering- education/speakeasy-two-factor-authentication- innodejs/#:~:text=May%205%2C%202021&te xt=Two%2Dfactor%20authentication%20is%2 0a,username%2Fe mail%20and%20password%20authentication. [8] https://www.npmjs.com/ [9] https://www.npmjs.com/package/otplib [10] https://otplib.yeojz.dev/

More Related Content

PPTX
Two factor authentication.pptx
ArpithaShoby
 
PPTX
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
 
PDF
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Yu-Shuan Hsieh
 
PDF
TYPES OF AUTHENTICATIONS IN WEB BASED FRONTEND
ijait
 
PDF
TYPES OF AUTHENTICATIONS IN WEB BASED FRONTEND
ijait
 
PDF
325 330
Editor IJARCET
 
PPTX
Presentation of website analytics in webi
hemantshrivas2004
 
PDF
The State of Passwordless Auth on the Web - Phil Nash
All Things Open
 
Two factor authentication.pptx
ArpithaShoby
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
 
Chrome Dev Summit 2020 Extended: Improve Your Web Authentication Security
Yu-Shuan Hsieh
 
TYPES OF AUTHENTICATIONS IN WEB BASED FRONTEND
ijait
 
TYPES OF AUTHENTICATIONS IN WEB BASED FRONTEND
ijait
 
325 330
Editor IJARCET
 
Presentation of website analytics in webi
hemantshrivas2004
 
The State of Passwordless Auth on the Web - Phil Nash
All Things Open
 

Similar to Enhancing Password Manager Chrome Extension through Multi Authentication and Device Logs (20)

PDF
Web Authn & Security Keys: Unlocking the Key to Authentication
FIDO Alliance
 
PDF
The state of passwordless auth on the web
Phil Nash
 
PPTX
Better Security With Two Factor Authentication (PHP Unconference 2013)
Norman Soetbeer
 
PPTX
Access management
Venkatesh Jambulingam
 
PDF
Getting authentication right
Andre N. Klingsheim
 
PDF
Killing Passwords with JavaScript
Francois Marier
 
PDF
Kx3518741881
IJERA Editor
 
PDF
Node.js Authentication and Data Security
Tim Messerschmidt
 
PDF
WebAuthn & FIDO2
Leonard Moustacchis
 
PDF
UNIT 2 Information Security Sharad Institute
SatishPise4
 
PDF
CNIT 129: 6. Attacking Authentication
Sam Bowne
 
PPT
Web authentication
Pradeep J V
 
PDF
IRJET- Multi sharing Data using OTP
IRJET Journal
 
PPT
Authentication Technologies
Nicholas Davis
 
PPT
Authentication technologies
Nicholas Davis
 
PPTX
WebAuthn - The End of the Password As We Know It?
Thomas Konrad
 
PDF
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
cscpconf
 
PPTX
Web authentication
shubham dhiman
 
PDF
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
PDF
Web Authentication: a Future Without Passwords?
Natasha Rooney
 
Web Authn & Security Keys: Unlocking the Key to Authentication
FIDO Alliance
 
The state of passwordless auth on the web
Phil Nash
 
Better Security With Two Factor Authentication (PHP Unconference 2013)
Norman Soetbeer
 
Access management
Venkatesh Jambulingam
 
Getting authentication right
Andre N. Klingsheim
 
Killing Passwords with JavaScript
Francois Marier
 
Kx3518741881
IJERA Editor
 
Node.js Authentication and Data Security
Tim Messerschmidt
 
WebAuthn & FIDO2
Leonard Moustacchis
 
UNIT 2 Information Security Sharad Institute
SatishPise4
 
CNIT 129: 6. Attacking Authentication
Sam Bowne
 
Web authentication
Pradeep J V
 
IRJET- Multi sharing Data using OTP
IRJET Journal
 
Authentication Technologies
Nicholas Davis
 
Authentication technologies
Nicholas Davis
 
WebAuthn - The End of the Password As We Know It?
Thomas Konrad
 
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
cscpconf
 
Web authentication
shubham dhiman
 
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
Web Authentication: a Future Without Passwords?
Natasha Rooney
 
Ad

More from ijtsrd (20)

PDF
A Study of School Dropout in Rural Districts of Darjeeling and Its Causes
ijtsrd
 
PDF
Pre extension Demonstration and Evaluation of Soybean Technologies in Fedis D...
ijtsrd
 
PDF
Pre extension Demonstration and Evaluation of Potato Technologies in Selected...
ijtsrd
 
PDF
Pre extension Demonstration and Evaluation of Animal Drawn Potato Digger in S...
ijtsrd
 
PDF
Pre extension Demonstration and Evaluation of Drought Tolerant and Early Matu...
ijtsrd
 
PDF
Pre extension Demonstration and Evaluation of Double Cropping Practice Legume...
ijtsrd
 
PDF
Pre extension Demonstration and Evaluation of Common Bean Technology in Low L...
ijtsrd
 
PDF
Enhancing Image Quality in Compression and Fading Channels A Wavelet Based Ap...
ijtsrd
 
PDF
Manpower Training and Employee Performance in Mellienium Ltdawka, Anambra State
ijtsrd
 
PDF
A Statistical Analysis on the Growth Rate of Selected Sectors of Nigerian Eco...
ijtsrd
 
PDF
Automatic Accident Detection and Emergency Alert System using IoT
ijtsrd
 
PDF
Corporate Social Responsibility Dimensions and Corporate Image of Selected Up...
ijtsrd
 
PDF
The Role of Media in Tribal Health and Educational Progress of Odisha
ijtsrd
 
PDF
Advancements and Future Trends in Advanced Quantum Algorithms A Prompt Scienc...
ijtsrd
 
PDF
A Study on Seismic Analysis of High Rise Building with Mass Irregularities, T...
ijtsrd
 
PDF
Descriptive Study to Assess the Knowledge of B.Sc. Interns Regarding Biomedic...
ijtsrd
 
PDF
Performance of Grid Connected Solar PV Power Plant at Clear Sky Day
ijtsrd
 
PDF
Vitiligo Treated Homoeopathically A Case Report
ijtsrd
 
PDF
Vitiligo Treated Homoeopathically A Case Report
ijtsrd
 
PDF
Uterine Fibroids Homoeopathic Perspectives
ijtsrd
 
A Study of School Dropout in Rural Districts of Darjeeling and Its Causes
ijtsrd
 
Pre extension Demonstration and Evaluation of Soybean Technologies in Fedis D...
ijtsrd
 
Pre extension Demonstration and Evaluation of Potato Technologies in Selected...
ijtsrd
 
Pre extension Demonstration and Evaluation of Animal Drawn Potato Digger in S...
ijtsrd
 
Pre extension Demonstration and Evaluation of Drought Tolerant and Early Matu...
ijtsrd
 
Pre extension Demonstration and Evaluation of Double Cropping Practice Legume...
ijtsrd
 
Pre extension Demonstration and Evaluation of Common Bean Technology in Low L...
ijtsrd
 
Enhancing Image Quality in Compression and Fading Channels A Wavelet Based Ap...
ijtsrd
 
Manpower Training and Employee Performance in Mellienium Ltdawka, Anambra State
ijtsrd
 
A Statistical Analysis on the Growth Rate of Selected Sectors of Nigerian Eco...
ijtsrd
 
Automatic Accident Detection and Emergency Alert System using IoT
ijtsrd
 
Corporate Social Responsibility Dimensions and Corporate Image of Selected Up...
ijtsrd
 
The Role of Media in Tribal Health and Educational Progress of Odisha
ijtsrd
 
Advancements and Future Trends in Advanced Quantum Algorithms A Prompt Scienc...
ijtsrd
 
A Study on Seismic Analysis of High Rise Building with Mass Irregularities, T...
ijtsrd
 
Descriptive Study to Assess the Knowledge of B.Sc. Interns Regarding Biomedic...
ijtsrd
 
Performance of Grid Connected Solar PV Power Plant at Clear Sky Day
ijtsrd
 
Vitiligo Treated Homoeopathically A Case Report
ijtsrd
 
Vitiligo Treated Homoeopathically A Case Report
ijtsrd
 
Uterine Fibroids Homoeopathic Perspectives
ijtsrd
 
Ad

Recently uploaded (20)

PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PPTX
master seminar digital applications in india
ananyaray35
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
master seminar digital applications in india
ananyaray35
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
Pre independence Education in Inndia.pdf
goofy5603
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 

Enhancing Password Manager Chrome Extension through Multi Authentication and Device Logs

  • 1. International Journal of Trend in Scientific Research and Development (IJTSRD) Volume 6 Issue 3, March-April 2022 Available Online: www.ijtsrd.com e-ISSN: 2456 – 6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1564 Enhancing Password Manager Chrome Extension through Multi-Authentication and Device Logs Karthika Venugopal K, Prof. Priya. N School of CS & IT, Jain University, Bangalore, Karnataka, India ABSTRACT During the early years of the Internet, people used to have a few passwords for a few important web programmes that they used to shop, study, stay connected, and get work done. Things have gotten a lot more complicated. Last-research pass's from 2017 found that users had to remember an average of 191 different passwords—just for work—not to mention their own passwords. Users can save their credentials in an organized manner using the proposed system, such as Finance, Shopping, OTT, social networking, and Work. Users can also create new categories for themselves. Furthermore, upon logging in, the user must go through 2FA verification, which sends a unique six-digit numeric number to the user's authenticator App(s).A Time- Based One-Time Password (TOTP, or OTP) is a sequence of dynamic numbers that changes with the passage of time. Frequently, these take the form of sic-digit numbers that change every 30 seconds. TOTPs are created using a secret seed password that is given to users in the form of a QR code or in plaintext when they register. TOTPs (and their seeds) are stored on either hardware security tokens or soft tokens, which are apps that show the numbers on mobile devices. TOTP deciphers a code from the secret using Greenwich Mean Time (GMT). KEYWORDS: Password manager, Authentication, 2FA, Chrome Extension, unauthorized access, Mongo DB, Node.js, Google Authenticator, TOTP How to cite this paper: Karthika Venugopal K | Prof. Priya. N "Enhancing Password Manager Chrome Extension through Multi-Authentication and Device Logs" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456- 6470, Volume-6 | Issue-3, April 2022, pp.1564-1570, URL: www.ijtsrd.com/papers/ijtsrd49775.pdf Copyright © 2022 by author (s) and International Journal of Trend in Scientific Research and Development Journal. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0) (http://creativecommons.org/licenses/by/4.0) I. INTRODUCTION This proposal for a password manager product will be an open-source, cross-platform application that uses PGP encryption standards & 2FA, another outstanding feature of this product is its abilityto give consumers with cross-device authentication. Initially, the aim was to implement this project idea as a Google Chrome extension, and then, based on user input, improve the idea as a Desktop Application / Mobile Application in the future. The main goal of this project is to provide users with a secure password manager in the form of a Google extension that can be used from anywhere and in any Google web store compatible browser, as well as a list of device logs that show the number of devices on which the account is active. The Significance of the proposed system is to provide users a secure password manager by overcoming below cons of the existing Chrome extension (Existing System). Cross-Device authentication. Digital Signature for Recovery and Backup of account. PGP Encryption and Decryption standard to store & retrieve users data. Multi-factor authentication is implemented to improve the initial security of the application. Device logs are made available to the user so that the user can keep track of which device is active & which is not. Following are the brief explanation about the technology used to build the product: - A. Angular7 Angular 7 is an open source JavaScript framework for developing web applications and apps in JavaScript, HTML, and Typescript, a JavaScript superset. Angular comes with built-in animation, http service, and materials, which come with features like auto- complete, navigation, toolbar, menus, and more. The IJTSRD49775
  • 2. International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1565 code is written in Typescript, which is then translated into JavaScript and shown in the browser. B. Node.js Node.js is a cross-platform runtime environment and framework for executing JavaScript outside of the browser. It's used to make server-side and network web applications. It's free to use and open source. Many of Node.js' core modules are developed in JavaScript. The most common usage of Node.js is to execute real-time server applications. The following is the official documentation's definition: Node.js is a framework for easily creating fast and scalable network applications based on Chrome's JavaScript runtime. Node.js is lightweight and efficient because to its event-driven, non-blocking I/O approach, which is ideal for data-intensive real-time applications that operate across multiple devices C. MongoDB The technique for storing and retrieving data is provided by a database management system.[2] Different types of database management systems exist: RDBMS (Relational Database Management System) (Relational Database Management Systems) OLAP (Online Analytical Processing) (Online Analytical Processing) NoSQL database (Not only SQL) Relational databases, such as MySQL, are not the same as NoSQL databases. Before you can actually put data into a relational database, you must first construct the table, specify the structure, and set the data types of fields, among other things. You don't have to worry about it with NoSQL because you can insert and update data on the fly.[2]One of the benefits of NoSQL databases is that they are extremely easy to scale and perform substantially faster in the majority of database operations. There are times when a relational database is preferable to a NoSQL database, however when dealing with large amounts of data, a NoSQL database is the best option.[2]MongoDB is a document-oriented database that is open source and holds data in the form of documents (key and value pairs). Document-based databases are one sort of NoSQL database, as we mentioned in our previous course (NoSQL introduction).[2] D. Ajax Ajax is an acronym that stands for Asynchronous Javascript And Xml. Ajax is just a method of retrieving data from a server and modifying sections of a web page without having to reload the entire page. Essentially, Ajax uses the browser's built-in XML Http Request (XHR) object to send and receive data to and from a web server in the background, asynchronously, without blocking the page or interfering with the user's experience. Ajax has grown in popularity to the point where it's difficult to find an application that doesn't use it in some way. Gmail, Google Maps, Google Docs, YouTube, Facebook, Flickr, and a slew of other large-scale Ajax-driven internet apps are examples. E. Google Authenticator Google Authenticator is a software-based authenticator developed by Google for authenticating users of software applications using the Time-based One-time Password Algorithm (TOTP; described in RFC 6238) and HMAC-based One-time Password Algorithm (HOTP; specified in RFC 4226). Authenticator must must be installed on a smartphone before it can be used. It must be configured for each site with which it will be used: the site will provide the user a shared secret key through a secure channel, which the user will store in the Authenticator app. This secret key will be needed to log in to the site in the future. The user enters a username and password to log into a site or service that supports two-factor authentication and Authenticator. The site then calculates (but does not disclose) the six-digit one- time password necessary and prompts the user to enter it. The user launches the Authenticator app, which generates and displays the same password, which the user enters to verify their identity. II. LITERATURE REVIEW 1. A different technique of authentication is to use devices that are always nearby and personal like mobile phones or a credential server. Password- based authentication protocols are the result of a lot of research and testing. Wu suggests using a strong password, more contemporary protocols such as the PAKE protocols, can function with weak passwords to prevent dictionary attacks on the information transferred. When compromising a service provider, different variants of PAKE protocols prohibit an attacker from impersonating a user. Compact PAKE is a protocol that is similar to EKE2 however, it is more compact and incorporates user key parameter retrieval as well as asymmetric authentication. 2. The PAKE authentication mechanism is used by Better Auth, although it doesn't support password stretching. Van Laer proposes using KDF for password stretching and storing the needed salt parameters at the service provider, which is similar to our method. In comparison to our work, they only use pre-defined KDF factors, such as CPU cost, and only have configurable salt,
  • 3. International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1566 making their account aging solution inflexible. They also employ the Schnorrprotocol, which is susceptible to parameter attacks, such as when the provider provides a tampered salt value. 3. An intriguing Key Derivation Function strategy is that it is not susceptible to parameter attacks. When assessing a Halting Key Derivation Function, the user runs a KDF algorithm until it reaches a halting parameter. A password that isn't legitimate can't be ruled out completely. When attempting a dictionary attack, this results in an attacker having to do more than three times the work. The HPAKE authentication protocol employs an HKDF and saves the necessary halting parameter at the predefined provider. External attackers can't see the halting parameters because of a covert credential retrieval technique, which makes offline dictionary attacks unfeasible. A parameter attack would be impossible with HPAKE since the user's HKDF calculation would not finish. A usability issue with HKDFs is that a user who inadvertently enters an erroneous password does not receive a timely notification about the error. Any typical state-of-the-art KDF can be used with our method. 4. Another set of authentication techniques makes use of external devices such as mobile phones or a credential server. No additional device or server is required in our job for the service provider's authentication. Management of passwords. A method that does not require the use of a server. A user's password being reused on several websites is to deduce a hash function that takes the value of the authentication key as inputs, passes the domain name and the password. Since this method is sensitive to dictionary assaults. To strengthen the hash function, it was recommended to use it n times. is the password n, on the other hand, is a hard-coded value. This indicates that the method will not be adaptable to future hardware. 5. Pvault provides two prominent services like cloud storage and password management, with the drawback of using the same password for both data encryption and storage server authentication. Zhao uses KDF to protect a password that is stored on a secure, reliable cloud storage system, but a simple authentication technique is used. Passport uses a similar basic key stretching mechanism as Halderman, except KDF parameters are stored on a Passport server. Passport, on the other hand, uses the Secure Remote Password protocol for authentication, which is vulnerable to parameter attacks. 6. The contributing factors of research carried out in the field of password manager has had a direct impact on cryptography and penetration testing. Hence, the majority of this study focuses on vast collections of academic studies on the security measures taken by most featured password managers and penetration testing experiments performed by security auditing teams. Furthermore, any checks performed on password managers have been extended to the full extent possible. 7. Moving on to the security analysis trends, we learned about featured password manager services like Last Pass and 1Password. Auto-fill is a function present in several popular password managers, and other browser-based password managers like Chrome web browser and Safari web browser. It has been discovered that major flaws exist that takes advantage of the auto-fill feature, such as I Frame sweep attacks, password sync exploits, and injections. III. PROBLEM FORMULATION The available password managers are either Desktop Applications or Web Apps. So, every single time a user needs to launch the application & update the password manager database if there's any change made to the credentials. All the available password manager extensions use AES/DES encryption/decryption standards so passing through those encryption keys is not a tedious task for hackers. IV. OVERVIEW OF THE APPLICATION A. SYSTEM ARCHITECTURE The proposed system will be an open-source and cross-platform application that involves PGP Encryption standards. Users are required to submit their digital signature related files to access their profile every time they need to manage their passwords. Another impeccable feature of this product is to provide users easy accessibility through cross-device authentication. Fig1: System architecture The above diagram shows the relationship between server & client and how the function of a client is dependent on the server for the functioning of the product.
  • 4. International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1567 B. Structure of the extension In the above diagram the structure of the extension is read by the manifest. json file which will have the version number, name & description about the extension. C. Chrome extension workflow structure The above diagram shows the workflow of the proposed system from its initial state to end state. D. Authentication flow structure
  • 5. International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1568 E. Node.js middleware flow diagram F. User token generation process V. Modules The proposed system involves flowing modules: - Signup module In this module user provides username/email to register/signup to the application. Once user is successfully registered, he will be getting a 16-digit secret key to generate TOTP. Login module In this module user logs in with his registered username/email to the application. Once login is successful user will be taken to TOTP screen.
  • 6. International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1569 Store credentials module In this module user will store his credentials & stored credentials will be sent to database & stored there for future reference.
  • 7. International Journal of Trend in Scientific Research and Development @ www.ijtsrd.com eISSN: 2456-6470 @ IJTSRD | Unique Paper ID – IJTSRD49775 | Volume – 6 | Issue – 3 | Mar-Apr 2022 Page 1570 VI. CONCLUSION& FUTURE SCOPE Proposed System is a better password manager as a Google Chrome plugin with 2FA for this research. We demonstrated that when employing PGP encryption technology for secure password-based encryption, a strong authentication approach is required to keep the user's password hidden. Users would simply need their login credentials to log in, and the proposed system would decrypt their data, allowing them to maintain track of their passwords. A. Future Scope The future enhancements of the proposed system are:- Converting the product into mobile or iOS Applications. Using updated encryption & decryption standards Providing it as a Desktop application using Electron.js framework Enabling the feature of signing up through social networks like Facebook, Google, and LinkedIn. REFERENCES [1] M. Bishop and D.V. Klein. Improving system security via proactive password checking. Computers & Security, 14(3):233–249, [2] J. Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. Security and Privacy (SP).IEEE Symposium on, pages 538–552, 2012. [3] Malone and K. Maher. Investigating the distribution of password choices. In Proceedings of the 21st international conference on World Wide Web, WWW ‟12, pages 301–310, New York, NY, USA, 2012. ACM [4] https://www.thirdrocktechkno.com/blog/node- js-socket-io-chrome-extension-integration/ [5] https://ieeexplore.ieee.org/document/8456009 [6] https://ieeexplore.ieee.org/document/8326801 [7] https://www.section.io/engineering- education/speakeasy-two-factor-authentication- innodejs/#:~:text=May%205%2C%202021&te xt=Two%2Dfactor%20authentication%20is%2 0a,username%2Fe mail%20and%20password%20authentication. [8] https://www.npmjs.com/ [9] https://www.npmjs.com/package/otplib [10] https://otplib.yeojz.dev/