04 Nov 2010

For an online IDE, security is vitally important. We hold the passwords to many websites and are a potential target for malicious hackers.

Our systems are fully patched and we have a firewall in place to keep hackers out, but we have to plan for the worst-case scenario. What if a hacker somehow obtained our database and source code?

If you connect without using the save password option, the password is kept in the session until you log out or the session expires.

If you have many sites, typing in all the different passwords can be annoying, and the passwords are hard to remember. So we've introduced a new master password feature.

You can set a master password by going to Preferences -> Security. Once the master password is set, any FTP passwords that are stored will be encrypted using your password. You will then only need to enter the master password once per session to access all of your sites.

Without the master password, the only way a hacker could obtain your passwords would be an infeasible brute-force attack.

If you forget your master password, you can remove it, but you will lose all of your stored FTP passwords.

This is an overview of how the master password system works:

Setting the master password

  1. Client enters master password.
  2. Master password is hashed with a unique salt in the client's browser.
  3. Hash is then transmitted to the server.
  4. Existing FTP passwords are AES encrypted using the hash.
  5. The hash is then re-hashed and stored on the server.

Accessing a site

  1. Client enters master password.
  2. Master password is hashed with a unique salt in the client's browser.
  3. Hash is then transmitted to the server.
  4. Hash is re-hashed and verified against the stored hash.
  5. FTP password is AES decrypted using the original hash.
  6. The hash is stored in the session until the user logs out or the session expires.

You will notice that at no point is your master password directly transmitted to our server, ensuring greater security.
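The two flows above, as an added sketch in Node.js; this is not the service's own code. The post does not name its algorithms, so PBKDF2-SHA256 for the salted hash, SHA-256 for the re-hash, AES-256-GCM for encryption, and all function names and sample values are assumptions. It also checks the property the design relies on: the re-hash stored in the database cannot decrypt the FTP passwords.

```javascript
const crypto = require('crypto');

// Steps 1-2, in the browser: hash the master password with the user's unique salt.
// PBKDF2-SHA256 with 100000 iterations is an assumption, not the post's stated choice.
function clientHash(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, 100000, 32, 'sha256');
}

// Setting, step 5: the server stores only a re-hash of the hash it received.
function rehash(hash) {
  return crypto.createHash('sha256').update(hash).digest();
}

// Setting, step 4: AES-encrypt a stored FTP password using the received hash as key.
function encryptFtpPassword(hash, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', hash, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// AES-GCM decryption; final() throws if the key is wrong or the data was altered.
function decrypt(key, record) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  d.setAuthTag(record.tag);
  return Buffer.concat([d.update(record.ct), d.final()]).toString('utf8');
}

// Accessing a site, steps 4-5: verify the re-hash, then decrypt with the original hash.
function unlock(hash, storedRehash, record) {
  if (!crypto.timingSafeEqual(rehash(hash), storedRehash)) return null;
  return decrypt(hash, record);
}

// Constructed sample data: one user, one stored FTP password.
function demo() {
  const salt = crypto.randomBytes(16);
  const hash = clientHash('constructed master password', salt);
  const db = { salt, rehash: rehash(hash), ftp: encryptFtpPassword(hash, 'constructed-ftp-pw') };
  const ok = unlock(clientHash('constructed master password', salt), db.rehash, db.ftp);
  const bad = unlock(clientHash('wrong guess', salt), db.rehash, db.ftp);
  // Worst case from the post: the database is stolen, so the attacker holds db.rehash.
  let stolenRehashDecrypts = true;
  try { decrypt(db.rehash, db.ftp); } catch (e) { stolenRehashDecrypts = false; }
  return { ok, bad, stolenRehashDecrypts };
}

console.log(demo());
```

The hash the browser sends is itself the decryption key, so it needs the same protection in transit and in the session store as a password would.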