Reputation: 617
How would you guys go about storing passwords for an online password manager in a MySQL database? Nothing big, just a few users. I can't really hash them or something because it's irreversible, right? How do programs like KeePass achieve this?
Thanks in advance!
Upvotes: 1
Views: 1460
Reputation: 125835
(Upgrading to an answer)
Usually users' passwords are encrypted using a master password before transmission to you, the password manager; you would store such encrypted passwords and return them to the user upon their request: they would then decrypt on their own machine using their master password. At no point do you handle the master password or the unencrypted passwords, therefore you are totally unable to access the underlying passwords you store.
If your application is web-based, you could perform the crypto operations in JavaScript (although you should be very wary of XSS and browser security vulnerabilities) - the Stanford Javascript Crypto Library is a good place to start.
Upvotes: 4
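The flow described in the answer above, as an added example that is not part of the original answer: the client derives a key from the master password, and the server only ever receives and stores the returned record. It uses the browser's built-in WebCrypto API rather than SJCL; the function names, record fields and PBKDF2 iteration count are assumptions made for illustration.

```javascript
// Added example: client-side encryption of one vault entry with WebCrypto.
// Browsers expose globalThis.crypto; the require() fallback only covers older Node.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webCrypto.subtle;
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for your clients

const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (text) => Uint8Array.from(atob(text), (c) => c.charCodeAt(0));

// Stretch the master password into an AES-256-GCM key. Runs only on the client.
async function deriveKey(masterPassword, salt, iterations) {
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(masterPassword), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns the record the server stores (e.g. one MySQL row per entry):
// salt, IV and ciphertext only. Neither the key nor the plaintext leaves the client.
async function encryptEntry(masterPassword, plaintext, iterations = PBKDF2_ITERATIONS) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16));
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh for every encryption
  const key = await deriveKey(masterPassword, salt, iterations);
  const ct = await subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  return { v: 1, iterations, salt: toB64(salt), iv: toB64(iv), ciphertext: toB64(ct) };
}

// Rejects if the master password is wrong or the stored record was modified,
// because the AES-GCM authentication tag no longer verifies.
async function decryptEntry(masterPassword, record) {
  const key = await deriveKey(masterPassword, fromB64(record.salt), record.iterations);
  const pt = await subtle.decrypt(
    { name: "AES-GCM", iv: fromB64(record.iv) }, key, fromB64(record.ciphertext));
  return new TextDecoder().decode(pt);
}
```

Because decryption is authenticated, a record altered in the database fails to decrypt instead of yielding a silently corrupted password.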
Reputation: 21210
Hashing a password is, indeed, irreversible. But you hash a password for exactly that reason:
Programs generally provide the following:
setPassword(user, password); //puts the (hashed) password into a database table associated with user
authenticate(user, password); //for given user, checks to see if password is valid
That said, this question is very broad and will likely get downvoted. You're not asking a specific question or saying what you've tried thus far.
Upvotes: -1