Storing unencrypted passwords directly on the blockchain is a critical security vulnerability. An unencrypted password is exposed to anyone who can read the chain, even when it is stored in a `private` state variable, which poses significant risks to user privacy and security.
This password is publicly accessible, to anyone, always:
Privacy & Security Risk:
Storing unencrypted passwords on the blockchain poses significant privacy and security risks. Unencrypted passwords are visible to anyone inspecting the blockchain, which can lead to privacy breaches and unauthorized access to user accounts. This practice undermines user security and makes it easier for malicious actors to harvest passwords for identity theft and other malicious activities.
VSC.
Never store unencrypted passwords on the blockchain. If users insist on storing their passwords on the blockchain, they should, at the very least, follow a more secure approach, which includes:
Encryption: Users should encrypt their passwords before storing them on the blockchain, using a strong encryption algorithm and a user-specific encryption key (file).
Local Key Storage: Users should securely manage their encryption keys on their local devices (e.g., a PC). The key should never be exposed on the blockchain or in any other public location.
This way the strongly encrypted password can be stored in the smart contract, and only the owner can retrieve it (locally) by using their decryption key.
Another potentially feasible approach:
The password encryption/decryption functionality could potentially be implemented onchain: the user only provides the password, which is encrypted immediately, and the user is given a decryption key to save/download locally. Later they can use that key to retrieve the password again through an onchain decryption function.
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case, private does not mean secret/confidential.
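To make the point above concrete, here is an added example (not part of the original finding) showing how a `string private` state variable is read by anyone: the `eth_getStorageAt` JSON-RPC request that fetches the raw 32-byte storage word, and the decoding of that word into the plaintext. The contract address, the slot index (1, assuming the string is declared after an `address` owner) and the sample slot contents are all constructed for illustration.

```python
# Added example: reading a Solidity `string private` variable from raw storage.
# Contract address and slot index below are constructed placeholders.
CONTRACT = "0x0000000000000000000000000000000000001234"  # placeholder address
PASSWORD_SLOT = 1  # assumption: `address owner` is slot 0, `string private password` is slot 1


def storage_read_request(contract: str, slot: int) -> dict:
    """JSON-RPC body anyone can POST to a public node to read a storage slot.
    There is no access control on storage reads: `private` only limits Solidity code."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_getStorageAt",
        "params": [contract, hex(slot), "latest"],
    }


def encode_short_string_slot(value: str) -> str:
    """Build the 32-byte word Solidity stores for a string shorter than 32 bytes.
    Layout: UTF-8 bytes left-aligned, lowest-order byte holds 2 * length."""
    data = value.encode("utf-8")
    if len(data) >= 32:
        raise ValueError("long strings are stored at keccak256(slot), not inline")
    word = data.ljust(31, b"\x00") + bytes([len(data) * 2])
    return "0x" + word.hex()


def decode_short_string_slot(slot_hex: str) -> str:
    """Recover the plaintext from an eth_getStorageAt result for a short string."""
    raw = bytes.fromhex(slot_hex[2:] if slot_hex.startswith("0x") else slot_hex)
    if len(raw) != 32:
        raise ValueError("expected a 32-byte storage word")
    if raw[-1] & 1:
        # Long-string marker: the word holds 2 * length + 1 and the bytes live at
        # keccak256(slot), keccak256(slot) + 1, ... (equally public, just more reads).
        raise ValueError("long string: data is at keccak256(slot), not inline")
    length = raw[-1] // 2
    return raw[:length].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: what the node would return for a contract holding "myPassword".
    sample_word = encode_short_string_slot("myPassword")
    print(storage_read_request(CONTRACT, PASSWORD_SLOT))
    print(sample_word)                          # raw storage word
    print(decode_short_string_slot(sample_word))  # -> myPassword
```

Transaction calldata is public in the same way, so a plaintext password passed as a function argument is exposed before it ever reaches storage.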