\section{Overview} \begin{table}[h] \begin{center} \begin{tabular}{l|l} \textbf{Thesis title} & Password Compromise Monitoring Tool\\ \textbf{Thesis title CZ} & Nástroj pro monitoring kompromitace hesel\\ \textbf{Supervisor} & Ing. David Malaník, Ph.D.\\ \end{tabular} \caption{Overview} \label{tab:overview} \end{center} \end{table} \subsection{Thesis guidelines} \begin{enumerate} \item Specifikujte požadavky na systém s ohledem na jeho zabezpečení. \item Vyberte vhodné zdroje dat pro ověření kompromitace hesel. \item Navrhněte systém pro online správu vlastní databáze kompromitovaných loginů. \item Navržený systém implementujte v testovacím prostředí a ověřte jeho funkčnost. \item Ověřte izolaci uživatelských účtů Vašeho systému. Popište bezpečnostní mechanismy, keré ji zajišťují. \end{enumerate} \newpage \section{Thesis outline} % set up list numbering with roman numerals. \renewcommand{\labelenumi}{\arabic{enumi}.} \renewcommand{\labelenumii}{\arabic{enumi}.\arabic{enumii}} \renewcommand{\labelenumiii}{\arabic{enumi}.\arabic{enumii}.\arabic{enumiii}} \textbf{Introduction}\\ \textbf{Theoretical part} \begin{enumerate}[\itemsep=0em] \item Purpose \item Terms introduction \item Cryptography primer \begin{enumerate}[\itemsep=0em] \item Hash functions \begin{enumerate}[\itemsep=0em] \item Uses and \textit{mis}uses \item Threats to hashes \end{enumerate} \end{enumerate} \begin{enumerate}[\itemsep=0em] \item Encryption \begin{enumerate}[\itemsep=0em] \item The key exchange problem \item The key protection problem \end{enumerate} \end{enumerate} \item Brief passwords history \begin{enumerate}[\itemsep=0em] \item Purpose over time \item What is considered a password \item Problems with passwords \begin{enumerate}[\itemsep=0em] \item Arbitrary length requirements (min/max) \item Arbitrary complexity requirements \item Restricting special characters \end{enumerate} \end{enumerate} \item Password strength validation \item Web security \begin{enumerate}[\itemsep=0em] \item Browsers \item Cross-site scripting \item Content Security Policy \end{enumerate} \item Sandboxing \begin{enumerate}[\itemsep=0em] \item User isolation \item Process isolation \item Namespaced isolation \end{enumerate} \item Data storage \begin{enumerate}[\itemsep=0em] \item Integrity \item Authenticity \item Confidentiality \item Encryption-at-rest \end{enumerate} \item Compromise checking and prevention \begin{enumerate}[\itemsep=0em] \item HIBP and similar tools \item OWASP Top 10 for the implementers \item Password best practices \end{enumerate} \end{enumerate} \\ \textbf{Practical part} \begin{enumerate}[\itemsep=0em] \setcounter{enumi}{9} \item Toolchain \begin{enumerate}[\itemsep=0em] \item Development \begin{enumerate}[\itemsep=0em] \item A word about \href{https://builtwithnix.org/}{Nix} \end{enumerate} \item Production \end{enumerate} \item Application architecture \begin{enumerate}[\itemsep=0em] \item Data integrity \item Data authenticity \item Data confidentiality \item Connection security \item User isolation \end{enumerate} \item Implementation \begin{enumerate}[\itemsep=0em] \item Compromise checking \begin{enumerate}[\itemsep=0em] \item Have I Been Pwned? Integration \item Local Dataset Plugin \end{enumerate} \item Best practices \item Database configuration \item Deployment recommendations \end{enumerate} \item Validation \begin{enumerate}[\itemsep=0em] \item Unit tests \item Integration tests \item Click-ops \end{enumerate} \end{enumerate} \textbf{Conclusion} \newpage \section{Theoretical part status} Chapters started include: 3.1.1, 4.3.3, 6, 6.1, 7.1, 7.2, 7.3, 8.\\ Pages written in total amount to less than 5 (@\today).\\ Given how much I've written so far. I have not cited any resources. \newpage \section{Practical part status} Chapters started include: 12.1, 12.2, 12.3., 12.4.\\ The application is going to a be monolithic (no microservices planned), statically linked (ideally), self-contained \href{https://go.dev/}{Go} program serving generated HTML using a combination of the SSR-first \href{https://github.com/kyoto-framework/kyoto}{Kyoto} framework and Go's native templating support. The exposed REST API will enable potentially plugging in alternative clients (such as CLI or mobile ones) in the future. The fitness of a GraphQL API is also going to be explored. Client-side JS might be added, should building a particular component of the application be hardly feasible without it, although I'd love to get by without it, if at all possible. On the backend the application is going to talk to a \href{https://www.postgresql.org/}{PostgreSQL} database for raw data and to \href{https://immudb.io/}{immudb} for verification of data integrity (append only mode immudb-side). Data is going to be stored encrypted at rest and is only going to be ever decrypted momentarily in memory. \\ It's very likely that I will use the Go \textit{standard library} for the vast majority of my coding needs (apart from my original code, of course), with the exception of database connectors and hash algorithms (such as Argon2 or Blake3), for which third-party libraries will most probably be utilised, and of course the \textit{Kyoto} framework itself. Background tasks within the application (such as periodic checks) will be spawned using Go's native lightweight \textit{"threads"} - \textbf{Goroutines}. \\ Development environment will be brought up with the help of \href{https://builtwithnix.org/}{Nix} (specifically \texit{flakes}), which can then equally be used in CI and production, although alternative, containerised approach will also be evaluated for production (Kubernetes). The two, however, are not at all contradictory, Nix, for example, could be used to generate the container images (OCI) reproducibly (not just repeatably) in the exact same environment every single time. \\ So far I have only created the project's \href{https://git.dotya.ml/mirre-mt/pcmt}{home}, I have not written any code though (as of \today). \newpage \section{Statement of the supervisor} \label{sec:supstatement} \begin{quotation} Práce je v počáteční fázi a bude třeba zvýšit tempo prací. Nicméně teď již na to bude mít student více času a práce by měla být zdárně dokončena v termínu. Student komunikuje akorát prozatím spíše metodou ``na poslední chvíli.'' \end{quotation}