Password Manager Extension | 🔒 SHA-256 + Salt | 💾 Persistent | ⚡ Fast

Password Manager Extension

An extension for MIT App Inventor 2.

A powerful Java-side password system for your Kodular apps!


:bullseye: What is it?

Password Manager is a professional-grade Kodular extension that helps you securely manage passwords inside your app — no extra component required!

Keep your users’ credentials safe with industry-standard one-way hashing.
No AES, no reversible encryption — just strong, secure, and irreversible protection.


:sparkles: Features at a Glance

| :small_blue_diamond: Feature | :white_check_mark: Description |
|---|---|
| SetPassword() | Save a new password securely using SHA-256 hash and unique salt |
| VerifyPassword() | Check if user input matches stored password |
| ChangePassword() | Safely change password using old one |
| ClearPassword() | Wipe stored hash and salt |
| SetPasswordHint() | Save a helpful password hint |
| GetPasswordHint() | Retrieve the saved hint |
| IsPasswordStrong() | Prevent weak passwords (digit + uppercase + special char) |
| IsPasswordSet() | Check if any password is stored |

:puzzle_piece: Blocks Overview

SetPassword_Method

SetPasswordHint_Method

VerifyPassword_Method

ChangePassword_Method

ClearPassword_Method

GetPasswordHint_Method

IsPasswordCorrect_Method

IsPasswordSet_Method

IsPasswordStrong_Method

OldPasswordIncorrect_Event

PasswordChanged_Event

PasswordCleared_Event

PasswordTooWeak_Event

PasswordVerified_Event

You don’t need TinyDB — everything is handled inside the extension!

:wrench: Set Password

PasswordManager.SetPassword("MySecure@123")

:locked: Verify Password

PasswordManager.VerifyPassword("MySecure@123")

:repeat_button: Change Password

PasswordManager.ChangePassword("old", "new")

:speech_balloon: Set Hint

PasswordManager.SetPasswordHint("Try your pet’s name")

:bell: Events

| Event | Triggered When… |
|---|---|
| PasswordChanged | Password changed successfully |
| OldPasswordIncorrect | Wrong password during change/verify |
| PasswordVerified | User input password matched current password |
| PasswordCleared | Password data was wiped |
| PasswordTooWeak | New password doesn’t meet strength requirements |

:package: Storage

  • :locked_with_key: Uses SharedPreferences
  • :salt: Generates a random 128-bit salt per password
  • :brain: Only the hash and salt are stored — no plain text, no encrypted values
  • :white_check_mark: Works across sessions, phones, and restarts — fully persistent

:brain: Password Strength Rules

Password must:

  • Be at least 6 characters :white_check_mark:
  • Include a digit (0–9) :1234:
  • Include an uppercase letter (A–Z) :input_latin_uppercase:
  • Include a special character (!, @, #, etc.) :red_exclamation_mark:

:package: Extension Details

  • Extension Name: PasswordManager
  • Version: v1.0
  • Created by: Mahir Labib
  • Compatible with: Kodular, AI2, etc.
  • Storage: One-way hashing, SharedPreferences (internal & secure)
  • Size: Lightweight (< 100KB)
  • Dependencies: None
  • Built using: FAST v2.6.0

:test_tube: Download

com.mahir.passwordmanager.aix (7.3 KB) (UPDATED)


:white_check_mark: Why Use This?

  • :brick: No blocks needed for saving — it handles everything internally
  • :locked_with_key: No AES key risk — truly irreversible storage
  • :no_mobile_phones: No internet needed — works 100% offline
  • :100: Perfect for login screens, app lockers, or secure gate features

:left_speech_bubble: Feedback Welcome!

If you like it, comment :heart:
If you want new features like fingerprint support, multi-user, or backup/restore, just request below!

#passwordmanager

4 Likes
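An added Java example, not the extension's own code, of the storage scheme the post above describes: a random 128-bit salt, a salted SHA-256 hash, the listed strength rules, and a constant-time comparison on verify. The salt-then-password ordering, the definition of a special character, and all class and method names are assumptions. `pbkdf2` is a swapped-in alternative that iterates HMAC-SHA256 over the same salt so each offline guess costs more; the page does not say whether the extension iterates.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPasswordDemo {
    // Fresh random 128-bit salt for every stored password, as the page describes.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // SHA-256 over salt || password. The concatenation order is an assumption.
    static byte[] sha256Salted(byte[] salt, String password) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Swapped-in alternative (not from the page): PBKDF2-HMAC-SHA256 with the same salt.
    static byte[] pbkdf2(byte[] salt, String password, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Page's strength rules: 6+ chars, a digit, an uppercase letter, a special character
    // ("special" is taken to mean any non-alphanumeric character, an assumption).
    static boolean isStrong(String p) {
        return p.length() >= 6
            && p.chars().anyMatch(c -> c >= '0' && c <= '9')
            && p.chars().anyMatch(c -> c >= 'A' && c <= 'Z')
            && p.chars().anyMatch(c -> !Character.isLetterOrDigit(c));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String password = "MySecure@123";             // sample password from the page
        byte[] salt = newSalt();
        byte[] stored = sha256Salted(salt, password); // only salt + hash would be persisted
        // MessageDigest.isEqual compares the two digests in constant time.
        System.out.println("strong:        " + isStrong(password));
        System.out.println("right input:   " + MessageDigest.isEqual(stored, sha256Salted(salt, password)));
        System.out.println("wrong input:   " + MessageDigest.isEqual(stored, sha256Salted(salt, "mysecure@123")));
        System.out.println("new salt:      " + MessageDigest.isEqual(stored, sha256Salted(newSalt(), password)));
        byte[] slow = pbkdf2(salt, password, 100_000); // iteration count is a constructed value
        System.out.println("pbkdf2 verify: " + MessageDigest.isEqual(slow, pbkdf2(salt, password, 100_000)));
    }
}
```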

Why not to use this

Usually storing password hashes instead of encrypted passwords (or even worse, plaintext passwords) is a fundamental security practice. The core reason lies in the irreversibility of hashing, which provides a crucial layer of protection in case of a data breach.

Here’s a breakdown of why hashing is preferred:
Hashing is a One-Way Process (Irreversible)

  • What it is: A hash function takes an input (your password) and transforms it into a fixed-length string of characters (the hash value). This process is designed to be one-way. You can easily generate a hash from a password, but it’s computationally extremely difficult, practically impossible, to reverse the process and get the original password back from the hash.
  • Security benefit: If a database storing hashed passwords is breached, the attackers only get the hashes, not the actual passwords. Since they can’t reverse the hash, they don’t immediately know your password. This significantly reduces the risk of your password being compromised and used on other services (especially if you reuse passwords).

Encryption is a Two-Way Process (Reversible)

  • What it is: Encryption takes plaintext data and transforms it into ciphertext using an algorithm and a key. The key allows the ciphertext to be decrypted back into the original plaintext.
  • Security drawback for passwords: If an attacker gains access to encrypted passwords AND the decryption key, they can easily decrypt all the passwords and gain full access. Storing the key securely alongside the encrypted passwords is a major challenge, and if the system is compromised, both could be exposed.

The goal of password storage is not to be able to retrieve the original password, but only to verify that the user knows it. Hashing achieves this by providing a one-way, irreversible transformation that protects user credentials even if the database storing the hashes is compromised. Encryption, while vital for data in transit, is not suitable for storing passwords because of its inherent reversibility.

There are extensions available, which can create a hash value, for example the tools extension App Inventor Extensions: Tools | Pura Vida Apps

TinyDB also uses SharedPreferences

Taifun

2 Likes

Thank you for the valuable feedback! You’re absolutely right — for best practice in credential storage, hashing is the ideal approach due to its irreversibility and security.

My extension uses AES encryption mainly because it supports use cases where the password needs to be retrieved (such as offline app locks or private notes). However, I’m planning to release a hash-based version soon for users who want irreversible and safer storage.

Appreciate your input — stay tuned for the secure-hash edition!

:new_button: New Update! (July 1, 2025)

:white_check_mark: Now uses SHA-256 with random salt for password storage

:white_check_mark: Replaced AES encryption with secure, irreversible hashing

:white_check_mark: Improved overall security — no way to retrieve passwords, even by an attacker

Thanks @Taifun for informing me. :clap:

1 Like

Are you storing an encrypted password or a hash value now?

What is the difference between VerifyPassword and IsPasswordCorrect?

What does GetCurrentPassword return? The hash value?

Taifun

1 Like

hash value

In the secure hash-based version, the GetCurrentPassword() method has been removed — because hashed passwords are irreversible and cannot be retrieved.

  • :locked_with_key: In the older AES version, it returned the decrypted password
  • :shield: In this updated version, no such method exists — for security reasons

Functionally, both methods do the same thing — they check if the user input matches the stored password.

  • VerifyPassword() also triggers success/failure events like PasswordVerified or OldPasswordIncorrect
  • IsPasswordCorrect() is a quiet alias that just returns true/false without triggering events

Use VerifyPassword if you want event-driven feedback, and IsPasswordCorrect if you’re checking silently in logic.

Hi @Taifun,
Now my extension is full of secure :key:.
Do you appreciate my work?

Request

If yes, would you please remove your post (WHY not to use this extension) :sob: