Security Basics mailing list archives

Re: store passwords securely in the internet

From: Andre Pawlowski <sqall () h4des org>
Date: Wed, 07 Apr 2010 10:23:34 +0200

Yes, the passwords are stored encrypted on the server.

I know that you have to trust the provider to give it your passwords.For myself I am my own provider and my friends are using this feature.But there are also friends that have the same opinion "Never storepasswords on a system that they don't own".


Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
        -Albert Einstein


On 04/07/2010 01:43 AM, Gregory Rubin wrote:

To make sure that I understand this correctly:
The server has access to the plain-text passwords since it both
encrypts and decrypts the stored passwords with the masterpassword?

I'm sorry, but there is nobody in the world who I would trust this
way.  I've seen similar schemes proposed before but they all force you
to ultimately trust the web-service, which (unfortunately) is just not
doable in this day and age.

If you want to bring your passwords with you, may I recommend either a
thumbdrive with PasswordSafe/PasswordGorilla or just spring for an
IronKey?

Greg

On Tue, Apr 6, 2010 at 2:40 PM, Andre Pawlowski<sqall () h4des org>  wrote:

Hi guys,

I've written a program to store your passwords secure in a container on a
server. It's written for the Horde framework and is called eleusis (
http://h4des.org/index.php?inhalt=eleusis ). The idea was to have your
passwords everytime available when you are online even when you are using an
internet cafe or a pc at work.

When the user creates a passwordstore, he must give a masterpassword. With
this masterpassword every password you want to save will encrypt with
blowfish. For every step (reading, writing) you have to enter the
masterpassword, because nothing will write unencrypted to the hard disk. The
masterpassword is never stored. When the user entered the masterpassword,
the program will decrypt the container and check the header. If the header
is correctly decrypted, the program will continue its work, if not, it will
show you an error message.

The whole project is written in php. A weak point of the program is the http
protocol. When the user doesn't use https to transfer the data the passwords
will send decrypted over the net.

I hope there is any use for this program and I'm glad if anyone of you send
me any critics or suggestions.

Regards

--

Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
        -Albert Einstein


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

store passwords securely in the internet Andre Pawlowski (Apr 06)
- Re: store passwords securely in the internet Gregory Rubin (Apr 07)
  - Re: store passwords securely in the internet Andre Pawlowski (Apr 07)
- Message not available
  - Re: store passwords securely in the internet Ali, Saqib (Apr 07)
- Re: store passwords securely in the internet Jhfjjf Hfdsjj (Apr 07)
  - Re: store passwords securely in the internet Andre Pawlowski (Apr 12)
    - Re: store passwords securely in the internet Alexander A. Kelner (Apr 12)
    - Re: store passwords securely in the internet Greg R (Apr 13)
    - Re: store passwords securely in the internet Andre Pawlowski (Apr 13)
- Re: store passwords securely in the internet Adam Mooz (Apr 07)
  - Re: store passwords securely in the internet Andre Pawlowski (Apr 07)
    - Message not available
    - Re: store passwords securely in the internet Adam Mooz (Apr 12)
- Re: store passwords securely in the internet Patrick Cornelissen (Apr 12)

(Thread continues...)