Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: store passwords securely in the internet

From: Adam Mooz <adam.mooz () gmail com>
Date: Thu, 8 Apr 2010 07:13:46 -0400
Https needs to be enforced.  Otherwise someone could mitm your
connection and modify the js as it comes across the wire to do
whatever they please.  Also you'll need to send password tokens across
the wire, single-use hashed that can only be used once otherwise your
passwords will be vulnerable to offline attacks

- Adam Mooz
http://www.AdamMooz.com
Sent from my iPhone, please excuse any typos.

On 2010-04-07, at 7:38 PM, Gregory Rubin <grrubin () gmail com> wrote:


While this is certainly better, you are still trusting the webserver
to provide you with valid javascript.  The only safe way to use it
would be to access the page, disconnect from the Internet, manage your
passwords, reconnect.

Greg

On Wed, Apr 7, 2010 at 1:21 AM, Andre Pawlowski <sqall () h4des org>
wrote:

Enforcing HTTPS is a good idea. I'm thinking about using AJAX to
send the
passwords encrypted over the net to the browser and the browser
decrypt the
passwords. With this configuration you can even use HTTP.

Thanks

Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
       -Albert Einstein



On 04/07/2010 05:29 AM, Adam Mooz wrote:


Interesting idea, I like the concept but it's far, far too fragile
of an
idea to use without some form of strong VPN like IPSec.  Please
take what
I'm about to say as constructive criticism.  First, you should be
enforcing
HTTPS with plaintext fallback disabled on the server end, use a
redirect to
allow users to "use" the HTTP protocol (such as lazy CEO's,
etc...) but
they'll be redirected to the HTTPS site.  Second, could you please
confirm
that the passwords are sent back to the user decrypted (but in the
https
tunnel)?  You should have something setup client-side so the
passwords NEVER
get sent across the wire unencrypted.  Something like a two-factor
authentication where there is a login password (which could be
tied into AD)
and a second password to decrypt the password when it's received,
or some
other form of two-factor authentication (PKI, dynamically
generated one-time
tokens, etc..)

It sounds strange I agree, but having to remember only two passwords
instead of the umpteen that need to be remember when working with
servers
that don't have AD sync is much easier.  If you send the password
in clear
text, even through an HTTPS tunnel, the risk for a MITM gaining
your root
password is huge.  By only transmitting an encrypted version of
the password
you get:
a) a token-based system where no matter how many times the user
requests
the password it never looks the same twice coming across the wire
(even
within the HTTPS tunnel.)

Hope this helps and what I'm trying to say is clear enough,
-----------------------------------------------------------------
Adam Mooz
Adam.Mooz () gmail com
http://www.AdamMooz.com

On 2010-04-06, at 5:40 PM, Andre Pawlowski wrote:




Hi guys,

I've written a program to store your passwords secure in a
container on a
server. It's written for the Horde framework and is called
eleusis (
http://h4des.org/index.php?inhalt=eleusis ). The idea was to have
your
passwords everytime available when you are online even when you
are using an
internet cafe or a pc at work.

When the user creates a passwordstore, he must give a
masterpassword.
With this masterpassword every password you want to save will
encrypt with
blowfish. For every step (reading, writing) you have to enter the
masterpassword, because nothing will write unencrypted to the
hard disk. The
masterpassword is never stored. When the user entered the
masterpassword,
the program will decrypt the container and check the header. If
the header
is correctly decrypted, the program will continue its work, if
not, it will
show you an error message.

The whole project is written in php. A weak point of the program
is the
http protocol. When the user doesn't use https to transfer the
data the
passwords will send decrypted over the net.

I hope there is any use for this program and I'm glad if anyone
of you
send me any critics or suggestions.

Regards

--

Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
       -Albert Einstein





---
---------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL
certificate.  We look at how SSL works, how it benefits your
company and how
your customers can tell if a site is secure. You will find out how
to test,
purchase, install and use a thawte Digital Certificate on your
Apache web
server. Throughout, best practices for set-up are highlighted to
help you
ensure efficient ongoing management of your encryption keys and
digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
---
---------------------------------------------------------------------




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: