Security Basics mailing list archives

Re: store passwords securely in the internet

From: Andre Pawlowski <sqall () h4des org>
Date: Wed, 07 Apr 2010 10:21:05 +0200

Enforcing HTTPS is a good idea. I'm thinking about using AJAX to sendthe passwords encrypted over the net to the browser and the browserdecrypt the passwords. With this configuration you can even use HTTP.


Thanks

Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
        -Albert Einstein



On 04/07/2010 05:29 AM, Adam Mooz wrote:

Interesting idea, I like the concept but it's far, far too fragile of an idea to use without some form of strong VPN like IPSec.  Please take what 
I'm about to say as constructive criticism.  First, you should be enforcing HTTPS with plaintext fallback disabled on the server end, use a redirect 
to allow users to "use" the HTTP protocol (such as lazy CEO's, etc...) but they'll be redirected to the HTTPS site.  Second, could you 
please confirm that the passwords are sent back to the user decrypted (but in the https tunnel)?  You should have something setup client-side so the 
passwords NEVER get sent across the wire unencrypted.  Something like a two-factor authentication where there is a login password (which could be tied 
into AD) and a second password to decrypt the password when it's received, or some other form of two-factor authentication (PKI, dynamically 
generated one-time tokens, etc..)

It sounds strange I agree, but having to remember only two passwords instead of the umpteen that need to be remember when 
working with servers that don't have AD sync is much easier.  If you send the password in clear text, even through an 
HTTPS tunnel, the risk for a MITM gaining your root password is huge.  By only transmitting an encrypted version of the 
password you get:
a) a token-based system where no matter how many times the user requests the password it never looks the same twice 
coming across the wire (even within the HTTPS tunnel.)

Hope this helps and what I'm trying to say is clear enough,
-----------------------------------------------------------------
Adam Mooz
Adam.Mooz () gmail com
http://www.AdamMooz.com

On 2010-04-06, at 5:40 PM, Andre Pawlowski wrote:

Hi guys,

I've written a program to store your passwords secure in a container on a server. It's written for the Horde framework 
and is called eleusis ( http://h4des.org/index.php?inhalt=eleusis ). The idea was to have your passwords everytime available when 
you are online even when you are using an internet cafe or a pc at work.

When the user creates a passwordstore, he must give a masterpassword. With this masterpassword every password you want 
to save will encrypt with blowfish. For every step (reading, writing) you have to enter the masterpassword, because 
nothing will write unencrypted to the hard disk. The masterpassword is never stored. When the user entered the 
masterpassword, the program will decrypt the container and check the header. If the header is correctly decrypted, the 
program will continue its work, if not, it will show you an error message.

The whole project is written in php. A weak point of the program is the http protocol. When the user doesn't use https 
to transfer the data the passwords will send decrypted over the net.

I hope there is any use for this program and I'm glad if anyone of you send me any critics or suggestions.

Regards

--

Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
        -Albert Einstein




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

store passwords securely in the internet Andre Pawlowski (Apr 06)
- Re: store passwords securely in the internet Gregory Rubin (Apr 07)
  - Re: store passwords securely in the internet Andre Pawlowski (Apr 07)
- Message not available
  - Re: store passwords securely in the internet Ali, Saqib (Apr 07)
- Re: store passwords securely in the internet Jhfjjf Hfdsjj (Apr 07)
  - Re: store passwords securely in the internet Andre Pawlowski (Apr 12)
    - Re: store passwords securely in the internet Alexander A. Kelner (Apr 12)
    - Re: store passwords securely in the internet Greg R (Apr 13)
    - Re: store passwords securely in the internet Andre Pawlowski (Apr 13)
- Re: store passwords securely in the internet Adam Mooz (Apr 07)
  - Re: store passwords securely in the internet Andre Pawlowski (Apr 07)
    - Message not available
    - Re: store passwords securely in the internet Adam Mooz (Apr 12)
- Re: store passwords securely in the internet Patrick Cornelissen (Apr 12)
  - Re: store passwords securely in the internet Adam Mooz (Apr 13)
    - Re: store passwords securely in the internet Patrick Cornelissen (Apr 12)
    - Re: store passwords securely in the internet Eric Furman (Apr 13)
    - Re: store passwords securely in the internet Adam Mooz (Apr 13)
    - RE: store passwords securely in the internet Lauren Twele (Apr 13)
- Re: store passwords securely in the internet Jan G.B. (Apr 12)
  - Re: store passwords securely in the internet Andre Pawlowski (Apr 12)
  - Re: store passwords securely in the internet Andre Pawlowski (Apr 12)

(Thread continues...)