Security Basics mailing list archives
Re: store passwords securely in the internet
From: krymson () gmail com
Date: Thu, 8 Apr 2010 08:52:03 -0600
You're still going to have to ultimately trust the server that is doing the https/ssl termination. Not only might it hook before the encryption takes place, but it will have access to the keys and could just mitm you when you bring a decrypted password down to your local system over SSL. If I personally need to do something like this, I prefer to have something like a passwordsafe database stored somewhere that I can retrieve securely, and then open it and retrieve my passwords on my system. Or smaller databases with a set of credentials that I may ever want remotely, rather than the whole set. For systems I don't control like an internet cafe or library, I wouldn't want to be using those passwords anyway on such a public terminal. And even if I needed to, I'd prefer to just remember them if they're that important that I'd need them. <- snip -> Hi guys, I've written a program to store your passwords secure in a container on a server. It's written for the Horde framework and is called eleusis ( http://h4des.org/index.php?inhalt=eleusis ). The idea was to have your passwords everytime available when you are online even when you are using an internet cafe or a pc at work. When the user creates a passwordstore, he must give a masterpassword. With this masterpassword every password you want to save will encrypt with blowfish. For every step (reading, writing) you have to enter the masterpassword, because nothing will write unencrypted to the hard disk. The masterpassword is never stored. When the user entered the masterpassword, the program will decrypt the container and check the header. If the header is correctly decrypted, the program will continue its work, if not, it will show you an error message. The whole project is written in php. A weak point of the program is the http protocol. When the user doesn't use https to transfer the data the passwords will send decrypted over the net. I hope there is any use for this program and I'm glad if anyone of you send me any critics or suggestions. Regards -- Andre Pawlowski ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: store passwords securely in the internet krymson (Sep 10)
- Re: store passwords securely in the internet Matthew Caron (Sep 13)
- <Possible follow-ups>
- Re: store passwords securely in the internet krymson (Sep 14)
- RE: store passwords securely in the internet Smallman, Martin (Contractor) (Sep 14)