RE: store passwords securely in the internet

["Smallman, Martin (Contractor)" <Martin.Smallman.Contractor () usap gov>]

With all due respect to the interesting discussion this has created.

Is not the subject line in itself an oxymoron....



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of krymson () gmail com
Sent: Tuesday, 14 September 2010 6:52 a.m.
To: security-basics () securityfocus com
Subject: Re: store passwords securely in the internet

I have no disagreements with what you've said, but keep in mind this
thread is from 6 months ago. 



I've re-posted the OP question and my full response below. I said I
wouldn't use such a public system, and the use-case I had in mind for
the part of, "if I needed to," was something like an emergency or
personal crisis of some sort.



Just being anal in clarifying, while masking my annoyance at the
outdated re-postings being spewed out...





<- snip ->

I note that the subject of this email itself is inherently contradictory


(or, at least, simply not a good idea)... anyway, rest of my reply is 

properly inline...



On 04/08/2010 10:52 AM, krymson (at) gmail (dot) com [email concealed]
wrote:

> You're still going to have to ultimately trust the server that is

> doing the https/ssl termination.



And if you don't control it, don't trust it.



> If I personally need to do something like this, I prefer to have

> something like a passwordsafe database stored somewhere that I can

> retrieve securely,



Like a flash drive on your keychain or in your wallet containing an 

encrypted password db (say, keepass).



> For systems I don't control like an internet cafe or library,



You don't use them, except to read non-login public sites. Browse 

slashdot all you want from a public terminal, but don't check your 

email. That's what MID's are for.



> terminal. And even if I needed to, I'd prefer to just remember them

> if they're that important that I'd need them.



And if that's the case, then you remember them, type it in at the 

terminal, and get p0wn3d by the script kiddie who dropped a hardware 

keystroke logger inline on the keyboard cable.



-- 

Matthew Caron

Build Engineer

Sixnet | www.sixnet.com

O +1 518 877 5173 Ext. 138

F +1 518 602 9209

matt.caron (at) sixnet (dot) com [email concealed]



------------------------------------------------------------------------





<- another snip ->



You're still going to have to ultimately trust the server that is doing
the https/ssl termination. Not only might it 

hook before the encryption takes place, but it will have access to the
keys and could just mitm you when you bring a 

decrypted password down to your local system over SSL.



If I personally need to do something like this, I prefer to have
something like a passwordsafe database stored 

somewhere that I can retrieve securely, and then open it and retrieve my
passwords on my system. Or smaller databases 

with a set of credentials that I may ever want remotely, rather than the
whole set.



For systems I don't control like an internet cafe or library, I wouldn't
want to be using those passwords anyway on 

such a public terminal. And even if I needed to, I'd prefer to just
remember them if they're that important that I'd 

need them.



<- snip ->



Hi guys,



I've written a program to store your passwords secure in a container on 

a server. It's written for the Horde framework and is called eleusis ( 

http://h4des.org/index.php?inhalt=eleusis ). The idea was to have your 

passwords everytime available when you are online even when you are 

using an internet cafe or a pc at work.



When the user creates a passwordstore, he must give a masterpassword. 

With this masterpassword every password you want to save will encrypt 

with blowfish. For every step (reading, writing) you have to enter the 

masterpassword, because nothing will write unencrypted to the hard disk.


The masterpassword is never stored. When the user entered the 

masterpassword, the program will decrypt the container and check the 

header. If the header is correctly decrypted, the program will continue 

its work, if not, it will show you an error message.



The whole project is written in php. A weak point of the program is the 

http protocol. When the user doesn't use https to transfer the data the 

passwords will send decrypted over the net.



I hope there is any use for this program and I'm glad if anyone of you 

send me any critics or suggestions.



Regards



--



Andre Pawlowski

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------