Re: store passwords securely in the internet


Why don't you want make one step more?

You may encrypt and decrypt al your passwords just on client side using
master password and crypto-application realised as javascript or as
java-applet in browser. In such case unencrypted password will never cross
the net, and for saving/retrieving encrypted passwords you may use ordinary
file storage like ftp-server.


On Thu, 8 Apr 2010, Andre Pawlowski wrote:

Date: Thu, 08 Apr 2010 08:40:58 +0200
From: Andre Pawlowski <sqall@xxxxxxxxx>
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: store passwords securely in the internet
Resent-Date: Mon, 12 Apr 2010 09:36:28 -0600 (MDT)
Resent-From: security-basics-return-54013@xxxxxxxxxxxxxxxxx

The container is decrypted with this password. If someone entered a wrong masterpassword, the program will decrypt the container with this wrong masterpassword, then it checks the header and will see that it was a wrong masterpassword and gives you an error.

You see, the masterpassword is not stored on the server.

Andre Pawlowski

-------------------------------------------------------------------

Ordnung braucht nur der Dumme, das Genie beherrscht das Chaos.
-Albert Einstein


On 04/07/2010 10:01 PM, Jhfjjf Hfdsjj wrote:
Wait, if the master password is never stored on the hard disk WHERE is it stored? Gotta be somewhere in order for it to be used to decrypt something.



----- Original Message ----
From: Andre Pawlowski<sqall@xxxxxxxxx>
To: security-basics@xxxxxxxxxxxxxxxxx
Sent: Tue, April 6, 2010 2:40:05 PM
Subject: store passwords securely in the internet

Hi guys,

I've written a program to store your passwords secure in a container on a server. It's written for the Horde framework and is called eleusis ( http://h4des.org/index.php?inhalt=eleusis ). The idea was to have your passwords everytime available when you are online even when you are using an internet cafe or a pc at work.

When the user creates a passwordstore, he must give a masterpassword. With this masterpassword every password you want to save will encrypt with blowfish. For every step (reading, writing) you have to enter the masterpassword, because nothing will write unencrypted to the hard disk. The masterpassword is never stored. When the user entered the masterpassword, the program will decrypt the container and check the header. If the header is correctly decrypted, the program will continue its work, if not, it will show you an error message.

The whole project is written in php. A weak point of the program is the http protocol. When the user doesn't use https to transfer the data the passwords will send decrypted over the net.

I hope there is any use for this program and I'm glad if anyone of you send me any critics or suggestions.

Regards



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




---
Alexander A. Kelner
Centertelecom - Bryansk
Network Operation Center
Senior engineer

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Relevant Pages

  • Re: Polyalphabetic encryption for Passwords
    ... ResourcePasswords = f(publicdata, MasterPassword) ... So with this trick, the encrypted passwords ... per-UserPassword basis to encrypt a single MasterPassword (which itself ... without access to the unencrypted/hashed UserPasswords - another security ...
    (comp.lang.php)
  • Re: store passwords securely in the internet
    ... The container is decrypted with this password. ... If someone entered a wrong masterpassword, the program will decrypt the container with this ... wrong masterpassword, then it checks the header and will see that it was a wrong masterpassword and gives you an error. ... When the user doesn't use https to transfer the data the passwords will send decrypted over the net. ...
    (Security-Basics)
  • Re: CryptoAPIs - compatibility between NT, 2000 and XP
    ... >> passwords for the various components in the system. ... >> encrypted/decrypted on the client as required. ... >> successfully decrypt and log into applications. ... >> On NT machine if I encrypt passwords, ...
    (microsoft.public.security)
  • Re: store passwords securely in the internet
    ... You're still going to have to ultimately trust the server that is doing the https/ssl termination. ... For systems I don't control like an internet cafe or library, I wouldn't want to be using those passwords anyway on ... When the user creates a passwordstore, he must give a masterpassword. ... the program will decrypt the container and check the ...
    (Security-Basics)
  • Re: store passwords securely in the internet
    ... When the user creates a passwordstore, he must give a masterpassword. ... passwords will send decrypted over the net. ... Keyloggers are a great way of circumventing the best laid plans regarding encryption and security. ... Securing Apache Web Server with thawte Digital Certificate ...
    (Security-Basics)