The website online password vault can be looked on as either a noble but bad attempt in password security or as a lame phishing attack.
If you have been following my comments at Technopinoy and at a Pinoytechblog, you may have read some of my observations with OPV. Starts off with a lousy privacy policy (which was suddenly changed) and a lack of SSL. Now, overnight, it appears that OPV has found its SSL certificate. Or so it claims. (Click on thumbnail below to see the screen shot)
SSL, or Secure Socket Layer, is basically a communication protocol. Not an encryption algorithm. SSL basically ensures that there is a secure channel between client and host. But once the data reaches the host, how the data is stored is dependent on the host. Therefore, while my password information is transmitted securely, it does not mean that it is securely stored. For all we know, the password is stored in plain text at the server side.
(Update: I checked the certificate. It isn’t coming from a trusted source like Verisign but from Forest Data Systems. Tried googling it and zilch)
Hence my fundamental issue with the design and the explanations. OPV claimes:
Your passwords are heavily protected in a database. Every password uses certain types of encryption. Encryption is the process of obscuring information to make it unreadable without special knowledge or rights like knowing your username, e-mail and password. These keys to your account are a form of secret authentication data that is used to control access to a resource. All passwords use a one-way cryptographic hash function with a 128-bit hash value. A hash function is a way of creating a small digital fingerprint from any kind of data, which is unique to each user.
Because of the design of the website, your passwords are not just sitting on a webpage ready for someone to intercept. They are only sent to you, and only you when you push show password. Once you hide it, the password is no longer there. All action with user accounts is server side.
Heavily protected? How?
It appears that the password is encrypted using your username, email, and OPV password as the keys. The problem is the one-way hashing. If it is one-way hashing, how can you retrieve the information? And if it is stored encrypted on the server side, OPV still has to decrypt the password to transmit it back to you for you to display. If so, then what’s stopping the webmaster from decrypting all the stored passwords themselves?
I know the webmaster reads this site because he has acted on all my comments. So I hope he can clarify how the site processes the inputs. Until then, it is best that people stay away from this site.
15 comments
It does need caution on the part fo the users. And the webmaster, too. 😉
I wouldn’t even subscribe for such service.
not my type of service.
Did anyone notice Andrew Portelese’s biography?
http://www.andrewportolese.com/bio.php
Christ, he’s in 11th grade. Would you trust online information to a Highschooler?
I’ll stick to KEYPASS…I will not take even a single look and consider such things like that. Obviously when you’ll learn about it the first time, you’ll doubt about the security!
The database of the site is a must-have for hackers. They’ll have all the motivation to get it. 😉
The idea is great but this is a poor implementation. The most legit I have seen is Defygo. You can download it at http://www.defygo.com
Your actual passwords are stored on their server which makes it “Online”. However your passwords and other info are ecrypted with AES 256 (NSA standard), passed over 128 bit SSL, and finally stored on the server. It takes two passwords to get into it. There is software keylogger prevention and bruteforce prevention. On top of all that it has AES and TDES file encryption. It also has RSA 1024 bit public/private key encryption. The only sucky thing is that the client is .NET so you have to have the framework installed and it only works on Windows.
Defygo looks interesting. I’ll download it and give it a try. From what I gathered in the website, it does look correctly designed. I am still wondering though where does the decryption occur–is it in the server, which makes it insecure since the encryption key will be stored somewhere in the server even if temporary; or is it decrypted by the client PC, which is the preferred approach.
I understand where your coming from, but you have to think of this way. Every single site that you have an account with temporarily has your clear text password before they one way hash it and store it. Your browser doesn’t do any of the encryption before it sends your password. Not to mention that some big name sites don’t even use SSL or Hashing. So you already have this level of trust, if not more, with every site that you have a username and password for.
Personally, I would rather them temporarly handle my key and discard it like every other site in the world. It is amazing what memory dumps and hex editors can recover on a personal machine.
Dmac,
Regarding “trusting” the sites, even if they do disclose my userid and password, it will only impact my access to THEIR site.
The problem with having all your passwords in one site is that any compromise will impact EVERYTHING.
And I dont think the site uses hashing. It uses encryption, so if you hand over your encryption key, then they can decrypt everything.
I definitely agree that it is a bottleneck and a risk. Your Defygo data is locked behind two passwords of your choice. I personally have relayed two 14+ completely random passwords to memory with both capital, lowercase, letters, numbers, and special characters. I then let Defygo generate crypto-random passwords for all my other accounts so that each site has a completely unique and strong password. If you are are capable of rembering 50 random strong passwords then you definitely do not need Defygo. I personally can’t do that so I feel that 50 accounts with cryptorandom passwords locked behind two strong keys creates more security for me in the long run.
The bottom line is “TRUST”. I trust that the people at Google don’t read my GMAIL everyday. If they were to create a Product like Defygo, everyrone would be using it.
I can tell you exactly how your data is encrypted with Defygo. I guess I should have mentioned that I was in on development.
You create an e-liberty account just like on any other site. Your pasword is hashed and stored. You login to Defygo the first time and it asks you to create a Defygo Security Key (another password) which is sha512’ed and stored in the database. You then login to Defygo with your elib account and security key. The cleartext of your security key is hashed twice in a sha256 and sha512 format. The sha512 hash is used for comparison against the one in the database to authenticate you. The sha256 is kept for encryption purposes. When you add a username and password, your info is sent over ssl (just like any site you login into) with the sha256 hash of your security key. The server then AES 256 encrypts your data with the key being your sha256 hash of your defygo security key. The encrypted data is then stored and the sha256 hash is discarded. So the key used for the encryption is actually a 256 bit string of random hex characters vs.. your clear text password.
The scheme is solid and has been reviewed by security professionals. And if all else fails, you write your passwords in an excell file and use Defygo to encrypt the excell file with AES or TDES using a password of your choice locally. Use Defygo to decrypt it when neccessary.
I love talking about this stuff. Sorry for so much typing..
I also forgot to mention that all the hasing i spoke of was done on the client side on your local computer.
You also forgot to mention that you can’t download the software unless you are in the US or Canada.
I realize this may/may not be relevant, but I’ve been working on an open source, client side password keeper. It’s uses whats called a “host-proof” design. Essentially, all (en/de)cryption is done in the end users browser, and since it’s all encrypted with blowfish, there is about a nil chance that anyone sniffing the traffic or accessing the information on the server can read it.
That said it has drawbacks, like a very loose authentication system. Still, it’s just in it’s early stages. If you want to check it out go to http://www.blowpass.com/, and we also have a sourceforge account where you can grab all the source and set up your own version.