The website online password vault can be looked on as either a noble but bad attempt in password security or as a lame phishing attack.
If you have been following my comments at Technopinoy and at a Pinoytechblog, you may have read some of my observations with OPV. Starts off with a lousy privacy policy (which was suddenly changed) and a lack of SSL. Now, overnight, it appears that OPV has found its SSL certificate. Or so it claims. (Click on thumbnail below to see the screen shot)
SSL, or Secure Socket Layer, is basically a communication protocol. Not an encryption algorithm. SSL basically ensures that there is a secure channel between client and host. But once the data reaches the host, how the data is stored is dependent on the host. Therefore, while my password information is transmitted securely, it does not mean that it is securely stored. For all we know, the password is stored in plain text at the server side.
(Update: I checked the certificate. It isn’t coming from a trusted source like Verisign but from Forest Data Systems. Tried googling it and zilch)
Hence my fundamental issue with the design and the explanations. OPV claimes:
Your passwords are heavily protected in a database. Every password uses certain types of encryption. Encryption is the process of obscuring information to make it unreadable without special knowledge or rights like knowing your username, e-mail and password. These keys to your account are a form of secret authentication data that is used to control access to a resource. All passwords use a one-way cryptographic hash function with a 128-bit hash value. A hash function is a way of creating a small digital fingerprint from any kind of data, which is unique to each user.
Because of the design of the website, your passwords are not just sitting on a webpage ready for someone to intercept. They are only sent to you, and only you when you push show password. Once you hide it, the password is no longer there. All action with user accounts is server side.
Heavily protected? How?
It appears that the password is encrypted using your username, email, and OPV password as the keys. The problem is the one-way hashing. If it is one-way hashing, how can you retrieve the information? And if it is stored encrypted on the server side, OPV still has to decrypt the password to transmit it back to you for you to display. If so, then what’s stopping the webmaster from decrypting all the stored passwords themselves?
I know the webmaster reads this site because he has acted on all my comments. So I hope he can clarify how the site processes the inputs. Until then, it is best that people stay away from this site.