Wednesday, November 29, 2006

AJAX driven password management

How many username/password combinations do you need to remember? Does having so many make you re-use the same password over and over? If you're like me, you have dozens of website logins to remember, and only a few different names and passwords for them.

Obviously, this is insecure. If someone were to get hold of your common password, they could theoretically log in to every account that uses it.

In comes Passlet, a web-based, AJAX-driven, client-side encrypting password manager.

The theory behind this is that all encryption is done in your local browser, and the Passlet server never sees your passwords in unencrypted form. Of course, you will have to make sure that the browser you are using is on a trusted computer.
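To make the "server never sees your passwords" model concrete, here is an added example that is not Passlet's or PassPack's code: the browser derives a key from a master passphrase and uploads only salt, IV and ciphertext. The use of Web Crypto, PBKDF2, AES-GCM, the iteration count and all function names are assumptions chosen for illustration.

```javascript
// Added example, not Passlet's or PassPack's code. Web Crypto, PBKDF2 and
// AES-GCM are assumptions chosen for illustration.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Browsers expose `crypto` globally; older Node versions need the import.
async function webCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive an AES-256 key from the master passphrase; it never leaves the client.
async function deriveKey(passphrase, salt) {
  const { subtle } = await webCrypto();
  const material = await subtle.importKey(
    'raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 200000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt one entry locally and return the only thing the server would store.
async function sealEntry(passphrase, entry) {
  const c = await webCrypto();
  const salt = c.getRandomValues(new Uint8Array(16)); // fresh per record
  const iv = c.getRandomValues(new Uint8Array(12));   // never reused with a key
  const key = await deriveKey(passphrase, salt);
  const ct = await c.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(JSON.stringify(entry)));
  return { salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Decrypt a record fetched from the server; a wrong passphrase throws.
async function openEntry(passphrase, record) {
  const { subtle } = await webCrypto();
  const key = await deriveKey(passphrase, fromB64(record.salt));
  const pt = await subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64(record.iv) }, key, fromB64(record.ct));
  return JSON.parse(dec.decode(pt));
}

// Constructed sample entry; the printed record is all the server would store.
sealEntry('correct horse battery staple', { site: 'example.test', password: 'constructed-sample' })
  .then((record) => console.log(record));
```

Storing only this record keeps plaintext off the server, but the page's JavaScript still handles the passphrase, so the scheme depends on trusting the code the site serves as well as the computer it runs on.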

Passlet does provide disclaimers that no one should use the site to store sensitive financial information, and that they are not responsible for any loss or damage resulting from the use of their service.

It's a good idea, but its security has yet to be proven. It is in beta, and until more is done to verify the strength of its security, it should be used only to store the most mundane information (logins for other beta web sites you are testing, for example).


Roy Stahl said...

Problems with Passout: (My take on your blog)

Not really web2.0 - no community, no sharing (at least I hope not).

Web 2.0 and AJAX should be more exciting than a simple HTML response that sends a couple of small chunks of data to a backend to get me excited.

What happens if you walk away from your desk at work for 5 minutes and this screen is up? There is no protection, everything is exposed. A timeout would fix this.

I didn't see an SSL lock on my browser, just https.

The encrypt/decrypt code is borrowed from a 2001 website. Looks like a JavaScript project. It may even be in the guy's book. It is not a JS book that I use.

I already do client-side encrypting of passwords, and I imagine that a lot of people do. That way you never need to be involved with your user's password.

It is a web page, not a web site or a web company. Anyone could duplicate this in an hour or two if they thought it was a good idea.

Tara said...

I've been working on PassPack - another online password manager in Beta3. We too implement the Host-Proof Hosting (like Passlet) but we've addressed a couple of the other issues you mentioned as well:

Close up/block when you're inactive for 2 minutes.

A quick hide-it-all button (we call it "pack it up") which also does a Close up/block, but on command.

Web community, you're right, no sharing, but we run a blog... and a developers area is coming soon for tech info, bug tracking, comments, feedback, etc.

SSL - of course (though I think Passlet actually has this too, to be honest).

Encrypt/decrypt codes are all industry standard. The classics: AES, Block TEA etc.

The site is here:

The blog is here:
(excuse the standard theme - one more thing to get done!)