The following is an idea for a small technology demonstration application that I would like to have for my own use.
Internet Password Safe
The rationale for this application is to increase security for the user on websites that require passwords, by storing the passwords securely so that the user can use a different strong password for each web site they encounter.
The tool would include the following functionality:
- The user can store username, password, description of the site, and optionally a url for each site they use.
- The information for a site would be encrypted on the browser and sent to and stored on the server in encrypted form.
- The server would not have a copy of the master password.
- The encryption of the entire user key safe would be governed by a single pass phrase.
- A strong password can be generated for the site and then used to register on the site.
- The password can be placed on the system clipboard and pasted into the password field of the website.
- The username can be placed on the system clipboard and pasted into the username field of the website.
- The system clipboard will be cleared after x seconds AND when the application is closed.
- The application would be accessible from a public url. SSL could be used to contact the server but the data stored would be further encrypted in the application.
- The user can make an export to his computer at any time. (This export could have its own password using some standard format?)
Technologies used:
- Flex for the UI
- encryption in Flex using AS3Crypto
- CouchDB for the DB
- Apache and PHP for the application
Benefits to the user:
- The user can use unique strong passwords for each site. The user would not need to know the passwords at all.
- The user can have a single password to unlock all of the passwords for the sites. This one password could be changed without affecting the other websites.
- The user could access the key safe from home and work, and both would be kept in sync; they would be the same safe.
I use an application called PasswordSafe, which was originally written by Bruce Schneier. You can find a copy at the link. The only problem is that keeping the safe at home and work means carrying it on a thumb drive, which I never actually carry, so things are hopelessly out of sync. In practice this isn’t a big problem because I don’t tend to use the same sites at home, but I’d like to have a single safe.

I use password safe at home too.
How does this idea fit in with movement toward OpenID or other single identity stuff? That is, does this solve a problem that will eventually go away, or will this always be a problem? Just curious since I don’t know the state of ID stuff these days.
You are right this is solving a problem that might go away. It is all in how you define “go away.” Do you mean go away like calculators and slide rules (that have pretty much disappeared overnight) or go away like printers in the paperless office (where printers will never go away)?
Well, I would bet that passwords on websites will be more like the printer option. Password Safe can also be used for linux, remote desktop, etc. logins in addition to websites. Kerberos and other solutions for this sort of thing have been around for decades, but when was the last time you logged in to remote desktop with anything but a password?
I also use Password Safe for notes and bank account numbers among other things. It is pretty handy as a general tool.
As to OpenID as the technology to win here, this is a sad article. Sad for those who hope it will be universally adopted. http://blog.crowdvine.com/2009/04/02/declining-openid-usage/