Thursday, January 5th, 2006
Forget Your Passwords with Agatra
Agatra is a new service for managing all your passwords. Based on your Agatra master password, it will maintain a list of logins and passwords for all your favourite websites. It’s more than a memory tool, because Agatra’s list of sites will actually launch the links - in most cases, you can log in automatically from Agatra’s “launch page” (my terminology).
We’ve seen password managers before, but they’re usually standalone apps or browser extensions (e.g. PasswordMaker). What’s different here is that Agatra is portable and requires no plugins. The passwords are encrypted and decrypted locally, meaning that the server never sees them and data theft would not expose them. It’s the first public website I’ve come across that’s doing this (any others?).
Browser-side encryption of sensitive data was proposed a while back by Richard Schwartz and is the idea behind the Host-Proof Hosting pattern. It’s interesting because it’s very Ajax and yet nothing to do with rich widgets or sexy effects; instead, it relies on the ability of Ajax apps to avoid any page refresh. Browser state will survive display updates and server calls, meaning that the password only needs to be entered at the start of the session, and will then remain available without having to be transferred to the server.
There are some great benefits, but also significant risks such as the threat of script injection, as raised by Alex Russell in the comments on the original blog entry: any script that runs in the page sees the decrypted passwords, no matter where the encryption happens. Another risk is that a user will choose a trivial master password, unaware that it is the only thing protecting every other password. There are, of course, counter-measures as well to help reduce these risks.
Would you trust Agatra with your passwords? If you’re a sysadmin (most of us are, even if we’re not actually paid for it :-)), would you recommend it to your users? As always in security, it’s important to weigh up the system in the context of the practices many people currently use, which might well be more vulnerable.
No more need to remember your passwords with Agatra
With Agatra, no more need to remember your logins and passwords on the Internet!
Once logged in to Agatra, you are immediately signed in on the sites of your choice (Gmail, Hotmail, your favourite forums, etc.)
Agatra remembers all your accounts (log…
There is no safe place to put your password other than your brain - just my opinion. No way would I trust this app.
Tom
How can they come up with such an app? The idea of a password is not to give it away.
There is a nice bookmarklet that lets you have a master password, too. It’s called Passwdlet (also available for blummy) and your password will not leave your computer.
It’s for the same reason that I don’t use Meebo (instant messenger) or some del.icio.us tool which submits my password through their server. They can have 100 privacy policies and I’d still not use it.
Are you sure the passwords are encrypted and decrypted locally? I’m using the Firefox Web Developer extension and I didn’t see any JavaScript for encryption in there.
“Would you trust Agatra with your passwords? If you’re a sysadmin (most of us are, even if we’re not actually paid for it :-)), would you recommend it to your users?”
I’d give both of those a big “Hell, no!” in response. If I trust anything to store my passwords other than my brain, I’d keep them in a desktop app (as a Mac user, I use KeyChain) and then encrypt the filesystem wherever the app stores them.
No way would I store passwords in a place where someone could discover SQL injection, XSS or session hijacking.
Kevin, I haven’t verified there’s any browser-side encryption directly, but I asked the president of Agatra (Andrew Hayward) about this before posting and he said this:
“Agatra stores the passwords as encrypted information throughout the login process. We use the Agatra password as a key to unencrypt the passwords the users enter. As a result, there’s no way to unlock the site passwords without possessing the “key” (i.e., the Agatra password). We have no access to the users’ “Agatra” password in unencrypted format, and thus we have no access to user passwords either. In this way, even if someone with less than honorable intentions gains access to our server, they would still need all the individual “keys” (Agatra passwords) to gain access to the site passwords.”
I was left with the impression it’s encrypted locally, and that’s certainly feasible, but it is possible that’s not happening here.
Agatra account management…
Password rule number one: never write your passwords down.
I just saw a piece about Agatra; I was only going to glance at it, but then I saw that keso had written a post about it too, so I went and took a serious look at what this thing actually is. It turns out this…
I would put most of my passwords in here (email, logins to most sites) except my banking pw’s... very little that you do online is secure anyway (especially email) so who cares? If it makes it easier, sounds great to me.
7dots is an app I’m working on that is a similar idea, but will have very different execution. Our primary goal is to allow quick and easy (assisted by AJAX, of course) retrieval for passwords to anything, not just websites.
We’re building it largely for people like us (web developers) who have way too many passwords to remember.
Read about 7dots and read about organizing passwords and tell us what you think.
Security is a huge issue, and we take it extremely seriously, but even so, we know we’ll have a tough time getting the Slashdot crowd to join.
I don’t like the idea that my passwords will be saved on some foreign and unknown server.
The more people use this service, the more interesting it will get for hackers to get those passwords.
I use local software (KeePass). I can store the data on my hard drive or take it with me on a USB memory stick.
Thanks, Alex, for recommending my Password Generator bookmarklet. I don’t know why people are still trying to solve this problem…! (Oh, right, they think they might make some money off it somehow.)
What happens when Agatra closes shop? By the way, Nic, PasswordMaker is and always has been free.
As Alex points out above, Agatra does NOT do local encryption and decryption.
For that, try the brand new Passlet:
https://www.passlet.com
Unlike Agatra, Passlet is a true AJAX site. All AES encryption and decryption happens client-side. The server never sees the master password.
I actually use NeedMyPassword.com and I love it! It’s online password storage and recovery. It’s GUARANTEED safe, secure, and hacker safe… there’s nothing to worry about. It’s so helpful because I have so many passwords to remember. I don’t even know how I got along without it! I would recommend it 100%