Thursday, January 5th, 2006

Forget Your Passwords with Agatra

Category: Security, Showcase

Agatra is a new service for managing all your passwords. Based on your Agatra master password, it will maintain a list of logins and passwords for all your favourite websites. It’s more than a memory tool, because Agatra’s list of sites will actually launch the links – in most cases, you can log in automatically from Agatra’s “launch page” (my terminology).

We’ve seen password managers before, but they’re usually standalone apps or browser extensions (e.g. PasswordMaker). What’s different here is that Agatra is portable and requires no plugins. The passwords are encrypted and decrypted locally, meaning that the server never sees them and data theft would not expose them. It’s the first public website I’ve come across that’s doing this (any others?).

Browser-side encryption of sensitive data was proposed a while back by Richard Schwartz and is the idea behind the Host-Proof Hosting pattern. It’s interesting because it’s very Ajax and yet nothing to do with rich widgets or sexy effects; instead, it relies on the ability of Ajax apps to avoid any page refresh. Browser state will survive display updates and server calls, meaning that the password only needs to be entered at the start of the session, and will then remain available without having to be transferred to the server.

There are some great benefits, but also significant risks, such as the threat of script injection raised by Alex Russell in the comments on the original blog entry. Another risk is that a user will choose a trivial master password, unaware that it is the key protecting every other password. There are, of course, counter-measures that help reduce these risks.

Would you trust Agatra with your passwords? If you’re a sysadmin (most of us are, even if we’re not actually paid for it :-)), would you recommend it to your users? As always in security, it’s important to weigh up the system in the context of the practices many people currently use, which might well be more vulnerable.

Posted by Michael Mahemoff at 10:27 pm
9 Comments


No more need to remember your passwords with Agatra

With Agatra, there is no more need to remember your logins and passwords on the Internet!
Once logged in to Agatra, you are immediately identified on the sites of your choice (Gmail, Hotmail, your favourite forums, etc…)

Agatra remembers all your accounts (log…

Trackback by Business Garden — January 6, 2006

There is no safe place to put your password other than your brain – just my opinion. No way would I trust this app.

Tom

Comment by Tom — January 6, 2006

Are you sure the passwords are encrypted and decrypted locally? I’m using the Firefox Web Developer extension and I didn’t see any JavaScript for encryption in there.

Comment by Kevin Dangoor — January 6, 2006

“Would you trust Agatra with your passwords? If you’re a sysadmin (most of us are, even if we’re not actually paid for it :-)), would you recommend it to your users?”

I’d give both of those a big “Hell, no!” in response. If I trust anything to store my passwords other than my brain, I’d keep them in a desktop app (as a Mac user, I use KeyChain) and then encrypt the filesystem wherever the app stores them.

No way would I store passwords in a place where someone could discover SQL injection, XSS or session hijacking.

Comment by Shawn — January 6, 2006

Kevin, I haven’t verified there’s any browser-side encryption directly, but I asked the president of Agatra (Andrew Hayward) about this before posting and he said this:

“Agatra stores the passwords as encrypted information throughout the login process. We use the Agatra password as a key to unencrypt the passwords the users enter. As a result, there’s no way to unlock the site passwords without possessing the “key” (i.e., the Agatra password). We have no access to the users’ “Agatra” password in unencrypted format, and thus we have no access to user passwords either. In this way, even if someone with less than honorable intentions gains access to our server, they would still need all the individual “keys” (Agatra passwords) to gain access to the site passwords.”

I was left with the impression it’s encrypted locally, and that’s certainly feasible, but it is possible that’s not happening here.

Comment by Michael — January 6, 2006

Agatra account management

Password rule number one: don’t write your passwords down.

I just saw a report about Agatra and at first only glanced at it, but then I also saw over at keso’s that he had written a piece on it, so I took a serious look at what this thing actually is; it turns out this…

Trackback by 國生三年才開始 — January 6, 2006

I would put most of my passwords in here (email, logins to most sites) except my banking pw’s.. very little that you do online is secure anyway (especially email) so who cares? If it makes it easier, sounds great to me.

Comment by Alexei — January 6, 2006

Thanks, Alex, for recommending my Password Generator bookmarklet. I don’t know why people are still trying to solve this problem…! (Oh, right, they think they might make some money off it somehow.)

Comment by Nic Wolff — January 8, 2006

I actually use NeedMyPassword.com and I love it! It’s online password storage and recovery. It’s GUARANTEED safe, secure, and hacker safe… there’s nothing to worry about. It’s so helpful because I have so many passwords to remember. I don’t even know how I got along without it! I would recommend it 100%

Comment by maddy71892 — May 3, 2008
