Tuesday, January 23rd, 2007

LockBin: An OpenID Password Vault

Category: JavaScript, Utility


Matt Reider decided to write a password vault called LockBin.

What is it, and why is it different?

LockBin is an AJAX website built in PHP. It stores our passwords securely, and uses OpenID to do so. It is sort of funny to me that it uses OpenID, because the technology was never intended to be used in this way. But it serves as a good way of encrypting data because I can save unique encryption keys for each user, without storing their keys anywhere on my server. The encryption key is their OpenID, which is located elsewhere and verified using a neutral 3rd party.

Isn’t this risky?

This is a grand experiment about trust. Will people take a leap of faith and use a system like this? I am not sure that I would, but I am. But I trust it, because I built it. And if other people take that risk, it is likely that more will follow.
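The post describes the scheme only in outline: the verified OpenID URL is the key input, and nothing key-like is stored on the server. The following is an added example (not LockBin's code; the post does not name the cipher or key derivation it uses) that shows one way to realise that design in Python with the standard library: the claimed identifier is normalised, a per-user salt and PBKDF2 turn it into an encryption key and a MAC key, and the server persists only salt, nonce, ciphertext and tag. The HMAC-counter keystream stands in for a real cipher and is an assumption of this example. The salt and tag make records distinct and tamper-evident; they do not change the property the post relies on, namely that the confidentiality of a vault rests entirely on the identifier used as key input staying unknown to anyone other than its owner.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample vault content; not real credentials.
SAMPLE_VAULT = b"site=example.org user=alice pw=correct-horse-battery"

PBKDF2_ITERATIONS = 100_000  # assumption: the post gives no parameters


@dataclass
class StoredRecord:
    """What the server persists for one user: salt, nonce, ciphertext, tag.
    No identifier and no key material appear here."""
    salt: bytes
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def normalize_identifier(claimed: str) -> str:
    """Canonicalise a claimed OpenID URL so the same identifier always derives
    the same key (simplified OpenID 1.1 rules: default http scheme, lowercase
    host, trailing slash on an empty path, fragment dropped)."""
    claimed = claimed.strip()
    if "://" not in claimed:
        claimed = "http://" + claimed
    parts = urlsplit(claimed)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def derive_keys(openid_url: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the verified identifier.
    The identifier itself is never written to disk, only the random salt."""
    material = hashlib.pbkdf2_hmac("sha256",
                                   normalize_identifier(openid_url).encode(),
                                   salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real stream cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(openid_url: str, plaintext: bytes) -> StoredRecord:
    """Encrypt-then-MAC the vault under keys derived from the identifier."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(openid_url, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return StoredRecord(salt, nonce, ciphertext, tag)


def decrypt_vault(openid_url: str, record: StoredRecord) -> bytes:
    """Verify the tag before decrypting; a wrong identifier or a modified
    record fails here rather than yielding garbage plaintext."""
    enc_key, mac_key = derive_keys(openid_url, record.salt)
    expected = hmac.new(mac_key, record.salt + record.nonce + record.ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record.tag):
        raise ValueError("authentication failed: wrong identifier or tampered record")
    stream = _keystream(enc_key, record.nonce, len(record.ciphertext))
    return bytes(c ^ k for c, k in zip(record.ciphertext, stream))


def server_side_fields(record: StoredRecord) -> dict:
    """Everything the server would store for a user; note there is no
    identifier and no key, matching the constraint the post describes."""
    return {"salt": record.salt.hex(), "nonce": record.nonce.hex(),
            "ciphertext": record.ciphertext.hex(), "tag": record.tag.hex()}


if __name__ == "__main__":
    rec = encrypt_vault("http://www.4coderz.com/", SAMPLE_VAULT)
    print(server_side_fields(rec))
    # Same identifier, differently written, still opens the vault.
    print(decrypt_vault("WWW.4coderz.com", rec))
```

Normalisation matters in practice: "WWW.4coderz.com" and "http://www.4coderz.com/" are the same OpenID, and if the relying party derived the key from the raw string the user typed, a capitalisation difference at login would lock the user out of their own vault.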

Posted by Dion Almaer at 9:28 am




Not sure you support openid.delegate. My openid is http://www.4coderz.com/, and I have the following in my page. This works when I log into zooomr.com:

Comment by Jeremy — January 24, 2007

<link href='http://www.myopenid.com/server' rel='openid.server'>
<link href='http://jeremy1.myopenid.com/' rel='openid.delegate'/>

Comment by Jeremy — January 24, 2007
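Jeremy's question is about OpenID 1.1 delegation: a relying party fetches the claimed URL, reads the openid.server and openid.delegate link tags from its head, redirects the user to that server, and sends the delegate URL as the identity while continuing to treat the claimed URL as the user's identifier. The following is an added example in Python (not LockBin's code; the sample pages are constructed, the first one reproducing the two link tags from the comment above) showing that discovery step and the check a relying party needs on the way back: the identity the server asserts must match what discovery said it should be.

```python
from html.parser import HTMLParser

# Constructed sample pages. The first reproduces the two <link> tags posted
# in the comment above; the second has no delegate.
PAGE_WITH_DELEGATE = """<html><head><title>4coderz</title>
<link href='http://www.myopenid.com/server' rel='openid.server'>
<link href='http://jeremy1.myopenid.com/' rel='openid.delegate'/>
</head><body>hello</body></html>"""

PAGE_WITHOUT_DELEGATE = """<html><head>
<link rel="openid.server" href="http://example.invalid/openid/server">
</head><body></body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collects the first openid.server and openid.delegate <link> tags."""

    def __init__(self):
        super().__init__()
        self.server = None
        self.delegate = None

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if "openid.server" in rels and self.server is None:
            self.server = a.get("href")
        if "openid.delegate" in rels and self.delegate is None:
            self.delegate = a.get("href")


def discover(page_html: str, claimed_id: str) -> dict:
    """Return the server to redirect to and the identity to send it.

    With a delegate present, the relying party sends the delegate URL as
    openid.identity but keeps binding the user (and, in LockBin's scheme, the
    vault key) to claimed_id, the URL the user actually typed."""
    parser = _OpenIDLinkParser()
    parser.feed(page_html)
    if parser.server is None:
        raise ValueError("no openid.server link found; cannot authenticate this identifier")
    return {"server": parser.server,
            "identity": parser.delegate or claimed_id,
            "claimed_id": claimed_id}


def response_identity_ok(discovered: dict, returned_identity: str) -> bool:
    """The identity in the server's positive assertion must equal the one
    discovery produced; otherwise the assertion is for a different identity
    and must not be accepted for claimed_id."""
    return returned_identity == discovered["identity"]


if __name__ == "__main__":
    d = discover(PAGE_WITH_DELEGATE, "http://www.4coderz.com/")
    print(d)
    print(response_identity_ok(d, "http://jeremy1.myopenid.com/"))
```

Without delegate support a relying party sends http://www.4coderz.com/ itself to myopenid.com, which has never heard of that URL, so login fails; that is the symptom Jeremy describes.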

in the inaugural post of LockBin forums, the author says that he had these design constraints:

“- The key which encrypts their information must be unique to each user.
- These keys must not be anywhere on LockBin’s server, impossible for even the system admin (me) to figure out.”

and his solution was using OpenID.

“OpenID is the perfect key with which to encrypt a user’s information. The raw OpenID is not saved on LockBin’s server. It is unique for every user, and it cannot be guessed because the user must be authenticated by the OpenID server when they login.”

Wouldn’t it be nice if he provided more information about what exactly the “raw OpenID” is, how it is retrieved and stored, which kind of cipher has been used, …?

Many thanks,

Comment by Marco Barulli — January 24, 2007

Raw OpenID is just that, the user’s openID. But it is not located anywhere on the LockBin server. This is the problem with most seed-based encryption schemes. The seed is sitting in a script file on the server somewhere. But in this case, the seed is elsewhere.

Comment by Matt — January 27, 2007
