Wednesday, November 29th, 2006
Passlet: Ajax password manager with AES client-side encryption
Passlet is a new Ajax password manager that does all encryption/decryption on the client side.
Passlet uses the industry-standard key derivation function PBKDF2 (cf. RFC 2898) to derive a 128-bit AES key from the master password.
Here is the Password-Based Key Derivation Function 2 (PBKDF2) JavaScript implementation.
Agatra (covered earlier) offers similar functionality, but Passlet author Parvez Anandam points out: “Agatra does not encrypt and decrypt passwords locally. But Passlet does. All AES encryption and decryption is done completely client-side. The server does not ever see the master password. Passlet uses the key derivation function PBKDF2 (cf. RFC 2898) to derive a 128-bit AES key from the master password. I believe this is the first (and only) JavaScript implementation of this key derivation.” Another website along these lines is Halfnote (covered earlier).
Passlet is an example of the Host-Proof Hosting pattern (a closer fit than Agatra or Halfnote). Parvez says: “While I was reading it, I couldn’t help but smile: your design pattern is a generalization of what I was thinking in the specific context of a password manager. And now you have a real-world example of this design pattern!”
Unfortunately, the Host-Proof Hosting pattern is unsafe as-is because it still relies on script sent from the server. If hackers can steal server-side data, encrypted or not, hackers can poison *.js files containing the script that runs on the client side. The pattern also requires strong anti-phishing protection. Frankly, I don’t think any of the anti-phishing solutions out there is strong enough protection to guard a universal password.
Basically what you are saying applies to any content you can get through the web, ergo your corollary is that you shouldn’t trust anything that you do online whatsoever.
Garcia, what I am saying applies to not only the web but to real life. But I still wouldn’t make the ridiculous leap of logic you made because requiring zero risk is as vain as requiring perfection. BTW, I am just stating my opinion, not burning someone’s house down. Chill.
Garcia stated an opinion in response, rather than pummeling you with a fire hose. Chill.
I think this is a nice idea. We only need an example of how to implement it on our own sites ;)
For “insecure” passwords on websites, I use the passwdlet
http://labs.zarate.org/passwd/
It’s “only” md5, but at least the generated passwords are seemingly random and require some effort to crack.
Neat thing is that it doesn’t require anything from a server :)
It looks like the system does not use asynchronous processing at all, which causes poor performance when submitting this information. The browser interface becomes unresponsive.
[...] I saw on my Ajaxian feed today a neat service called Passlet. Essentially it is a password keeper, like KisKis or the one built into Firefox. The novelty here is that it uses JavaScript to handle all the encrypting and decrypting on the client side. That means no transmission of clear text information, not even over SSL. [...]
BlowPass is an open source version of the same thing using the blowfish algorithm instead. It’s still in development (it was created a little over 3 days ago actually) but it’s already got a decent amount of functionality.
Check Out The Demo @ http://static.velvetcache.org/projects/blowpass/demo/