Wednesday, November 29th, 2006

Passlet: Ajax password manager with AES client-side encryption

Category: Security, Showcase

Passlet is a new Ajax password manager that does all encryption/decryption on the client side.

Passlet uses the industry-standard key derivation function PBKDF2 (c.f. RFC 2898) to derive a 128-bit AES key from the master password.

Here is the Password-Based Key Derivation Function 2 (PBKDF2) JavaScript implementation.

Agatra (covered earlier) offers similar functionality, but Passlet author Parvez Anandam points out: “Agatra does not encrypt and decrypt passwords locally. But Passlet does. All AES encryption and decryption is done completely client-side. The server does not ever see the master password. Passlet uses the key derivation function PBKDF2 (c.f. RFC 2898) to derive a 128-bit AES key from the master password. I believe this is the first (and only) javascript implementation of this key derivation.” Another website along these lines is Halfnote (covered earlier).

Passlet is an example of the Host-Proof Hosting pattern (a closer fit than Agatra and Halfnote). Parvez says “While I was reading it, I couldn’t help but smile: your design pattern is a generalization of what I was thinking in the specific context of a password manager. And now you have a real-world example of this design pattern!”


Posted by Dion Almaer at 8:37 am


Unfortunately, the Host-Proof Hosting pattern is unsafe as-is because it still relies on script sent from the server. If hackers can steal server-side data, encrypted or not, hackers can poison *.js files containing the script that runs on the client-side. The pattern also requires strong anti-phishing protection. Frankly, I don’t think any of the anti-phishing solutions out there is strong enough protection to guard a universal password.

Comment by Don Park — November 29, 2006

Basically what you are saying applies to any content you can get through the web, ergo your corollary is that you shouldn’t trust anything that you do online whatsoever.

Comment by Garcia — November 29, 2006

Garcia, what I am saying applies to not only the web but to real life. But I still wouldn’t make the ridiculous leap of logic you made because requiring zero risk is as vain as requiring perfection. BTW, I am just stating my opinion, not burning someone’s house down. Chill.

Comment by Don Park — November 29, 2006

Garcia stated an opinion in response, rather than pummeling you with a fire hose. Chill.

Comment by Trevor — November 30, 2006

I think this is a nice idea. We need only an example of how to implement it on our own sites ;)

Comment by murphy — November 30, 2006

For “insecure” passwords on websites, I use the passwdlet

It’s “only” md5, but at least the generated passwords are seemingly random and require some effort to crack.

Neat thing is that it doesn’t require anything from a server :)

Comment by Morgan Roderick — November 30, 2006

It looks like the system does not use asynchronous processing at all, which creates some poor performance when submitting this information. The browser interface becomes unresponsive.

Comment by Jason Kichline — December 1, 2006

[…] Read more: here […]

Pingback by Passlet: Ajax password manager with AES client-side encryption :: Newstack — December 2, 2006

[…] I saw on my Ajaxian feed today a neat service called Passlet. Essentially it is a password keeper, like KisKis or the one built into Firefox. The novelty here is that it uses JavaScript to handle all the encrypting and decrypting on the client side. That means no transmission of clear text information, not even over SSL. […]

Pingback by » John Hobbs Blog » Blog Archive » — December 4, 2006
