Wednesday, December 21, 2005


Storing Passwords On-line

I received an unsolicited promotion from a company that runs a password storage service--Agatra. Considering that I have several score passwords in a file folder in my cabinet, this could be very useful. I am not sure what the word 'Agatra' means, but something like would be a little more user friendly. Remember, it's about the end user remembering the site in easy-to-understand plain English, not about how cool a company's name is.

The most important aspect of a password service is the trust the end user has in the service. This depends in part on how well the service encrypts the passwords. Unfortunately, the description they give--that they use "cipher block" encryption--is not self-evident to the average user, and to the technical user it sounds like they are trying to hide something.

I suggest they give a better description for the average user--use only the word 'encryption', then explain how passwords are accepted, encrypted, stored, retrieved, decrypted, and presented to third-party websites in a secure way, and include a diagram that a 6th grader would understand. I would also suggest including a more technical description of which type/mode of block cipher encryption is being used (ECB, CBC, OFB, CFB, CCM, EAX, OCB, or one of their own making). We want to know that you know what you are doing.
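To show why the mode disclosure matters, here is an added Go example (not Agatra's code or anything from the original post) that stores the same vault entry under AES-ECB and under AES-GCM; GCM stands in for the authenticated modes named above (CCM, EAX, OCB) because it is the one in Go's standard library. The key, password and site names are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed 16-byte demo key; a real vault derives it from the user's master secret.
var demoKey = bytes.Repeat([]byte{0x42}, 16)

// encryptECB: each block is encrypted independently with no IV, so two stored
// entries holding the same password produce byte-identical ciphertext.
func encryptECB(key, pw []byte) []byte {
	blk, _ := aes.NewCipher(key) // demoKey is always a valid 16-byte key
	n := 16 - len(pw)%16         // PKCS#7 padding to fill whole 16-byte blocks
	src := append(append([]byte{}, pw...), bytes.Repeat([]byte{byte(n)}, n)...)
	for i := 0; i < len(src); i += 16 {
		blk.Encrypt(src[i:i+16], src[i:i+16]) // in place; exact overlap is permitted
	}
	return src
}

// sealGCM stores nonce||ciphertext||tag: the fresh nonce hides equality between
// entries, and the site name is bound as AAD so a blob cannot be moved to another entry.
func sealGCM(key, pw, site []byte) []byte {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk) // AES is a 128-bit block cipher, so NewGCM cannot fail here
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read always fills the buffer in current Go
	return g.Seal(nonce, nonce, pw, site)
}

// openGCM recovers the password, or fails if the blob or the site name was altered.
func openGCM(key, blob, site []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], site)
}

func main() {
	pw := []byte("correct horse")
	fmt.Println("ECB leaks equality:", bytes.Equal(encryptECB(demoKey, pw), encryptECB(demoKey, pw)))
	fmt.Println("GCM leaks equality:", bytes.Equal(sealGCM(demoKey, pw, []byte("bank")), sealGCM(demoKey, pw, []byte("bank"))))
}
```

ECB yields identical blobs for identical passwords, so a database leak reveals which users share a password; the GCM blobs differ per entry and refuse to decrypt if the blob or its site label is altered.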

Finally, some metrics would also add to the confidence factor: "15,392 passwords secured and counting," "368 websites safely accessed in the last 24 hours," etc.

Good luck, Agatra.

This idea feels profoundly wrong to me. I can completely understand the rationale for wanting such a service, but the possible breaking points are numerous and mostly out of a user's control. They may store them in a secure format, but what if they are transmitted in the clear somewhere in the chain? What if they get bought and the privacy policy is modified? It'd be the ChoicePoint debacle all over again.

For my "forget your password" needs, I turn to I also use passwords from a short list of good ones that I repeat all over the place. And, Apple's OS X provides the most-excellent Keychain, which encrypts and stores them on your local machine.
If you're looking for this type of password storing service, you might check out Bruce Schneier's Password Safe application.

Would you rather store your passwords in a tool written by one of the foremost cipher designers, or through an online service of people who are quite openly soliciting all of your passwords?