Good evening Tia,

I have thought about your idea a few times, but some pretty good arguments against this project always came to my mind. In my opinion the main problem is that you have to save the passwords on a server and, like you said: if the server is penetrated, the passwords will be lost. So you have to look for a method of getting the passwords without saving them on the server. Databases aren't "very" secure; not secure enough for your project.

My thought is coding a script which constitutes your passwords that you want to keep safe. So you have a private key with which you have to log in to your account --> you have to fill in a form and after clicking "submit" the script generates your passwords without the constraint to connect to your database. OK, by getting into the server and downloading this script the attacker can try to crack the algorithm, but without the private key he won't find out your stored passwords.

This is only my theory and my thoughts about this issue. But I think it is very sophisticated to solve a problem like this.

Sincerely,
Dominik Birk

At 21:53 08.04.02 -0400, Wooi Koay wrote:
>Hi,
>
>I would like to write a web app that stores a list of passwords securely.
>The reason why it has to be a web app is because I want to access the site
>using blackberry (rim handheld).
>
>My idea is to decrypt the password list using a public key, and when a
>valid user logs in, the password list is decrypted using the user's
>private key. If another user accidentally accesses the password list of
>different people, he still can't read the password list because he doesn't
>have the matched private key. The problem that I can see is that the
>webserver somehow needs to have access to the public/private key pair. If
>the webserver is compromised, the passwords could potentially be read. Any
>thought on that?
>
>TIA, wooi.

--
http://www.code-foundation.de
217.229.69.207 - - [14/Oct/2001:02:29:41 +0200] "GET /MSADC/root.exe?/c+dir
Microsoft? Where do you want to surf today?
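
The scheme Dominik describes, deriving each password from a secret instead of storing it, sketched as an added example that is not part of the original message: PBKDF2 stretches the secret and HMAC-SHA256 derives one password per site. The function names, alphabet, salt label and iteration count are assumptions chosen for this sketch.

```python
import hashlib
import hmac

# Constructed parameters for this sketch; none of them come from the thread.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-_"
KDF_ITERATIONS = 200_000


def master_key(secret: str, user: str) -> bytes:
    """Stretch the user's secret; the user name acts as a per-account salt."""
    salt = b"pwgen-v1:" + user.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)


def site_password(key: bytes, site: str, counter: int = 1, length: int = 16) -> str:
    """Derive the password for one site; raise `counter` to rotate it."""
    # Largest multiple of the alphabet size that fits in one byte.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    block = 0
    while len(out) < length:
        msg = f"{site}\x00{counter}\x00{block}".encode("utf-8")
        for byte in hmac.new(key, msg, hashlib.sha256).digest():
            # Rejection sampling: skip bytes that would bias the character choice.
            if byte < limit and len(out) < length:
                out.append(ALPHABET[byte % len(ALPHABET)])
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input.
    key = master_key("correct horse battery staple", "wooi")
    for site in ("mail.example", "bank.example"):
        print(site, site_password(key, site))
```

The server then holds no password list to steal, but anyone who learns the secret can regenerate every password, and the secret still passes through the server unless the derivation runs on the client.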
