my1Login - Trustworthy Password Management?
Michael asked me to translate the my1Login blog entry I wrote last week into English. Here you go…
What is my1Login?
my1login is your free, online favorites and password manager, providing you with a personal portal to the internet. It can be used to securely store bookmarks for your favourite web sites together with your corresponding login and password details, meaning that wherever you’re accessing the internet from, you’ll only have to remember your my1login to sign-in to all your favourite sites.
The security focus with my1Login lies on the "KEY", which is used to encrypt the passwords for the different websites and which is independent of the username and password you use to access the my1Login site itself. my1Login describes the "KEY" this way:
Your KEY enables your data to be encrypted within your browser using AES (Advanced Encryption Standard), an encryption standard which is so secure that it has been adopted by the US government to secure classified information.
Unfortunately, we know nothing more about the AES implementation they are using. Have they implemented AES themselves – which would make Bruce Schneier rather nervous – or are they using a library? If so, they are not disclosing which one. They are also not stating with what parameters they are operating AES, which can make a big difference.
I personally wouldn't give a rat's ass that a security audit performed by Hewlett Packard's Information Security team confirmed that the my1login service is "robust" and also specifically commented on the high levels of encryption used to provide the service. As long as nobody describes to me EXACTLY what they mean by "robust", I wouldn't touch that solution with a 10-foot pole. And using "high levels of encryption" does not mean that the service is "secure" in any way.
Another thing that bothers me is the fact that my1Login can automatically log me into services like Facebook or Twitter. This would mean – at least in my understanding – that my1Login needs access to my password for that service, which is exactly what they claim to prevent by using the AES KEY. IMHO, they are contradicting themselves.
Personally, I wouldn't use that service even if you paid me for it.
But if somebody out there is doing a "real" security assessment of my1Login, I would be interested in reading it.