my1Login - Trustworthy Passwordmanagement?

Michael asked me to translate the my1Loging Blog Entry I wrote last week into English. Here you go…

What is my1Login?

my1login is your free, online favorites and password manager, providing you with a personal portal to the internet. It can be used to securely store bookmarks for your favourite web sites together with your corresponding login and password details, meaning that wherever you’re accessing the internet from, you’ll only have to remember your my1login to sign-in to all your favourite sites.

So basically, it’s a browser based Version of KeePass or 1Password.

The security focus with my1Login lies on the „KEY” which is used to encrypt the passwords of the different websites and which is independent from the username and password you are using to access the my1Login site. my1Login describes the „KEY” this way:

Your KEY enables your data to be encrypted within your browser using AES (Advanced Encryption Standard), an encryption standard which is so secure that it has been adopted by the US government to secure classified information.

Unfortunately, we don’t know nothing more about the AES implementation they are using. Have they implemented AES themselves – which would make Bruce Schneier rather nervous – and if they are using a Library, they are not disclosing which one. They are also not stating, with what parameters they are operating AES – which can make a big difference.
But even more important then these details is the question how „secure” an AES implementation inside a browser window can be, even if they are implementing features to derail keyloggers and the like. Who is guaranteeing me, that the my1Login JavaScript code is not recording and transmitting my keyphrase to their servers or that the browser is secure and does not have a „bugged” JavaScript engine?
If you want further arguments why JavaScript Cryptography is a bad idea, read JavaScript Cryptography Considered Harmful.

To get the JavaScript code to the browser in a secure way, my1Login is using SSL/TLS (good idea) and certificates from Verisign (not such a good idea). Verisign a) basically belongs to the US government and b) was repeatedly hacked in 2010.

I personally wouldn’t give a rats ass that an security audit performed by Hewlett Packard’s Information Security team confirmed that the my1login service is „robust” and also specifically commented about the high levels of encryption used to provide the service. As long, as nobody is describing to me EXACTLY, what they mean bei „robust”, I would touch that solution with a 10 feet pole. And using „high levels of encryption”, does not mean, that the service is „secure” in any way.

Another thing that bothers me is the fact, that my1Login can automatically log me into services like Facebook or Twitter. This would mean – at least in my understanding – that my1Login needs access to my password for that service. A thing they claim to prevent by using the AES KEY. IMHO, they are contradicting themselves.

There are a few other quirks, like not being able to use valid email-addresses to register (a „+” in the name is valid, a thing they fixed after a tweet from me) or that a registration without JavaScript enabled is not possible.

Personally, I wouldn’t use that service if you would pay me for it.
But if somebody out there is doing a „real” security assessment of my1Login, I would be interested in reading it.

Tagged as: , , , , | Author:
[Sonntag, 20120311, 13:09 | permanent link | 0 Kommentar(e)

Comments are closed for this story.


Disclaimer

„Leyrers Online Pamphlet“ ist die persönliche Website von mir, Martin Leyrer. Die hier veröffentlichten Beiträge spiegeln meine Ideen, Interessen, meinen Humor und fallweise auch mein Leben wider.
The postings on this site are my own and do not represent the positions, strategies or opinions of any former, current or future employer of mine.
Impressum / Offenlegung gemäß § 25 Mediengesetz

Search

Me, Elsewhere

Tag Cloud

2007, 2blog, 2do, 2read, a-trust, a.trust, a1, accessability, acta, advent, age, ai, amazon, ankündigung, apache, apple, at, audio, austria, backup, barcamp, basteln, bba, big brother awards, birthday, blog, blogging, book, books, browser, Browser_-_Firefox, bruce sterling, buch, bürgerkarte, cars, cartoon, ccc, cfp, christmas, cloud, coding, collection, command line, commandline, computer, computing, concert, conference, copyright, covid19, css, database, date, datenschutz, debian, delicious, demokratie, design, desktop, deutsch, deutschland, dev, developer, development, devops, digitalisierung, digitalks, dilbert, disobay, dna, dns, Doctor Who, documentation, Domino, domino, Douglas Adams, download, downloads, drm, dsk, dvd, e-card, e-government, e-mail, e-voting, E71, education, Ein_Tag_im_Leben, elga, email, encryption, essen, eu, EU, event, events, exchange, Extensions, fail, fedora, feedback, film, firefox, flash, flightexpress, food, foto, fsfe, fun, future, games, gaming, geek, geld, git, gleichberechtigung, google, graz, grüne, grüninnen, hack, hacker, handtuch, handy, hardware, HHGTTG, history, how-to, howto, hp, html, humor, ibm, IBM, ical, iCalendar, image, innovation, intel, internet, internet explorer, iot, iphone, ipod, isp, IT, it, itfails, itfailsAT, itfailsDE, java, javascript, job, jobmarket, journalismus, keyboard, knowledge, konzert, language, laptop, law, lego, lenovo, life, links, linux, Linux, linuxwochen, linuxwochenende, live, living, lol, london, lost+found, lotus, Lotus, Lotus Notes, lotus notes, lotusnotes, LotusNotes, lotusphere, Lotusphere, Lotusphere2006, lotusphere2007, Lotusphere2008, lotusphere2008, lustig, m3_bei_der_Arbeit, mac, mail, marketing, mathematik, media, medien, metalab, microsoft, Microsoft, mITtendrin, mobile, mood, motivation, movie, mp3, multimedia, music, musik, männer, nasa, nerd, netwatcher, network, netzpolitik, news, nokia, Notes, notes, Notes+Domino, office, online, OOXML, open source, openoffice, opensource, orf, orlando, os, outlook, patents, pc, pdf, performance, perl, personal, php, picture, pictures, podcast, politics, politik, pr, press, presse, privacy, privatsphäre, productivity, programming, protest, public speaking, qtalk, quintessenz, quote, quotes, radio, rant, recherche, recht, release, review, rezension, rip, rss, science, search, security, server, settings, sf, shaarli, Show-n-tell thursday, sicherheit, silverlight, smtp, SnTT, social media, software, sony, sound, space, spam, sprache, spö, ssh, ssl, standards, storage, story, stupid, summerspecial, sun, surveillance, sysadmin, talk, talks, technology, The Hitchhikers Guide to the Galaxy, theme, think, thinkpad, thunderbird, tip, tipp, tools, topgear, torrent, towel, Towel Day, TowelDay, travel, truth, tv, twitter, ubuntu, ui, uk, unix, update, usa, usb, vds, video, videoüberwachung, vienna, Vim, vim, vintage, vista, vorratsdatenspeicherung, vortrag, wahl, wcm, web, web 2.0, web2.0, Web20, web20, webdesign, werbung, wien, wiener linien, wikileaks, windows, windows 7, wired, wishlist, wissen, Wissen_ist_Macht, wlan, work, workshops, wow, writing, wtf, Wunschzettel, wunschzettel, www, xbox, xml, xp, zensur, zukunft, zune, österreich, övp, übersetzung, überwachung

AFK Readinglist