Pretty Good ID - Password replacement
Re: Password replacement
It works for me as well (I used X-Chromium too). Great work!
IMO, the most important addition the extension needs is ability to store the PGID in Local Storage (optionally with symmetric encryption) and load it automatically when the browser starts or when the user tries to login/register into a PGID-enabled website for the first time.
In fact, I'm interested in working on PGID myself. There may be an improved version of the extension later...
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Password replacement
Thanks for checking this out! You guys are so cool.
I will check out X-Chromium myself.
This current implementation is more a proof-of-concept to solicit feedback, so many things (e.g. robust error checking) are purposely missing. I think a basic implementation also has the advantage of being easy to read and understand without being bogged down by aesthetics or production-level error checks.
However, once the concept checks out, I will be more than happy to be involved in the development of a production-level PGID extension that stores the PGIDs in local storage, protected with symmetric encryption! I also plan to develop production mods and plugins for phpBB and WordPress for a start. I even have the motto stuck in my mind: "Pretty Good ID: Eliminating passwords, one website at a time."
Like I mentioned on the home page, I am not even sure storing the private key at the browser or app level is the best way to go. If this gets widespread use, you might not want to store your PGID with each of the browsers that you use, your feed reader, your email reader etc.
But since it is so simple to implement, maybe there are different approaches to suit different people. That's the beauty of it. A production-level extension that stores the PGIDs in local storage symmetrically encrypted is definitely one way to go. Maybe an extension that stores nothing but allows you to load the private key from file or scanned with a webcam. Or as mentioned, one vault-like software that provides a service to all other software on the machine without ever revealing the private keys. Or the ultimate: the operating system (Windows, Android etc.) providing this service!
There are many possible implementations that I can think of. Conceivably, the best approach is to have one vault-like software on each device that has access to the private key. Other software will simply communicate with the vault via IPC to invoke the various functions, without ever having access to the content of the private key. The PGID can be further protected using symmetric encryption (using a password, PIN, pattern etc.) so that it needs to be unlocked before use. This means even if the device is stolen, the thief will not have access to the private key. I have an unfinished prototype running under Windows, where the Chrome extension talks to the vault via native messaging, so the idea is certainly feasible.
Re: Password replacement
I'm afraid I still can't get how it works. I mean the general functionality and not the 'behind-the-scene' magic.
Could someone enlighten this (as if I were a 6 year old child)?
Re: Password replacement
Just thought I would chime in and say it works (of course the extension issue has already been mentioned.)
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Password replacement
@tproli: Have you installed the Chrome extension and tried it out? The demo site tries to provide the relevant technical info as you try out each function.
If you are unfamiliar with public key crypto, this wiki might get you started:
http://en.wikipedia.org/wiki/Public-key_cryptography
OK, short-term goals for this project:
1. Get the idea validated. So if you have any friends who are black hat, white hat, security experts etc., please get them to take a look and punch holes into the whole idea before I sink any more time and effort into this thing!
2. Create a production-level PGID extension for Chrome/Chromium and submit to Chrome App Store.
3. Create a phpBB mod and dog-food it on TPFC.
Exciting times!
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Password replacement
@tproli: General functionality is, you create a PGID and use that to register with supporting websites, instead of passwords.
Then, to login to a website, it is essentially a one-click operation using the Chrome extension.
The selling point is, you can use the same PGID for all the websites you register with. One PGID to rule them all! If one website gets hacked, nothing is compromised, nothing needs to be changed.
Questions?
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Password replacement
Another usage scenario:
Imagine someone at an Internet cafe. The browser has a non-storage, webcam-enabled PGID extension installed. He starts the browser, takes out a card with the QR-code of his PGID and scans it into the browser. Now he is free to login into all his websites. At the end of the session, he simply shuts down the browser and is clean to go.
Of course you can worry about a rogue extension, but it's on the same level of threat as a keylogger. A more secure way is of course to bring a portable browser on a USB memory stick. But I am describing a typical usage scenario involving someone who's not as security conscious and how PGID can be used in this case.
Re: Password replacement
If I understand correctly, I can have a PGID for all websites, but I can also have a different one for every website, right?
Last edited by joby_toss on Sun Jun 15, 2014 3:51 am, edited 1 time in total.
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Password replacement
@joby_toss: Yes. As few or as many as you wish. The extreme case is indeed one PGID for every website.
Re: Password replacement
Much clearer, thanks.
However, if one gets hold of my public key then she can log in with my account(s)?
And what happens if someone sits at my computer, or steals my USB stick?
Re: Password replacement
Same thing that happens when your password is stolen (from your PC, usb device etc.), but at least you have some control over this fact. PGID solves the "server hacked" part, the one you have no control over.
@Andrew: would it be possible (as an option) that the browser extension asks for a master password before the QR-Code is loaded?
Re: Password replacement
tproli wrote:
Much clearer, thanks.
However, if one gets hold of my public key then she can log in with my account(s)?
And what happens if someone sits at my computer, or steals my USB stick?
You meant private key.
Re: Password replacement
Course I meant
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Password replacement
Quote:
@Andrew: would it be possible (as an option) that the browser extension asks for a master password before the QR-Code is loaded?
Sure! That won't be difficult to do. Just add symmetric encryption like AES to local storage. I am leaving it out of the proof-of-concept code because I feel that should be implementation-dependent. Let's add that + local storage to the basic production extension.
- Andrew Lee
- Posts: 3063
- Joined: Sat Feb 04, 2006 9:19 am
- Contact:
Re: Password replacement
Quote:
However, if one gets hold of my private key then she can log in with my account(s)?
Well, as I mentioned before, in production code, the local storage (storing all the private keys) should be symmetrically encrypted and require a master password to decrypt.