Recently in sharedpass Category

So, I've got several people using SharedPass on a regular basis now.  They seem to be happy with it.  Other than the fact that it isn't prettified yet, it's ready for full use.  Feel free to use it!

You can store your passwords with confidence in SharedPass.  All fields marked "Encrypt" are encrypted and are completely unavailable to anyone, even me.  When you create your account, you choose the level of encryption.  The default setting is more than sufficient, but even the lowest setting is very secure.

I invite you to try it out.  I want to know what you think of it.  If you have feature requests, let me know!  I'd love to enhance it in whatever ways would make it better.

http://sharedpass.com/  (redirects to an SSL'd site, of course)

SharedPass, ready to be tried

By Dusty on February 12, 2009 5:26 PM

My fancy new password storage and sharing webapp is ready to be tried out.

http://sharedpass.com/ (redirects to an SSL'd site)

I intend to build a desktop app to interface with it at some point, but not today.  I'd also like a Palm app (or whatever phone I end up with when I finally do make it).

The interface is currently a bit ugly.  I'm not going to spend a bunch of time on the interface until I get feedback on the usage of the system.  I want feedback on the UI, too, but mostly the functionality.

You can create new entries as well as delete/remove/edit/share/import/export/revoke entries.  Delete will delete it from the database, including from everyone you've shared it with.  Remove just removes it for you.  When you click the button to do either, it'll tell you what happens.

On each page, there is a username/password form.  You must put in your username/password for each page if you want to perform an action.  Because I treat your password as something that should never be recorded (for security reasons) and the only thing that can unlock your keys is your password (combined with other things), I can't use a standard session management system to keep you logged in.

There is no logout.  There isn't a session to log out of, so there is no need to log out.  Just close the window or tab.  It's always best to close the browser if you want to be most secure, just in case the browser cached a page.

Feel free to use it.  I promise that I have absolutely no access to your passwords.  They're all encrypted (if you check the "encrypted" checkbox on that field) and require your valid login to unlock the key that decrypts the data.  Without your username/password, I can't access it.  Neither can anyone that gets access to the database.

Technically someone could hack the system, record all incoming passwords, and use them to unlock the keys.  Doing that would require that they modify the SharedPass app, which is likely to be noticed.  No promises on that yet.  It's not marketable yet, but it does function.

Let me know if you've used it and your thoughts.  Remember: I didn't intend for it to look nice yet.

Does anyone have the need for a system that allows you to share your passwords with other people?  My company needs to be able to share passwords between staff (website logins, etc).  The best I've found so far is SplashID, but it doesn't really work in Linux and it doesn't properly share passwords in the nice atomic way I need.  So I've started building a webservice that does this.

No, it doesn't store the passwords in plaintext.  Each user has a key (PKI-style).  The passwords are stored in a table.  That row doesn't have the password itself, just a reference to its existence.  Another table has the public-key-encrypted password, one entry per user with such access.  Not even the database admin (me) can see these passwords as they're encrypted with the keys.  The key is decrypted with the user's private key, which is only accessible by them.  When a user shares a password with someone else, the password is decrypted with the private key and then a new entry is created with the password encrypted with the target user's public key.  That entry is attached to the controlling row in the other table.  This allows for modifications to the password as well as all other metadata.  Those modifications will pass through to the other users' entries.

The nice thing about using public/private keys is that you can encrypt items destined for others without being able to decrypt them, properly protecting the data.  Even if someone were to get a full database dump of the system, they wouldn't be able to use it.

I'm planning to make a desktop client as well as a Palm client for this.
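
The two-table sharing model described above, sketched with Node's built-in crypto module. This is an added example, not SharedPass's own code; the table and function names, RSA-OAEP, and unlocking the private key with the login password alone are assumptions.

```javascript
const crypto = require('node:crypto');

// In-memory stand-ins for the tables (names are hypothetical).
const users = new Map();   // username -> { publicKey, lockedPrivateKey }
const entries = new Map(); // entryId -> { label }: controlling row, holds no secret
const grants = new Map();  // "entryId:username" -> ciphertext only that user can open

function createUser(name, loginPassword) {
  // Assumption: the private key is stored only in passphrase-encrypted form, keyed
  // by the login password alone (the post says it is combined with other things).
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem',
      cipher: 'aes-256-cbc', passphrase: loginPassword },
  });
  users.set(name, { publicKey, lockedPrivateKey: privateKey });
}

// Encrypting needs only the recipient's public key (RSA-OAEP, short secrets only).
function seal(name, secret) {
  return crypto.publicEncrypt(users.get(name).publicKey, Buffer.from(secret, 'utf8'));
}

// Decrypting needs the stored ciphertext plus the password that unlocks the key.
function reveal(entryId, name, loginPassword) {
  const ciphertext = grants.get(`${entryId}:${name}`);
  if (!ciphertext) throw new Error('no access to this entry');
  const key = { key: users.get(name).lockedPrivateKey, passphrase: loginPassword };
  return crypto.privateDecrypt(key, ciphertext).toString('utf8');
}

function addEntry(entryId, label, owner, secret) {
  entries.set(entryId, { label });
  grants.set(`${entryId}:${owner}`, seal(owner, secret));
}

// Sharing: decrypt with the sharer's key, re-encrypt to the target's public key.
function share(entryId, from, fromPassword, to) {
  grants.set(`${entryId}:${to}`, seal(to, reveal(entryId, from, fromPassword)));
}

// Revoking drops only that user's ciphertext row.
function revoke(entryId, name) {
  return grants.delete(`${entryId}:${name}`);
}
```

Everything held in `users`, `entries` and `grants` is what a database dump would contain: public keys, passphrase-locked private keys, labels and ciphertext.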