Comments on: P2M Encrypted Password http://www.p2pnet.net/story/2616 p2pnet.net - reader powered Wed, 01 Feb 2012 15:11:09 -0300 http://wordpress.org/?v=2.8.4 hourly 1 By: Reader's Write http://www.p2pnet.net/story/2616/comment-page-1#comment-135639 Reader's Write Tue, 20 Mar 2007 18:59:00 +0000 #comment-135639 There is a underground P2M Community that exists at http://p2m.serveHTTP.com (requires registration) they already released alot of stuff. There is a underground P2M Community that exists at
http://p2m.serveHTTP.com (requires registration)

they already released alot of stuff.

]]> By: Reader's Write http://www.p2pnet.net/story/2616/comment-page-1#comment-135638 Reader's Write Tue, 20 Mar 2007 18:57:35 +0000 #comment-135638 There is a underground P2M Community that exists at http://p2m.serveHTTP.com (requires registration) they already released alot of stuff. There is a underground P2M Community that exists at
http://p2m.serveHTTP.com (requires registration)

they already released alot of stuff.

]]> By: Reader's Write http://www.p2pnet.net/story/2616/comment-page-1#comment-13151 Reader's Write Wed, 04 May 2005 20:49:40 +0000 #comment-13151 By: Reader's Write http://www.p2pnet.net/story/2616/comment-page-1#comment-10778 Reader's Write Mon, 07 Mar 2005 04:46:59 +0000 #comment-10778 http://p2manyak.cjb.net/ http://p2manyak.cjb.net/

]]> By: Reader's Write http://www.p2pnet.net/story/2616/comment-page-1#comment-6049 Reader's Write Sun, 03 Oct 2004 15:15:20 +0000 #comment-6049 All the things you said are true and I do warn the users that this method isnt bullet proof. The suggestions you mentioned are out of my hands as you said yourself - the servers need to support that. As I said before a sophisticated user can read the decrypted password. A big part of P2M community is trust. But, a user dont even have to share his account. users can trade. For example, I can ask you to send me a file and in return I will send one to your account. If you do want to share your account, do it with friends who wont go through all the hassle to recover your password. All the things you said are true and I do warn the users that this method isnt bullet proof. The suggestions you mentioned are out of my hands as you said yourself – the servers need to support that. As I said before a sophisticated user can read the decrypted password.
A big part of P2M community is trust.
But, a user dont even have to share his account. users can trade. For example, I can ask you to send me a file and in return I will send one to your account.

If you do want to share your account, do it with friends who wont go through all the hassle to recover your password.

]]> By: Reader's Write http://www.p2pnet.net/story/2616/comment-page-1#comment-6047 Reader's Write Sun, 03 Oct 2004 14:35:59 +0000 #comment-6047 I understand it is already better than using the password itself, but I am concerned that you could obtain the password easily by redirecting the output to yourself, thus having users complain that the security is not effective. For instance you could redirect the ip of the website to localhost by adding a line in your host file and set up a webserver on localhost. This is a trivial example but you could route all request to a local server since you can fool your own computer... Not to that mention that reading the password from memory with a debugger after decryption would not be that hard... Is this option better if the user mistakenly thinks it is secure when it probably is more obfuscation? What is really neaded is a "read-only" password for e-mail accounts... Or possibly the "secure authentification" that sends a hash of the password instead of the password itself. Since the hash is one-way it cannot be used to recover the password. But the mail server needs to support that option, so it knows to compare the hash and not the password. I'm not sure how common that method is... Keep up the good work! I understand it is already better than using the password itself,
but I am concerned that you could obtain the password easily
by redirecting the output to yourself,
thus having users complain that the security is not effective.

For instance you could redirect the ip of the website to localhost
by adding a line in your host file
and set up a webserver on localhost.
This is a trivial example but you could route all request to a local server
since you can fool your own computer…

Not to that mention that reading the password from memory
with a debugger after decryption would not be that hard…

Is this option better if the user mistakenly thinks it is secure
when it probably is more obfuscation?

What is really neaded is a “read-only” password for e-mail accounts…

Or possibly the “secure authentification” that sends
a hash of the password instead of the password itself.
Since the hash is one-way it cannot be used to recover the password.

But the mail server needs to support that option,
so it knows to compare the hash and not the password.
I’m not sure how common that method is…

Keep up the good work!

]]> By: Reader's Write http://www.p2pnet.net/story/2616/comment-page-1#comment-6031 Reader's Write Sun, 03 Oct 2004 05:25:15 +0000 #comment-6031 First I have to say that the password encryption is not bullet proof and if you REALLY wanted you can find it out using sophisticated methods. P2M decrypt the password only to the password input box of predefined websites (gmail, walla, yahoo, hotmail etc) so you cannot see the password after its decrypted. The password is decrypted locally and there is no server that holds passwords. The reason I created this option is to lower the risks of someone locking your out of your account by changing the password. You know that once a user is logged in to the account he can delete the whole content, so there must be some kind of trust between the users. The encryption is just a way to prevent account locking – feeling more safe sharing your account. You can change the password at any time and lock it to anyone else – but only you the account holder. First I have to say that the password encryption is not bullet proof and if you REALLY wanted you can find it out using sophisticated methods. P2M decrypt the password only to the password input box of predefined websites (gmail, walla, yahoo, hotmail etc) so you cannot see the password after its decrypted. The password is decrypted locally and there is no server that holds passwords.
The reason I created this option is to lower the risks of someone locking your out of your account by changing the password. You know that once a user is logged in to the account he can delete the whole content, so there must be some kind of trust between the users. The encryption is just a way to prevent account locking – feeling more safe sharing your account. You can change the password at any time and lock it to anyone else – but only you the account holder.

]]> By: Reader's Write http://www.p2pnet.net/story/2616/comment-page-1#comment-6027 Reader's Write Sun, 03 Oct 2004 04:38:55 +0000 #comment-6027 If P2M decrypts the password, what exactly is there to prevent anyone from capturing said password after decryption? Also, why can't anyone just use decryption function of P2M to get the passwords? Or is P2M some server somewhere to acts as a trusted party that holds all the passwords to unlock accounts? The security model doesn't make sense. Need more info. If P2M decrypts the password, what exactly is there to prevent
anyone from capturing said password after decryption?

Also, why can’t anyone just use decryption function of P2M
to get the passwords?

Or is P2M some server somewhere to acts as a trusted party
that holds all the passwords to unlock accounts?

The security model doesn’t make sense.
Need more info.

]]>