Closed grctest closed 7 years ago
It's the responsibility of the account manager, like BAM. When I add a new account, the default PW is used. Why doesn't the account manager generate a secure PW and store it like a PW manager? The biggest problem I see is that the user needs a PW for every project he or she wants to log in to besides the account manager. Maybe the account manager could support an export function for the user's PW database as a KeePass encrypted database file. Then it would be easy to receive the PWs and import them into a local KeePass instance.
Why doesn't the account manager generate a secure PW and store it like a PW manager? It's just the way things have been implemented; it's certainly the case for Boincstats, however it's not confirmed that gridrepublic has the same security practices. That's certainly worth further investigation.
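To make the proposal above concrete, here is an added illustration, not code from this thread nor from BOINC, BAM! or Boincstats: a hypothetical per-project credential vault that generates a distinct random password per project with a CSPRNG, plus a check that reports any password shared across projects. The `legacy_vault` helper models the current behaviour the thread describes (one password reused everywhere) so the two can be compared; all project URLs and e-mail addresses are constructed sample values.

```python
import secrets
import string
from dataclasses import dataclass, field

# Character set for generated project passwords (assumption: any printable
# subset is acceptable to BOINC projects; this one avoids quotes/backslashes).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 24) -> str:
    """Return a random password drawn from the OS CSPRNG via `secrets`."""
    if length < 16:
        raise ValueError("per-project passwords should be at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class CredentialVault:
    """Hypothetical store an account manager could keep: project URL -> (email, password)."""
    accounts: dict = field(default_factory=dict)

    def attach_project(self, project_url: str, email: str) -> str:
        """Attach a project with a freshly generated, unique password and return it."""
        password = generate_password()
        self.accounts[project_url] = (email, password)
        return password

    def reused_passwords(self) -> dict:
        """Map every password used by more than one project to the list of those projects.

        An empty result means a phished credential for one project unlocks
        nothing else in the vault, which is the point of per-project secrets.
        """
        by_password: dict = {}
        for url, (_, password) in self.accounts.items():
            by_password.setdefault(password, []).append(url)
        return {pw: urls for pw, urls in by_password.items() if len(urls) > 1}


def legacy_vault(email: str, shared_password: str, project_urls: list) -> CredentialVault:
    """Model the behaviour criticised in the thread: the same password on every project."""
    vault = CredentialVault()
    for url in project_urls:
        vault.accounts[url] = (email, shared_password)
    return vault


if __name__ == "__main__":
    # Constructed sample data; no real projects or accounts.
    projects = ["https://project-a.example/", "https://project-b.example/", "https://project-c.example/"]
    good = CredentialVault()
    for url in projects:
        good.attach_project(url, "user@example.invalid")
    bad = legacy_vault("user@example.invalid", "same-password-everywhere", projects)
    print("per-project vault reuse:", good.reused_passwords())   # {}
    print("legacy vault reuse:", bad.reused_passwords())         # one password -> 3 projects
```

The `reused_passwords` check is the kind of audit an account manager could run over an imported credential set before offering an encrypted export, so that a user sees immediately which projects still share a secret.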
What would be great would be a stand-alone account manager, like a local Boincstats BAM! on your computer, so you'd be in charge of all your own keys.
Being able to export your passwords from boincstats would enable an attacker to gain access to your BOINC projects this way, no? But you have a good point that if they wanted to log into their BOINC project account directly this would be difficult without a SSO implemented.
What would be great would be a stand-alone account manager, like a local Boincstats BAM! on your computer, so you'd be in charge of all your own keys.
It would be another "app" the user has to install. But what if we think a bit further? Imagine a Secure Boinc Manager which encapsulates the native BOINC Manager in a secure environment that uses the Project Manager interface from the Boinc Manager, like a virtual machine. It's open source. So instead of one app you install another app including a Password Manager and multi-machine remote management like boinc task. Then the dev has nearly unlimited possibilities.
But: this is not the topic of this "issue"
The current state of password reuse within the BOINC environment due to account managers poses a massive security risk: if a BOINC user has a single project's credentials phished, then the attacker can log into their Boincstats account and all associated BOINC projects (due to boincstats using the same username/email/password combination).
If a more secure auth mechanism were found, integration into existing projects may be difficult, and compatibility with existing BOINC account managers will break.