William L. Maltby wrote:
On Wed, 2006-08-09 at 17:26 -0400, Bowie Bailey wrote:
William L. Maltby wrote:
The solution to that is a secure password manager. http://passwordsafe.sourceforge.net/
You just have to remember the one password and the program will track all of the rest for you. This way you can use gibberish passwords for important sites such as online banking and you don't have to remember them or write them down anywhere. The password database is encrypted using Twofish and SHA-256.
I don't care for that concept. One password cracked gives access to all. I would rather take the admitted risk of writing them down (in *my* scenario, rather secure at home) and referring to that when needed.
True, but if you make that one a good one and use it only for that purpose, the risks are minimal.
The ones I use frequently will be remembered. I don't use them on the road at all, so that's reasonable. I prefer to not have passwords stored on computers any more than necessary.
I don't think it's a problem to have the passwords stored on the computer. Just make sure they're securely encrypted.
No, I'll admit I fudge a *small* amount. Those who have access in my home know Windows only, not Linux, and I have no shares with them. They are TDU (Typical Dumb Users) and don't know how to use SSH, FTP, ... or even how to find my comps on the LAN (no SMB node or Domain Controllers here).
The only real downside is that if you don't have access to the password manager, you don't have access to anything else either.
Well, I do consider the one password exposes all a downside. But I also grant that it is more secure than many alternatives.
You know what they say: "You can put all your eggs in one basket, but WATCH THAT BASKET!"
As long as you are extremely careful with the access password, you shouldn't have a problem. I will take this risk for the advantage of being able to easily use highly secure passwords. For example, my online banking password is a sequence of random characters. I don't have to remember it or type it. If I didn't have a tool like this, I would have to either write it down somewhere or use a less-secure password that I could remember.
Oh...and don't forget to back up the password database! :)
I'm finalizing my LVM-based snapshots with aging of deleted files right now, so I will be covered.
That works, but a simple backup copy to a floppy disk or external hard drive works as well.
Thanks for the URL. I will go take a look. My mind is not yet rusted closed even if (... *when*) I think I'm right! :-)
The creator of this tool is a rather paranoid security expert. I figure if he is willing to use it, it's worth a look.
http://schneier.com/ (note that the Password Safe information on that page refers to an older version that used Blowfish rather than Twofish)