
Re: password managers



On Tue, 15 Jun 2004 04:56, andrew lattis <debian@naranek.org> wrote:
> Currently I've got an ever growing password list in a plain text file
> stored on an encrypted loopback fs; this is getting cumbersome...
>
> Figaro's password manager (package fpm) looks nice and uses Blowfish to
> encrypt data, but I can't find anything showing any type of third party
> audit.
>
> What does everyone else use to keep track of all their passwords?

OS X from Apple has a password manager program; it allows passwords to be made 
available to applications for certain time periods (not sure how this is 
supposed to work, as the application could just write it to disk).

I think that an ideal password management scheme would be mediated by an SGID 
application (SGID so that it can access storage unavailable to regular user 
processes and so that it can't be ptraced).

Password storage would be either in a file owned by the user that is mode 0600 
under a mode 1770 system directory with group ownership being the group that 
the management program is SGID to, or a regular file in the home directory 
that is encrypted (requiring a password authentication for the first login of 
the day or something similar).

The password management system would need to have helpers for managing 
passwords that would be called by the application.  For example, there would 
be POP and IMAP helpers which would establish a connection to the mail 
server, authenticate, and then use a unix domain socket to pass the file 
handle for the TCP socket back to the calling application (so the MUA would 
never be able to recover the password).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
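The helper handoff described in the message above, as an added example that is not part of the original mail or of any existing package. It shows the mechanics of passing an already-authenticated socket back to the caller over a Unix domain socket with SCM_RIGHTS, so the calling application only ever holds the post-login connection. Everything around that core is an assumption made for the example: the helper and the mail server are forked children of one program (the design above would use a separate SGID executable, which is what actually keeps the password out of the application's reach; here the constant is necessarily in the same binary), the "TCP connection" is a socketpair, and the POP-like dialogue, the password and the STAT reply are constructed.

```c
/* Added example, not from the mail above.  A helper logs in to a stand-in
 * mail server and hands the authenticated connection to the application via
 * SCM_RIGHTS.  Helper, server, password and dialogue are all constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>

static const char SECRET_PASSWORD[] = "correct-horse-constructed"; /* constructed */
static const char STAT_REPLY[] = "+OK 2 1024\r\n";                 /* constructed */

static int put(int fd, const char *s) {
    size_t n = strlen(s);
    return write(fd, s, n) == (ssize_t)n ? 0 : -1;
}

/* Send one descriptor over a connected AF_UNIX socket using SCM_RIGHTS. */
int send_fd(int chan, int fd) {
    char tok = 'F';
    struct iovec iov = { .iov_base = &tok, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c;
    memset(&u, 0, sizeof u);
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(); -1 on error or if none was attached. */
int recv_fd(int chan) {
    char tok;
    int fd;
    struct iovec iov = { .iov_base = &tok, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c;
    memset(&u, 0, sizeof u);
    if (recvmsg(chan, &msg, 0) != 1 || (c = CMSG_FIRSTHDR(&msg)) == NULL) return -1;
    if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS || c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Stand-in mail server: expects "PASS <secret>", then answers one STAT. */
static void toy_server(int conn) {
    char line[128], want[128];
    ssize_t n = read(conn, line, sizeof line - 1);
    snprintf(want, sizeof want, "PASS %s\r\n", SECRET_PASSWORD);
    if (n <= 0) _exit(1);
    line[n] = '\0';
    if (strcmp(line, want) != 0) { put(conn, "-ERR\r\n"); _exit(1); }
    if (put(conn, "+OK\r\n") < 0 || (n = read(conn, line, sizeof line - 1)) < 4) _exit(1);
    if (strncmp(line, "STAT", 4) == 0) put(conn, STAT_REPLY);
    _exit(0);
}

/* The helper: the only process that formats and sends the password.  It hands
 * the socket over only after the server has accepted the login. */
static void helper(int chan, int conn, const char *password) {
    char buf[128];
    snprintf(buf, sizeof buf, "PASS %s\r\n", password);
    if (put(conn, buf) < 0) _exit(1);
    ssize_t n = read(conn, buf, sizeof buf - 1);
    if (n < 3 || strncmp(buf, "+OK", 3) != 0) _exit(1);   /* refused: pass nothing back */
    _exit(send_fd(chan, conn) == 0 ? 0 : 1);
}

/* Application side (the "MUA"): receives the authenticated socket from the
 * helper, issues STAT and copies the reply into out.  Returns 0 on success,
 * -1 if the helper refused the handoff or anything else failed. */
int app_fetch_via_helper(const char *helper_password, char *out, size_t outlen) {
    int srv[2], chan[2], conn, st;
    pid_t sp, hp;
    ssize_t n = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, srv) < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return -1;
    if ((sp = fork()) == 0) { close(srv[1]); close(chan[0]); close(chan[1]); toy_server(srv[0]); }
    if ((hp = fork()) == 0) { close(srv[0]); close(chan[0]); helper(chan[1], srv[1], helper_password); }
    /* The app keeps only its end of the helper channel; it sees the mail
     * connection only if the helper decides to pass it over. */
    close(srv[0]); close(srv[1]); close(chan[1]);
    conn = recv_fd(chan[0]);
    close(chan[0]);
    if (conn >= 0 && put(conn, "STAT\r\n") == 0) n = read(conn, out, outlen - 1);
    if (conn >= 0) close(conn);
    if (sp > 0) waitpid(sp, &st, 0);
    if (hp > 0) waitpid(hp, &st, 0);
    if (n <= 0) return -1;
    out[n] = '\0';
    return 0;
}

/* 1 when the app ends up talking on the authenticated connection. */
int handoff_succeeds_with_correct_password(void) {
    char buf[64];
    return app_fetch_via_helper(SECRET_PASSWORD, buf, sizeof buf) == 0 && strcmp(buf, STAT_REPLY) == 0;
}

/* 1 when a rejected login leaves the app with no connection at all. */
int handoff_refused_with_wrong_password(void) {
    char buf[64];
    return app_fetch_via_helper("not-the-password", buf, sizeof buf) == -1;
}

int main(void) {
    char buf[64];
    if (app_fetch_via_helper(SECRET_PASSWORD, buf, sizeof buf) != 0) { puts("handoff failed"); return 1; }
    printf("app received authenticated socket; STAT reply: %s", buf);
    return 0;
}
```

The SCM_RIGHTS part is unchanged for a real TCP socket: the descriptor the helper passes is whatever it connected and logged in with, and the receiver gets a new descriptor number referring to the same open connection. The isolation the message describes comes from the helper being a separate SGID program with its own protected store, not from this single-binary demonstration.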

