
Re: Secure Password Storage



On Wed, 2004-10-13 at 19:18, Jacob S wrote:
> Ok, so I know that using key based authentication is better, and that
> you should never write down passwords. But, I don't know of any websites
> that allow key based authentication (yet) and 135+ passwords is hard to
> memorize. :-)
> 
> So, my next thought was removeable media. But, what happens if I lose
> the removeable media (falls out of my pocket, gets stolen, etc.), or a
> 'friend' snoops files they shouldn't?
> 

That's quite a few passwords. Depending on your security needs, it might
be better to just split them into groups of 12 (an arbitrary number) and
use the same password for each group. This would only require that you
remember 12 passwords and which group the site/computer belongs to
rather than having to remember such a large number of passwords. It
would then be much easier to change passwords on a regular basis, if
password security is an issue.

> I could encrypt them using ssh, but now I have to carry a second
> removeable media with me at all times - for my ssh key - and hope I
> don't lose both pieces of media at the same time. If I don't carry my
> ssh key with me, I've just lost the functionality of always having my
> passwords with me. I could do a password protected zip file, but that
> seems pretty weak to me. 
> 

It seems you've found a use for ssh that I don't know about. You could
use bcrypt to encrypt/decrypt your password file instead. With bcrypt,
the passphrase is the key, no keyfiles are necessary.

> I also don't have a laptop, so I realize that presents a whole new set
> of complications and ways for privacy/security to be compromised in
> regard to my passwords and keyloggers, etc. 
> 
> So, does anyone have any other suggestions for good ways to store
> passwords in a fashion I can carry with me yet keep them secure? I'm
> pretty much resigned to the fact that anyone that *really* wants to get
> the passwords can, if they have the removeable media and enough time,
> but I don't want to make it any easier on them than I have to.
> 

You could tattoo them on your body, or write them on paper with
invisible ink :)

If you are really worried about security, you could just decide not to
access sensitive accounts/data from an untrusted computer, period. This
kind of policy would remove the need to worry about keyloggers, etc.

-davidc
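The reply above suggests encrypting the password file with a tool where the passphrase itself is the key, so no separate key file has to travel with the media. The following script is an added illustration of that approach and is not part of the original thread; it uses OpenSSL's `enc` command rather than the bcrypt utility the reply names, and assumes an OpenSSL 1.1.1 or later build (for the `-pbkdf2` and `-iter` options) plus `mktemp` and `cmp`. The password list it encrypts is constructed sample data, not real credentials.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread): protect a plaintext
# password list with a key derived only from a passphrase, so the passphrase
# is the single secret and no key file is needed.
# Assumption: openssl >= 1.1.1 is installed (needed for -pbkdf2 / -iter).
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample password list; these are not real credentials.
cat > "$WORKDIR/passwords.txt" <<'EOF'
example.com   alice  Tr0ub4dor-sample
mail.example  alice  correct-horse-sample
EOF

# encrypt_file PLAINTEXT CIPHERTEXT PASSPHRASE_FILE
# -salt stores a random salt in the output so equal passphrases give
# different keys per file; -pbkdf2 with a high -iter count makes each
# passphrase guess expensive for anyone who obtains the encrypted file.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file CIPHERTEXT PLAINTEXT PASSPHRASE_FILE
# Returns non-zero when the passphrase is wrong (OpenSSL reports "bad decrypt").
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$1" -out "$2" -pass "file:$3" 2>/dev/null
}

# Demo run. The passphrase is read from a file (restrict its permissions) so it
# never appears on the command line, where other local users could read it.
umask 077
printf '%s\n' 'sample-passphrase-only' > "$WORKDIR/pass.txt"
encrypt_file "$WORKDIR/passwords.txt" "$WORKDIR/passwords.enc" "$WORKDIR/pass.txt"
decrypt_file "$WORKDIR/passwords.enc" "$WORKDIR/roundtrip.txt" "$WORKDIR/pass.txt"
if cmp -s "$WORKDIR/passwords.txt" "$WORKDIR/roundtrip.txt"; then
  echo "round trip OK: ciphertext decrypts back to the original list"
fi
```

Only `passwords.enc` would go on the removable media; the plaintext and the passphrase file exist here just for the demonstration. The strength of this scheme rests entirely on the passphrase, since anyone holding the media can try guesses offline, which is why the slow, salted key derivation matters.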
