Re: Secure Password Storage
On Thu, 14 Oct 2004 00:37:55 -0400
David Clymer <david@zettazebra.com> wrote:
> On Wed, 2004-10-13 at 19:18, Jacob S wrote:
> > Ok, so I know that using key based authentication is better, and
> > that you should never write down passwords. But, I don't know of any
> > websites that allow key based authentication (yet) and 135+
> > passwords is hard to memorize. :-)
> >
> > So, my next thought was removable media. But, what happens if I
> > lose the removable media (falls out of my pocket, gets stolen,
> > etc.), or a 'friend' snoops files they shouldn't?
>
> That's quite a few passwords. Depending on your security needs, it
> might be better to just split them into groups of 12 (an arbitrary
> number) and use the same password for each group. This would only
> require that you remember 12 passwords and which group the
> site/computer belongs to rather than having to remember such a large
> number of passwords. It would then be much easier to change passwords
> on a regular basis, if password security is an issue.
hmm... The problem there would be remembering which site/computer is in
which group. Though I could use the usbkey to note which group the site
is in and just memorize the passwords for the different groups. That
would allow me to keep the passwords off the usbkey and probably provide
the best security for the passwords.
> > I could encrypt them using ssh, but now I have to carry a second
> > removable media with me at all times - for my ssh key - and hope I
> > don't lose both pieces of media at the same time. If I don't carry
> > my ssh key with me, I've just lost the functionality of always
> > having my passwords with me. I could do a password protected zip
> > file, but that seems pretty weak to me.
>
> It seems you've found a use for ssh that I don't know about. You could
> use bcrypt to encrypt/decrypt your password file instead. With bcrypt,
> the passphrase is the key, no keyfiles are necessary.
Oops, sorry. I meant gpg, not ssh. :-[
> > I also don't have a laptop, so I realize that presents a whole new
> > set of complications and ways for privacy/security to be compromised
> > in regard to my passwords and keyloggers, etc.
> >
> > So, does anyone have any other suggestions for good ways to store
> > passwords in a fashion I can carry with me yet keep them secure? I'm
> > pretty much resigned to the fact that anyone that *really* wants to
> > get the passwords can, if they have the removable media and enough
> > time, but I don't want to make it any easier on them than I have to.
> >
>
> You could tattoo them on your body, or write them on paper with
> invisible ink :)
>
> If you are really worried about security, you could just decide not to
> access sensitive accounts/data from an untrusted computer, period.
> This kind of policy would remove the need to worry about keyloggers,
> etc.
Yes, I'll definitely need to prioritize, depending on what I'm doing,
where I'm trying to access. It's not like I'm a spy or a terrorist
though, so I shouldn't have to be too worried about it. :-)
Thanks,
Jacob
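The passphrase-only approach David describes for bcrypt, applied with gpg's symmetric mode (what Jacob said he meant by "ssh"), as an added example that is not part of the thread: a POSIX shell script that encrypts a password file so that the passphrase alone unlocks it and no key file has to travel with the media. The gpg options are real ones (the `--pinentry-mode loopback` form requires GnuPG 2.1 or later); the sample file contents, the function names and the round-trip check are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): passphrase-only symmetric encryption of a
# password file with gpg. Only the passphrase is needed to decrypt, so a lost USB
# key exposes ciphertext whose strength rests on the passphrase and the S2K cost.
set -eu

# Constructed sample password file for this demonstration (not real credentials).
make_sample() {
  printf 'example.org  alice  correct-horse-battery\n' > "$1"
  printf 'mail.example.net  alice  another-secret\n' >> "$1"
}

# Encrypt $1 into $2. The passphrase is read from stdin (fd 0), never from
# argv, where it would be visible in `ps` output and shell history.
# s2k-mode 3 = salted+iterated key derivation; the count slows guessing.
encrypt_file() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
      --symmetric --cipher-algo AES256 \
      --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
      --output "$2" "$1"
}

# Decrypt $1 into $2 with the passphrase from stdin.
decrypt_file() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
      --decrypt --output "$2" "$1"
}

# Round-trip check in a throwaway GNUPGHOME. Returns 0 only if the file
# decrypts back byte-for-byte, a wrong passphrase is rejected, and the
# ciphertext does not contain the plaintext secret.
roundtrip_check() {
  pass="$1"
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  work=$(mktemp -d)
  rc=0
  make_sample "$work/passwords.txt"
  printf '%s' "$pass" | encrypt_file "$work/passwords.txt" "$work/passwords.txt.gpg" || rc=1
  printf '%s' "$pass" | decrypt_file "$work/passwords.txt.gpg" "$work/recovered.txt" || rc=1
  cmp -s "$work/passwords.txt" "$work/recovered.txt" || rc=1
  # A wrong passphrase must fail rather than yield the plaintext.
  if printf '%s' 'not-the-passphrase' | decrypt_file "$work/passwords.txt.gpg" "$work/bad.txt" 2>/dev/null; then
    rc=1
  fi
  # The secret must not appear in the encrypted file.
  if grep -q 'correct-horse-battery' "$work/passwords.txt.gpg"; then
    rc=1
  fi
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work" "$GNUPGHOME"
  return "$rc"
}

# Usage: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  roundtrip_check 'correct horse battery staple' \
    && echo 'round-trip OK: decrypts with the passphrase, rejects a wrong one'
fi
```

The point of the S2K options is the one David raises about regular password changes: the passphrase is the whole secret, so its strength and the iteration count are what stand between a lost USB key and the plaintext. In everyday use you would omit `--passphrase-fd` and let gpg prompt, which keeps the passphrase out of any file or pipeline.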