Firewall Wizards mailing list archives
RE: password mgmt
From: Linus Corin <linus () corin net>
Date: Fri, 03 Dec 1999 13:38:35 +0000
What's wrong with just storing the passwords in an encrypted file on the PC (or other computer for that matter, but I'd guess most admins are, just like me, stuck with a PC)?

On the other hand, I don't mind if people have passwords written down on a piece of paper in their wallets; I do sometimes. If I'd lose my wallet, and I'd had a note in it saying "Password for all servers at work: abc123", I would just change those passwords anyway. So what's the problem? It's better to have a good password, and keep it written down, in a "safe" place, than having stupid passwords like "welcome".

Linus
-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of Rick Smith
Sent: 30 November 1999 22:25
To: John Kirby; firewall-wizards () nfr net
Cc: john_kirby () hotmail com
Subject: Re: password mgmt

At 02:23 AM 11/29/1999 PST, John Kirby wrote:

> While not specific to firewalls, managing multiple passwords securely is certainly part of maintaining good security. Has anyone used a PalmPilot for keeping track of assorted passwords?

If you feel comfortable putting the information on a yellow stickie near your computer, then it's probably OK to store in your Palm. For example, passwords for personal family Web sites, your New York Times freebie Web ID, things like that, should be no problem, since you're unlikely to suffer any major loss if someone snags a copy of your HotSynced files.

It's important to recognize that Palm's "private record" feature only protects things when residing on the Palm itself. Once the data is HotSynced, it sits on your PC in plaintext. And not all Palm desktops demand a password before doing HotSync. So, passwords stored in conventional Palm databases can probably be read if someone steals your Palm or copies the HotSync files from your workstation.

A better alternative is to use an encryption package. I've heard people say good things about a product called "ReadIt" that runs under HackMaster. It has an optional encryption module that uses 128 bit IDEA, and it hashes passphrases to generate keys. While this still isn't the strongest thing in the world (many people's passphrases will probably turn out to be their kids' names) it's worlds better than native Palm security.

> Any other ideas that avoid having critical passwords recorded somewhere?

"Critical passwords should always be hard to remember and never be written down." My wife keeps hers on a slip of paper under her mouse pad. I won't let her do that sort of thing with the housekeys, though.
I keep hearing about "wallets" and "keychains" from various software vendors, but they're all proprietary and incompatible. Didn't someone successfully attack the last incarnation of the Microsoft Wallet? The Right Thing would be to have an open standard for a text password/passphrase storage structure that could be unlocked on your workstation or palmtop or wherever a compatible application would run. The actual database just floats around in encrypted form. Maybe export control will be relaxed enough next month to make such a thing practical. Rick. smith () securecomputing com
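The thread above keeps circling the same design: an encrypted password file whose key is derived from a passphrase, with the passphrase itself as the weak point. The following is an added example, not code from this thread and not the "ReadIt" module or any product mentioned in it. It uses only the Python standard library, so it substitutes a PBKDF2-derived key and an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) for the 128-bit IDEA cipher Rick mentions; the file format (magic, salt, nonce, ciphertext, tag), the iteration count and the name blocklist are all constructed for illustration. The blocklist check is the point of the exercise: it refuses the "kid's name" passphrases that turn a KDF into a formality.

```python
import hashlib
import hmac
import json
import secrets

MAGIC = b"PWSTORE1"          # constructed file marker, not a real format
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
ITERATIONS = 600_000         # assumed PBKDF2 cost; tune to the hardware

# Constructed blocklist standing in for "kids' names" and other guessable words.
WEAK_PASSPHRASES = {"emma", "liam", "olivia", "noah", "welcome", "abc123", "password"}


def passphrase_is_weak(passphrase: str, blocklist=WEAK_PASSPHRASES, min_len: int = 16) -> bool:
    """Reject passphrases that are short or consist only of blocklisted words."""
    words = passphrase.lower().split()
    if len(passphrase) < min_len:
        return True
    return all(w in blocklist for w in words)


def derive_keys(passphrase: str, salt: bytes, iterations: int = ITERATIONS):
    """Derive 64 bytes with PBKDF2-HMAC-SHA256; split into cipher key and MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for a block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, entries: dict, iterations: int = ITERATIONS) -> bytes:
    """Serialise entries as JSON, encrypt under a passphrase-derived key, append a MAC."""
    if passphrase_is_weak(passphrase):
        raise ValueError("passphrase is too short or too guessable")
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    plaintext = json.dumps(entries).encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()   # MAC covers header too
    return header + ct + tag


def open_store(passphrase: str, blob: bytes, iterations: int = ITERATIONS) -> dict:
    """Verify the MAC before decrypting; a wrong passphrase and a tampered file fail the same way."""
    min_len = len(MAGIC) + SALT_LEN + NONCE_LEN + TAG_LEN
    if len(blob) < min_len or blob[: len(MAGIC)] != MAGIC:
        raise ValueError("not a password store")
    salt = blob[len(MAGIC): len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN: len(MAGIC) + SALT_LEN + NONCE_LEN]
    ct = blob[len(MAGIC) + SALT_LEN + NONCE_LEN: -TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered file")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(pt.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries; the file would normally be written to disk.
    store = seal("correct horse battery staple", {"fw-outer": "abc123", "fw-inner": "welcome"})
    print(open_store("correct horse battery staple", store))
```

The salt makes two stores sealed under the same passphrase derive different keys, so a precomputed table for one file says nothing about another; the MAC check runs before any decryption, so a swapped-in or edited HotSync copy is refused rather than silently decrypted to garbage.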