Security Basics mailing list archives

Re: store passwords securely in the internet

From: Matthew Caron <Matt.Caron () sixnet com>
Date: Mon, 13 Sep 2010 11:31:30 -0400

I note that the subject of this email itself is inherently contradictory(or, at least, simply not a good idea)... anyway, rest of my reply isproperly inline...


On 04/08/2010 10:52 AM, krymson () gmail com wrote:

You're still going to have to ultimately trust the server that is
doing the https/ssl termination.


And if you don't control it, don't trust it.

If I personally need to do something like this, I prefer to have
something like a passwordsafe database stored somewhere that I can
retrieve securely,

Like a flash drive on your keychain or in your wallet containing anencrypted password db (say, keepass).

For systems I don't control like an internet cafe or library,

You don't use them, except to read non-login public sites. Browseslashdot all you want from a public terminal, but don't check youremail. That's what MID's are for.

terminal. And even if I needed to, I'd prefer to just remember them
if they're that important that I'd need them.

And if that's the case, then you remember them, type it in at theterminal, and get p0wn3d by the script kiddie who dropped a hardwarekeystroke logger inline on the keyboard cable.


--
Matthew Caron
Build Engineer
Sixnet | www.sixnet.com
O +1 518 877 5173 Ext. 138
F +1 518 602 9209
matt.caron () sixnet com

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

Re: store passwords securely in the internet krymson (Sep 10)
- Re: store passwords securely in the internet Matthew Caron (Sep 13)
- <Possible follow-ups>
- Re: store passwords securely in the internet krymson (Sep 14)
  - RE: store passwords securely in the internet Smallman, Martin (Contractor) (Sep 14)