Firewall Wizards mailing list archives
Re: password mgmt
From: Bennett Todd <bet () mordor net>
Date: Fri, 3 Dec 1999 10:47:58 -0500
1999-12-03-10:08:56 Ogrodnek, Larry:
> > Haven't tried it yet, but I recently picked up GNU Keyring[1] (as advertised on Freshmeat:-), and it looks like it's very specifically designed for this job.
>
> isn't all this a little too much of all the eggs in one basket? What's the use of having a different password for each machine that's so hard to guess that you have to write it down when after all that you are just storing them all encrypted by a single password? There doesn't seem to be too much difference between that and actually using the same password on every machine.
I use different passwords in different security domains. Every web site that wants a password gets a different one; every system administered by a different person, or with a different security policy, gets a different password. They're all very strong passwords, randomly generated strings picked from the 96 printable characters. Ones I use often, I learn and remember. But many I use rarely, particularly because I use ssh with public keys for most of my connecting around, so rarely need to present a password to anything except my own computer. When I do, I can look up the password in the keyring app.
> storing it on a PalmPilot doesn't seem so bad since someone would have to physically take it from you in order to try and get your passwords...
They'd have to get the Palm Pilot, or get access to my backups (which live on a tightly-secured machine, and are backed up via ssh to a secure server, and I keep the tapes locked up:-). Or they'd have to guess the password, which is another strong one. One strong password that I use often I can remember; many strong passwords, each of which I use occasionally, I can't.
> but now that application is going to sync to your desktop machine. Sure, it's encrypted, but I only have to guess one password correctly to gain access to every system you have access to.
You have to lay your hands on my Palm Pilot, or break into my tightly secured desktop machine, or into the tightly secured backup server, or break into the locked cabinet that has the tapes. Then you have to guess a really good password to break the encryption.
-Bennett