Firewall Wizards mailing list archives

Re: password mgmt


From: Bennett Todd <bet () mordor net>
Date: Fri, 3 Dec 1999 10:47:58 -0500

1999-12-03-10:08:56 Ogrodnek, Larry:
> Haven't tried it yet, but I recently picked up GNU Keyring [1] (as
> advertised on Freshmeat:-), and it looks like it's very specifically
> designed for this job.

> isn't all this a little too much of all the eggs in one basket?  What's the
> use of having a different password for each machine that's so hard to guess
> that you have to write it down when after all that you are just storing
> them all encrypted by a single password?  There doesn't seem to be too
> much difference between that and actually using the same password on every
> machine.

I use different passwords in different security domains. Every web site that
wants a password gets a different one; every system administered by a
different person, or with a different security policy, gets a different
password. They're all very strong passwords, randomly generated strings picked
from the 96 printable characters.

Ones I use often, I learn and remember. But many I use rarely, particularly
because I use ssh with public keys for most of my connecting around, so rarely
need to present a password to anything except my own computer. When I do, I
can look up the password in the keyring app.

> storing it on a PalmPilot doesn't seem so bad since someone would have to
> physically take it from you in order to try and get your passwords...

They'd have to get the Palm Pilot, or get access to my backups (which live on
a tightly-secured machine, and are backed up via ssh to a secure server, and I
keep the tapes locked up:-).

Or they'd have to guess the password, which is another strong one. One strong
password that I use often I can remember; many strong passwords, each of which
I use occasionally, I can't.

> but now that application is going to sync to your desktop machine.  Sure,
> it's encrypted, but I only have to guess one password correctly to gain
> access to every system you have access to.

You have to lay your hands on my Palm Pilot, or break into my tightly secured
desktop machine, or into the tightly secured backup server, or break into the
locked cabinet that has the tapes. Then you have to guess a really good
password to break the encryption.

-Bennett
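The per-domain passwords described in the message above (random strings drawn from the printable characters, one per security domain, with a single strong master password guarding the store) can be generated and sized as follows. This is an added example, not code from the post or from GNU Keyring: it uses Python's `secrets` module, a 95-character alphabet (the 94 graphic ASCII characters plus space; the post's count of 96 is its own), and an assumed, purely illustrative offline guess rate.

```python
import math
import secrets
import string

# Alphabet for generated passwords (added example, not the post's tooling):
# the 94 graphic ASCII characters plus the space, i.e. the 95 printable
# characters 0x20..0x7E. The post speaks of 96; this example uses 95.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet`.

    secrets.choice reads the OS CSPRNG and rejection-samples, so every
    character is equally likely; random.choice seeded from the clock is not
    suitable for this.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need at least one character from at least two symbols")
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Seconds to try every candidate of a `bits`-bit space at the given rate."""
    return 2.0 ** bits / guesses_per_second


def minimum_length_for(bits: float, alphabet_size: int) -> int:
    """Smallest length over `alphabet_size` symbols that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    pw = generate_password(16)
    bits = entropy_bits(len(pw), len(ALPHABET))
    # Assumed attacker rate, illustrative only: 1e9 guesses/s offline against a
    # fast hash. A slow KDF in front of the keyring cuts this by orders of magnitude.
    rate = 1e9
    years = seconds_to_exhaust(bits, rate) / 31_557_600
    print(f"password: {pw!r}")
    print(f"entropy: {bits:.1f} bits")
    print(f"exhaustive search at {rate:.0e} guesses/s: {years:.3g} years")
    print(f"length needed for 128 bits over {len(ALPHABET)} symbols: "
          f"{minimum_length_for(128, len(ALPHABET))}")
```

The same arithmetic applies to the master password: whatever entropy the individual entries have, the keyring as a whole is no stronger than the one password (and the key-derivation function) protecting it, which is why that one is the password worth memorizing rather than storing.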
