Firewall Wizards mailing list archives
Re: password mgmt
From: Rick Smith <rick_smith () securecomputing com>
Date: Tue, 30 Nov 1999 16:25:25 -0600
At 02:23 AM 11/29/1999 PST, John Kirby wrote:
> While not specific to firewalls, managing multiple passwords securely is certainly part of maintaining good security. Has anyone used a PalmPilot for keeping track of assorted passwords?
If you feel comfortable putting the information on a yellow stickie near your computer, then it's probably OK to store in your Palm. For example, passwords for personal family Web sites, your New York Times freebie Web ID, things like that, should be no problem, since you're unlikely to suffer any major loss if someone snags a copy of your HotSynced files. It's important to recognize that Palm's "private record" feature only protects things when residing on the Palm itself. Once the data is HotSynced, it sits on your PC in plaintext. And not all Palm desktops demand a password before doing HotSync. So, passwords stored in conventional Palm databases can probably be read if someone steals your Palm or copies the HotSync files from your workstation.

A better alternative is to use an encryption package. I've heard people say good things about a product called "ReadIt" that runs under HackMaster. It has an optional encryption module that uses 128-bit IDEA, and it hashes passphrases to generate keys. While this still isn't the strongest thing in the world (many people's passphrases will probably turn out to be their kids' names), it's worlds better than native Palm security.
> Any other ideas that avoid having critical passwords recorded somewhere?
"Critical passwords should always be hard to remember and never be written down." My wife keeps hers on a slip of paper under her mouse pad. I won't let her do that sort of thing with the housekeys, though.

I keep hearing about "wallets" and "keychains" from various software vendors, but they're all proprietary and incompatible. Didn't someone successfully attack the last incarnation of the Microsoft Wallet? The Right Thing would be to have an open standard for a text password/passphrase storage structure that could be unlocked on your workstation or palmtop or wherever a compatible application would run. The actual database just floats around in encrypted form. Maybe export control will be relaxed enough next month to make such a thing practical.

Rick.
smith () securecomputing com