Firewall Wizards mailing list archives

Re: password mgmt


From: Rick Smith <rick_smith () securecomputing com>
Date: Tue, 30 Nov 1999 16:25:25 -0600

At 02:23 AM 11/29/1999 PST, John Kirby wrote:
> While not specific to firewalls, managing multiple passwords securely is
> certainly part of maintaining good security.
>
> Has anyone used a PalmPilot for keeping track of assorted passwords?

If you feel comfortable putting the information on a yellow stickie near
your computer, then it's probably OK to store in your Palm. For example,
passwords for personal family Web sites, your New York Times freebie Web
ID, things like that, should be no problem, since you're unlikely to suffer
any major loss if someone snags a copy of your HotSynced files.

It's important to recognize that Palm's "private record" feature only
protects things when residing on the Palm itself. Once the data is
HotSynced, it sits on your PC in plaintext. And not all Palm desktops
demand a password before doing HotSync. So, passwords stored in
conventional Palm databases can probably be read if someone steals your
Palm or copies the HotSync files from your workstation.

A better alternative is to use an encryption package. I've heard people say
good things about a product called "ReadIt" that runs under HackMaster. It
has an optional encryption module that uses 128-bit IDEA, and it hashes
passphrases to generate keys. While this still isn't the strongest thing in
the world (many people's passphrases will probably turn out to be their
kids' names) it's worlds better than native Palm security.

> Any other ideas that avoid having critical passwords recorded somewhere?

"Critical passwords should always be hard to remember and never be written
down."

My wife keeps hers on a slip of paper under her mouse pad. I won't let her
do that sort of thing with the housekeys, though.

I keep hearing about "wallets" and "keychains" from various software
vendors, but they're all proprietary and incompatible. Didn't someone
successfully attack the last incarnation of the Microsoft Wallet?

The Right Thing would be to have an open standard for a text
password/passphrase storage structure that could be unlocked on your
workstation or palmtop or wherever a compatible application would run. The
actual database just floats around in encrypted form. Maybe export control
will be relaxed enough next month to make such a thing practical.

Rick.
smith () securecomputing com
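As an added illustration of the two points above (a passphrase-hashed key protecting the store, and a plain-text record that can travel between machines), here is a constructed sketch of such a store. It is not ReadIt, not Palm code and not a real standard; it stands in HMAC-SHA256 in counter mode for IDEA (the Python standard library has no IDEA), and it derives the key with salted, iterated PBKDF2 so that a short passphrase is at least slower to guess than a bare hash would make it.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed example: one record is a single text line of four base64
# fields (salt:nonce:ciphertext:tag) so it can be copied anywhere as text.
ITERATIONS = 200_000  # PBKDF2 work factor; raises the cost of passphrase guessing


def _keys(passphrase: str, salt: bytes) -> tuple:
    """Derive a 32-byte cipher key and a 32-byte MAC key from the passphrase."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, 64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the IDEA cipher the post mentions."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def lock(entries: dict, passphrase: str) -> str:
    """Serialise the password entries and return one encrypted, authenticated text line."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    plain = json.dumps(entries).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    return ":".join(base64.b64encode(x).decode() for x in (salt, nonce, cipher, tag))


def unlock(record: str, passphrase: str) -> dict:
    """Check the tag before decrypting; a wrong passphrase or a tampered record raises."""
    salt, nonce, cipher, tag = (base64.b64decode(x) for x in record.split(":"))
    enc_key, mac_key = _keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad passphrase or corrupted record")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain.decode())


if __name__ == "__main__":
    record = lock({"nyt-freebie": "example-password"}, "correct horse battery")
    print(record)
    print(unlock(record, "correct horse battery"))
```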