Richard Pieri wrote:
> Try this little thought experiment. Take all of the passwords that you
> use on a daily basis. Put them into KeePass or whatever...
> Now, for one entire day, every time you need a password you MUST use
> the [safe] to retrieve it.

But that would be silly. Security is relative to the threat scenario and the value of what is being protected.

I use Keepass to generate and store my password for Ubuntuforums, so it is strong, unique, and I know where to find it, but I don't retrieve my password from there for every login. For an inconsequential site like that, I'm perfectly fine with having Firefox remember the password, and retain an authentication token in a cookie.

I have no concern that someone will walk up to my unlocked computer and do something malicious with my Ubuntuforums login, nor that a hacker will dream up a cross-site-scripting attack to obtain it.

(It seems most hack attempts we hear about lately have been against fairly inconsequential sites, where the hackers must be primarily after validated email addresses, and hoping users have reused passwords on multiple sites.)

> No cheating: no "remembering" your passwords.

Other than my password safe pass phrase, desktop login, and a few inconsequential LAN-local services, I don't know any of my passwords.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/