[Discuss] deadmanish login?
- Subject: [Discuss] deadmanish login?
- From: kentborg at borg.org (Kent Borg)
- Date: Sat, 4 Feb 2017 12:25:36 -0500
- In-reply-to: <BD3AEAF8-C3A9-425E-A1DF-313491C25856@horne.net>
- References: <iydoKFG1q6EvZNl6T2sztfNEyMK3eE7jp_2ZXrcPTgVFK1IPE5deLwZcViB_xDQMcb16enHDIBp9gek18AIxu5VrLtdgSHK6qEOO91dh2nA=@protonmail.com> <20170131014651.GA21915@newtao.randomstring.org> <1cca093a-2f5b-c105-0288-5f435c11104e@borg.org> <e94de5ff-7644-d501-ccb4-fd4a6b32ff7a@napc.com> <565bdd82-c70e-3e64-6786-63f9b8de12da@borg.org> <e480dec0-22f0-99be-dbc0-fa3f75ddd1fe@gmail.com> <a47bda52-ca1f-15ab-2f57-3ab5d1519a48@borg.org> <ecfa4f25-9416-ddcc-d92f-7979136fdf96@borg.org> <837eb7de-a956-c4bb-63f4-e1bcfa0e3861@gmail.com> <tbN2QQ83ucZDZ2xH0ViweZ0fyzyKl9Z2Nlt8YVDNJsOM7bzx7PO-4rYhaE1-Fv36WdtcadddIwUeoDmROxv1eb-DxHx2I2dDk_eMsTfGBzQ=@protonmail.com> <BD3AEAF8-C3A9-425E-A1DF-313491C25856@horne.net>
On 02/04/2017 09:31 AM, Bill Horne wrote:
> Readers please state your preferences for Keepass, Password Safe, or other programs/methods for storing passwords.

You knew I would have something to say...

I would recommend security over convenience. For example, I recently saw that someone is forking Keepass because they want to add more convenience features, I think it was auto-fill of passwords in web pages. I think this is a bad idea. Recently there was news of web pages tricking browser auto-fill features into submitting credit card numbers in hidden fields. Moral? Avoid inherently dangerous auto-features. The less automation the better, the less delegating of responsibility the better. I don't trust computers.

For software? Commercial products and software are scary, even when they are fully buzz-word compliant. Because who knows what you are buying? And the sellers are selling whatever it takes to get you to part with money, not necessarily the best security design and implementation. Open source isn't guaranteed to be perfect, but at least there is more hope. Also, if there is a program that has compatible versions and ports, that's a good sign...it means more eyes have looked at it.

For software, worry about the environment in which it will run. Is there Microsoft and Adobe software, games, Skype, this-really-cool-program-you-found, also running on the same machine, as the same user, as the password software? Scary. Run any password software in as bare and conservative an environment as you can.

Want to run a compatible password program on your phone? Oh, scary! Phones are a wild, wild frontier of new software and new attacks. Maybe buy the smallest dirt-cheap Android phone you can find specifically for running password software--and nothing else. Don't let it on the internet at all, don't put a SIM card in it, and you are pretty safe.

The passphrase you use to protect your master collection of all the passwords in your life...should be pretty damn good. And that isn't very practical. So keep even your encrypted copies very tightly controlled, run extra layers of encryption: Run an encrypted file system on your computer. Encrypt the data on the dedicated-use Android you get. And still worry over it.

And do backups. But how are you protecting the backups? Are they encrypted? How? Why should you trust it? All very scary.

To the extent you use computers and delegate responsibility to those computers, you are at risk from software attacks. And unless you can completely air-gap them (hard to do, ask the Iranians) you are at risk of being attacked by anyone, anywhere in the world.

Maybe go manual...

Most people should write down their passwords on paper, by hand. Obfuscate them so they aren't obviously useful to someone who might find them. Maintain another handwritten backup. Do everything manually (NO modern technology, no photocopies even, unless you have an ancient analog copier) and you are pretty much bullet-proof secure from a software breach of your system. And keep your lists separate and secure, they are important.

-kb
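The "hidden fields" trick Kent mentions works because a browser's autofill fills every field on a form it recognises, not just the one the user clicked into: the page shows a harmless visible field (an e-mail box, say) and hides further inputs with CSS, off-screen or at zero opacity, and the browser populates those too. The following is an added example, not code from the post or from any of the password managers discussed. It builds a constructed page fragment of that shape and runs a small static audit over it that flags inputs a browser could autofill but the user cannot see. The autocomplete token list follows the HTML autofill field names; the name/id regex and the CSS-hiding heuristics are this example's own assumptions, and a real audit would walk the live DOM with computed styles rather than regex-parse markup.

```javascript
// Added example: static audit for autofill-able inputs hidden from the user.
// SAMPLE_HTML is constructed for this example (a "newsletter" form with two
// hidden credit-card inputs that a browser's autofill would also populate).
const SAMPLE_HTML = `
<form action="/newsletter" method="post">
  <label>Email <input type="text" name="email" autocomplete="email"></label>
  <input type="text" name="cc-number" autocomplete="cc-number"
         style="position:absolute; left:-9999px; opacity:0">
  <input type="text" name="card_exp" autocomplete="cc-exp" style="display:none">
  <input type="hidden" name="csrf" value="abc123">
  <button type="submit">Subscribe</button>
</form>`;

// HTML autofill field names worth stealing (subset of the spec's token list).
const SENSITIVE_TOKENS = new Set([
  "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc", "cc-name",
  "email", "tel", "street-address", "postal-code", "username",
  "current-password", "new-password",
]);
// Assumed fallback: autofill engines also guess from name/id when no
// autocomplete attribute is present, so treat these substrings as sensitive.
const SENSITIVE_NAME_RE = /(card|cc|cvv|cvc|csc|exp|email|phone|tel|address|zip|postal)/i;

// Regex parser for <input ...> tags -> attribute maps. Adequate for a static
// audit of a fragment; not a substitute for a real DOM walk.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4] ?? "").trim();
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Why the field would be invisible to the user, or null if it looks visible.
// Heuristics over inline style only (assumption: no external stylesheet).
function hiddenReason(attrs) {
  if ("hidden" in attrs) return "hidden attribute";
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  if (/display:none/.test(style)) return "display:none";
  if (/visibility:hidden/.test(style)) return "visibility:hidden";
  if (/(left|top):-\d{3,}px/.test(style)) return "positioned off-screen";
  if (/opacity:0(?:;|$)/.test(style)) return "opacity:0";
  if (/(width|height):0(?:px)?(?:;|$)/.test(style)) return "zero size";
  return null;
}

// A field is sensitive if its autocomplete token (last token wins) is in the
// list, or if its name/id looks like payment or contact data.
function isSensitive(attrs) {
  const token = (attrs.autocomplete || "").toLowerCase().split(/\s+/).pop();
  if (SENSITIVE_TOKENS.has(token)) return true;
  return SENSITIVE_NAME_RE.test(attrs.name || "") || SENSITIVE_NAME_RE.test(attrs.id || "");
}

// Returns the inputs that are both autofill-sensitive and hidden from view.
function findHiddenAutofillTargets(html) {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    // Browsers do not autofill type="hidden"; the trick needs a real input
    // that is merely invisible, so skip genuine hidden inputs.
    if ((attrs.type || "text").toLowerCase() === "hidden") continue;
    const reason = hiddenReason(attrs);
    if (reason && isSensitive(attrs)) {
      findings.push({
        name: attrs.name || attrs.id || "(unnamed)",
        autocomplete: attrs.autocomplete || "",
        reason,
      });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findHiddenAutofillTargets(SAMPLE_HTML)) {
    console.log(`suspicious input "${f.name}" (autocomplete=${f.autocomplete}): ${f.reason}`);
  }
}

module.exports = { parseInputs, hiddenReason, isSensitive, findHiddenAutofillTargets, SAMPLE_HTML };
```

Run against the constructed fragment, the audit reports the off-screen `cc-number` input and the `display:none` expiry field while leaving the visible e-mail box and the genuine `type="hidden"` CSRF token alone. The practical takeaway matches the post's "avoid inherently dangerous auto-features": on the client side, disable payment and address autofill in the browser rather than trusting every page to place its inputs honestly.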