[Discuss] KeePassX
Kent Borg
kentborg at borg.org
Wed Jul 24 15:43:00 EDT 2013
On 07/24/2013 01:40 PM, Rich Braun wrote:
> most people have just plain given up trying to follow best-practices
The whole term "best practices" annoys me. It is so much like a school
yard taunt: "MY practices are better than yours!" "No they are not! Mine
are Best Practices."
(Who the hell signs the certificate that makes one set of practices best
and how do I file an appeal? Is all innovation to stop once someone
utters "best practices"?)
Computer security is a good example of how silly the idea is. Details
are changing by the day and hour, and the general landscape changes from
year to year so as to be unrecognizable after a while.
Everyone has known (for decades!) to "never write down your password".
Except those who disagree. Ignorant people you should ignore (not),
such as Bruce Schneier.
The world has changed. Where I once had one password (yes, I am that
old) and it didn't matter much, I now have scores of passwords and my
entire life dangles from them. The stakes and the particulars have changed.
I use an electronic approach, but I do not recommend it to others who
ask. I say use paper: Because of the endpoint security problem. Unless
one is going to extraordinary lengths (such as a dedicated "phone" that
is never used as a phone nor anything else nor ever connected to the
internet; and a computer that is shared with no one running nothing
Microsoft and not even anything commercial and mostly no Javascript and
no Java and never logged into except at its own keyboard...) it is
better to use paper. Really. Paper.
Want another violation of Best Practices? Here it is: If you do go
electronic, throw some security-through-obscurity in the mix. Everyone
knows security-through-obscurity is worse than nothing at all. But I
disagree. Try to use good security, but don't be part of a uniform
monoculture, find ways of making your circumstance different from standard.
What you should fear most is not the dedicated and clever attack that
figures out how to target you. (I am assuming you are unimportant,
sorry.) You should be worried about the automated attack that can be
cheaply deployed against millions of targets to see what comes up.
Being on Linux or BSD protects you enormously because there are easier
and more plentiful alternatives for the bad guys to hit (security
through obscurity!). Putting your secrets on an Android device does not
offer such benefits.
Unless you enjoy the geeky intellectual problem of how to not let your
electronic secrets leak out, and are willing to spend some time on it,
if you want your passwords to fit in your pocket, you should probably
use paper.
-kb