Story: How do I remember all these passwords? (Total Replies: 35)
tuxchick

Jan 23, 2008
12:55 PM EDT
I've tested a number of password-keepers, and I always come back to the same one: paper. Keeping passwords on a computer when you need those passwords to use the computers seems a bit risky: hard drives fail, filesystems go berserk, anything can happen, and then what do you do? What if you forget the password to your password keeper? What if an intruder (co-worker, nosy sibling, etc.) acquires the password to your password keeper? It's entirely too fragile for my liking.

I have over sixty logins that I track now; online services like banking and shopping, various remote computers, local system passwords, and such. I have a master login file that gets locked away. It is in a folder that does not say "Logins for Carla's Stuff!! Don't look!!", but has an innocuous label. There is a place in one's security architecture for bits of useful obscurity. Then I have another copy that travels with me. Just a single sheet of paper all folded and tucked away, in my personal shorthand that I doubt anyone else could decipher.

What I really really want are card-scanners built into keyboards, and user-controlled smart cards. Then we could keep all of our stuff in a nice reliable portable medium. Of course there is not one single proprietary vendor interested in this; what they want is to control our stuff, not give us tools to control our stuff ourselves. I keep thinking I should put some energy into sponsoring a FOSS project to develop this.
Scott_Ruecker

Jan 23, 2008
1:05 PM EDT
I do a similar thing Carla, but you give me a couple of good ideas to make it better..obscure file names..I like it..
Sander_Marechal

Jan 23, 2008
2:17 PM EDT
Quoting: What I really really want are card-scanners built into keyboards, and user-controlled smart cards. Then we could keep all of our stuff in a nice reliable portable medium.

We have that. It's called a USB stick :-) I keep a GPG encrypted file under an innocent name on my USB stick. I have a backup copy on paper safely tucked away at home (in case my USB stick is fried), along with a paper copy of my GPG key (which I can OCR in case of disaster). The only passphrase I really need to remember is my GPG passphrase.
tuxchick

Jan 23, 2008
4:42 PM EDT
USB sticks are pretty cool and useful, all right. Still, I like the idea of having a smart card that can go in my wallet. Nice and easy, and I envision having this nice stout smart card that won't fail, just like my credit cards that have been shamefully abused still work fine. When I scan it on my keyboard scanner it pops up a form that asks for my login. Maybe I won't password-protect it at all; I don't password-protect my paper records or paper money either.

Then it opens a list of my logins, I click a checkbox, and it automatically fills in the information for me. This won't require a standardized format; this was tried before, and it failed because vendors can never agree, and were trying to trap us in their own stupid centralized systems, and spammers were all over them anyway. Instead the user will customize each login, so a standard form won't be required.
Scott_Ruecker

Jan 23, 2008
4:47 PM EDT
You guys are so smart..I'm just going to listen..

:-)
Sander_Marechal

Jan 23, 2008
10:14 PM EDT
Quoting: Still, I like the idea of having a smart card that can go in my wallet.

Not me. There are so many cards in my wallet already that it hardly fits in my back pocket anymore. Not to mention when I have coins in there too. I have a small USB stick on my keyring so I always carry it with me.

What I would like is some way to use that USB key as my login, and to store my desktop keyring database on there. The login could work a bit like SSH private key logins. I start the computer and insert my USB stick. A popup comes up with all the private keys on the USB key. I click the one I want and enter my password. Then the system logs me in. After that it sets up gnome-keyring-manager or the KDE keyring manager to use the database on my USB stick.

Which reminds me. I'd wish the Gnome and KDE guys got together and created a single standard for the keyring database so I could use the same keyring on both platforms. It would be even better if they created a common API for the keyring-manager as well. That way the KDE applications on my Gnome desktop could use the gnome-keyring-manager. Or the Gnome applications on your KDE desktop could use the KDE keyring manager. Perhaps this is something for freedesktop.org to look into.
Scott_Ruecker

Jan 23, 2008
10:29 PM EDT
And to think, here I am just keeping them all in my head...what a waste...

;-)
Bob_Robertson

Jan 24, 2008
8:18 AM EDT
> I'd wish the Gnome and KDE guys got together and created a single standard for the keyring database so I could use the same keyring on both platforms.

It's not like Kwalletmanager _couldn't_ have its default _and_ be able to decrypt the GNOME wallets, and vice versa. That doesn't even take sharing, just admitting that the user might use the other guy's stuff too.

Abe

Jan 24, 2008
8:41 AM EDT
Piece of paper & thumb drives can be stolen. Have you guys forgotten about the fingerprint readers, voice recognition and eye scanners?

Ultimate security.

Bob_Robertson

Jan 24, 2008
9:25 AM EDT
> Ultimate security.

Except for stolen fingers, stolen eyes, and voice recorders.

There is no "ultimate" security, only levels of inconvenience that are worth the effort.
tuxchick

Jan 24, 2008
9:40 AM EDT
Sander, what about a single user-programmable smart card that contains all of your credit cards, rewards cards, and whatever else is loading up your wallet? Obviously a person would want to protect this VERY carefully. But what a convenience!

Bob, way back when during an unhappy summer long ago, I worked as permatempdroid at Microsoft. There was a team next door working on biometric IDs, and they were all excited and sure it was the cure for everything. Until the gloomy guy (every team has one gloomy guy, doesn't it?) said "oh great, now instead of stealing your wallet, they'll rip out your eyeballs." They were considerably subdued after that.
Abe

Jan 24, 2008
9:43 AM EDT
Quoting: There is no "ultimate" security, only levels of inconvenience that are worth the effort.

It will remain ultimate until you find a better way. Do you have one?

NoDough

Jan 24, 2008
10:11 AM EDT
Security (or, to be more precise, authentication) systems are composed of one or more of three categories:

Something you know (i.e. a password)
Something you have (i.e. a smart card)
Something you are (i.e. a fingerprint)

Many people refer to the "something you are", or biometric security as the ultimate because the other two categories can be stolen. Someone can come to know your password through social engineering or technological thievery. Someone can come to have your smart card (or key, or USB device, or magnetic stripe card, etc.) through robbery. But they cannot become something you are.

The problem with this theory is it ignores the possibility of technological thievery. That is, the encrypted value can be stolen and a fingerprint, retinal image, palm print, etc. can be reverse engineered to generate the same value. It also ignores the possibility of capturing and duplicating the print or image.

Some organizations use multiple techniques. For example, you are identified with biometrics, and are then required to provide a password and/or a smart card.

However, to date there is no form of authentication which cannot be beaten. The real question is, "How secure is secure enough?"
Bob_Robertson

Jan 24, 2008
10:12 AM EDT
> "oh great, now instead of stealing your wallet, they'll rip out your eyeballs."

Because no one read _Thunderball_?

...or saw the movie?

How about the Schwa-chan movie _The 6th Day_, where Our Hero takes the female hit-man's thumb?

Examples abound.

What they did when I worked at NASA was use little key-fobs with 8 digit constantly changing numbers. The server and the fobs were matched, and I would put in the 8-digit number and my 4 digit PIN as my login password.

If I added 1 to my 4 digit PIN, so if it was 1234 I put in 1235, it would pretend to have gone "out of sync", "Please enter the next number on your fob:" and if I put in the altered PIN again it would log in, but it would send a code that "Bob Is Logged In Under Coercion" to the security team.

Cool, ne? So if tortured, I just give them the "wrong" PIN. Bwaahahahaha!
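The duress-PIN flow Bob describes, as an added Python simulation (not NASA's system or any real product). It assumes an HOTP-style counter token (RFC 4226, 8 digits), the PIN+1 convention from the post, and a look-ahead window of 5 codes; the fob seed and PIN are constructed sample values. The point for a defender is the last branch: the coerced login looks identical to a normal one from the keyboard, and the only difference is the alert recorded server-side.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits (8 here, like the fob in the post)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class DuressAwareTokenServer:
    """Verifies fob code + PIN. The normal PIN grants access quietly; the
    duress PIN (normal PIN + 1, wrapping at 9999) first feigns an 'out of sync'
    resync prompt, and on the second matching code grants access while
    recording a coercion alert for the security team."""

    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret = secret
        self.pin = pin
        self.duress_pin = f"{(int(pin) + 1) % 10000:04d}"
        self.counter = 0          # next expected HOTP counter for this fob
        self.window = window      # how far ahead we search for a valid code
        self.pending_duress = False
        self.alerts: list[str] = []

    def _match_code(self, code: str):
        # Accept a code within the look-ahead window (the fob may have been pressed idly).
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                return c
        return None

    def login(self, code: str, pin: str) -> dict:
        """Returns what the user sees ('prompt') and whether access was granted.
        Duress handling is deliberately invisible to the person typing."""
        matched = self._match_code(code)
        if matched is None:
            self.pending_duress = False
            return {"granted": False, "prompt": "Login incorrect."}
        self.counter = matched + 1   # never accept the same code twice

        if hmac.compare_digest(pin, self.pin):
            self.pending_duress = False
            return {"granted": True, "prompt": "Welcome."}

        if hmac.compare_digest(pin, self.duress_pin):
            if not self.pending_duress:
                self.pending_duress = True   # stage one: pretend to be out of sync
                return {"granted": False,
                        "prompt": "Token out of sync. Please enter the next number on your fob:"}
            self.pending_duress = False      # stage two: let them in, raise the alarm
            self.alerts.append(f"user logged in under coercion (counter {matched})")
            return {"granted": True, "prompt": "Welcome."}

        self.pending_duress = False
        return {"granted": False, "prompt": "Login incorrect."}


if __name__ == "__main__":
    secret = b"constructed-demo-seed"        # constructed sample fob seed
    server = DuressAwareTokenServer(secret, "1234")
    print(server.login(hotp(secret, 0), "1235"))   # feigned resync prompt
    print(server.login(hotp(secret, 1), "1235"))   # granted, alert recorded
    print(server.alerts)
```

Both PIN comparisons use `hmac.compare_digest` so that timing does not distinguish the duress PIN from the real one, and the counter is advanced on every matched code so a shoulder-surfed code cannot be replayed.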
Abe

Jan 24, 2008
10:36 AM EDT
Quoting: The real question is, "How secure is secure enough?"

Add to that "what does it take to make authentication practical?"

DarrenR114

Jan 24, 2008
12:50 PM EDT
I don't use passwords ... too much hassle ... I also leave my doors unlocked on my car and house ...

If we were meant to have passwords, then Bill Gates would have programmed Windows to have them by default.
Sander_Marechal

Jan 24, 2008
1:29 PM EDT
Quoting: It's not like Kwalletmanager _couldn't_ have its default _and_ be able to decrypt the GNOME wallets, and vice versa. That doesn't even take sharing, just admitting that the user might use the other guy's stuff too.

Add to that XFCE, E17, the other desktop environments and oh, let's throw in a console password manager as well. Sharing does work, but it becomes impractical when the number of implementations increases. I'd far prefer a single, shared database and API.

Quoting: Sander, what about a single user-programmable smart card that contains all of your credit cards, rewards cards, and whatever else is loading up your wallet? Obviously a person would want to protect this VERY carefully. But what a convenience!

I wouldn't feel safe carrying that around :-) The problem with my wallet is that more and more things switch to the credit-card-shaped piece of plastic. Passport, driver's license, travel insurance. Everybody switches to these plastic cards because they are supposedly "convenient to carry around". Well, up to four maybe. Currently I carry 10 of them and I need them all on a regular basis.

Back on the topic of computer security...

Quoting: If I added 1 to my 4 digit PIN, so if it was 1234 I put in 1235, it would pretend to have gone "out of sync", "Please enter the next number on your fob:" and if I put in the altered PIN again it would log in, but it would send a code that "Bob Is Logged In Under Coercion" to the security team.

I love that idea!
jezuch

Jan 24, 2008
2:51 PM EDT
Quoting: "oh great, now instead of stealing your wallet, they'll rip out your eyeballs."

"Limes Inferior", Janusz Zajdel, 1982. This guy was brilliant.
Scott_Ruecker

Jan 24, 2008
2:53 PM EDT
So Seriously, Am I the only person here that just keeps them all in their head?

Sander_Marechal

Jan 24, 2008
2:58 PM EDT
Scott: I tried that. It worked well until I hit 40 logins or so. I have well over 100 now. No way I can memorize all that if I use different passwords everywhere.
tuxchick

Jan 24, 2008
3:11 PM EDT
Quoting: Am I the only person here that just keeps them all in their head?

Scott, this is the part where you hitch your britches, adjust your hat, and say "no brag, just a fact." Unless the number of logins you're remembering can be counted on one hand!
Scott_Ruecker

Jan 24, 2008
3:16 PM EDT
A hundred logins!?!?!

You got me there, my head would explode.

One Hand? I wish!

About twenty or so.
Bob_Robertson

Jan 24, 2008
3:30 PM EDT
I did read a missive from a security "expert" to the effect that brute-force and dictionary attacks are far more of a threat than breaking-and-entering, so it is a better trade-off to use good passwords _and_ write them down than to use something easy to remember, weak, or repeatedly.

Seems pretty obvious when put in those terms.

Or put them in a PGP/GPG encrypted flat-file.

Having a common-format cross-platform encrypted back-end to the wallet manager of your choice is pretty good too.
Sander_Marechal

Jan 24, 2008
10:18 PM EDT
If you keep a paper backup of your passwords and SSH/GPG keys, get a small fireproof safe.
jacog

Jan 25, 2008
1:03 AM EDT
My cell phone has a handy "Code Memo" feature that you can use to keep passwords and kewl secret agent stuff in... unlocks with a 4 digit code.
NoDough

Jan 25, 2008
4:42 AM EDT
> So Seriously, Am I the only person here that just keeps them all in their head?

You mean your eyeballs; right?
NoDough

Jan 25, 2008
4:47 AM EDT
Defeating brute force is easy with a little imagination. Just use a passphrase instead of a password. If your password is "walnuts" it can be easily broken with a dictionary or brute force attack. If it's "I like walnuts." then neither dictionary nor brute force will be effective.
Abe

Jan 25, 2008
5:57 AM EDT
Quoting: Defeating brute force is easy with a little imagination.

Add to that a simple and easy system, like adding one special character (* $ etc.) in specific locations, and possibly changing it periodically. This way you can even write your passwords somewhere safe without the special character, which you insert when you use the passwords.

The objective is to make it as secure as you want it but keeping it practical.

gus3

Jan 25, 2008
8:14 AM EDT
1337-5p34k!

N0 d1ct10n4ry h45 411 th353 w0rd5!
techiem2

Jan 25, 2008
8:28 AM EDT
Sadly, I translated that quite quickly....
azerthoth

Jan 25, 2008
9:02 AM EDT
techiem2, I hadn't noticed that I had translated it until I saw your post. That's sad, I really need to break my IRC addiction.
jdixon

Jan 27, 2008
7:20 PM EDT
> So Seriously, Am I the only person here that just keeps them all in their head?

Scott, that only works for people who wouldn't leave their head behind if it wasn't attached. Which doesn't include me.
Scott_Ruecker

Jan 27, 2008
7:34 PM EDT
Quoting: Scott, that only works for people who wouldn't leave their head behind if it wasn't attached. Which doesn't include me.

I must be lucky then, I end up forgetting my head in all kinds of weird places but I can still remember stuff, like Godzilla movie titles, the names of authors of books I haven't read yet..

oh, and my passwords too!
gus3

Jan 27, 2008
8:55 PM EDT
Quoting: I can still remember stuff, like Godzilla movie titles

You mean, titles like "Godzilla"?
Scott_Ruecker

Jan 27, 2008
9:46 PM EDT
Hey! You know that one too?

How about Godzilla vs. Mechagodzilla?
Bob_Robertson

Jan 28, 2008
3:48 AM EDT
Or how about that gnarly Jason and the Argonauts, when Gidara shows up near the end? Wow. Didn't know the Japanese and Greeks were so close that long ago.