On Thursday 15 February 2007 3:18 pm, Tim Fournet wrote:
> Sure, someone could conceivably hook up the device to a reader,
> perform a hex dump of the contents of the memory, and
> the passwords are probably visibly in there;
Everything falls apart at the weakest link, doesn't it? If you can't trust the desktop, what have you got? I assume the bad guys have tools to read devices. If the user ever syncs the device through a USB hookup, everything in the device is visible if they do things like Palm and Handspring. I've used tools to look at and change just about everything on my Handspring. Projects like Kandy seek to read all kinds of cell phones for easy sync. The bad guys will have more sophisticated tools, but I'm not sure this is the main threat.

With keyloggers on a large percentage of the wrong kind of desktop, is any user-supplied password safe? If it's the same password everywhere, it will be jumped on everywhere as soon as the desktop is compromised. What good is a fingerprint reader or a "smart card" when some guy in St. Petersburg is root? Wouldn't it be easier and more reliable for the cracker to match the correct fingerprint remotely than it will be for the user to actually scan their finger?

LSU has forced complex email passwords on users that have nothing to do with the others. It is good that they finally separated the two, because they don't encrypt POP or IMAP authentication! Because it's impossible to memorize and I consider it known anyway, I store it in a user-read-only text file. I imagine LSU has not moved towards better email password protection because lots of their users are on ancient versions of commercial email clients that will break.
