On Tue, Apr 28, 2009 at 5:15 PM, James Winzenz <james.winz...@pulte.com> wrote:

> ... the database is triple encrypted for added security ...
Triple encrypted! Wow, that's three times as good as regular encryption! /SARCASM :-)

I'm looking at their website, and their security explanation seems bogus. They invite an independent audit, but don't publish any real details about the security kernel, so there's nothing to audit. The diagram doesn't explain what those arrows mean, and without such the diagram is nonsensical. It smells like security snake oil to me. Note that this doesn't mean they're trying to swindle anyone, just that their public claims regarding their security design are suspect. For all I know they hired Bruce Schneier to write their security kernel, but if so they're surprisingly tight-lipped about it.

http://en.wikipedia.org/wiki/Snake_oil_(cryptography)

FWIW: For personal use, I keep passwords protecting low-value resources in text files or in my browser's password-saving mechanism. Moderately sensitive passwords get recorded in text files stored on a USB flash drive and normally kept unmounted. I've never felt a need to, but if I had something really sensitive, I'd encrypt it using GnuPG (PGP). Of course, the private key is kept on that same removable media. I've got a strong passphrase, but XKCD "Security" applies (http://xkcd.com/538/).

At work, the more sensitive corporate passwords (e.g., domain admin) are recorded on paper log sheets, which are kept in a locked file cabinet in a locked office. They are never kept in an electronic file. (Obviously, the hashes are stored in the authentication database, but that's not the same thing.)

For systems under government security jurisdiction, keeping passwords anywhere but in your head is generally prohibited. Should it be allowed, any password record must be protected to a level commensurate with the information the password protects. So if you write down a password on a Post-It Note, and that password protects TOP SECRET information, then the Post-It Note should thus be protected as TOP SECRET.
-- Ben
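The GnuPG approach the post mentions for a really sensitive password list, as an added example that is not part of the original message: the file is symmetrically encrypted with a passphrase (no private key involved, which sidesteps the "private key on the same media" problem the post notes) and decrypted only to stdout, so no plaintext copy is written back to disk. It assumes GnuPG 2.x is on the PATH; the file names and passphrases are placeholders.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): keep a password
# list as a GnuPG symmetrically encrypted file. Assumes gpg (GnuPG 2.x).
set -eu

# encrypt_notes <plaintext-file> <passphrase>
# Writes <plaintext-file>.gpg next to the input. The passphrase is passed on
# file descriptor 3 so it never appears in the process list (as it would with
# --passphrase on the command line).
encrypt_notes() {
    in="$1"
    pass="$2"
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --symmetric --cipher-algo AES256 --output "$in.gpg" "$in" 3<<EOF
$pass
EOF
}

# decrypt_notes <encrypted-file> <passphrase>
# Prints the plaintext to stdout and nothing else; pipe it into a pager or
# grep for the entry you need rather than redirecting it to a file.
decrypt_notes() {
    enc="$1"
    pass="$2"
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt "$enc" 3<<EOF
$pass
EOF
}
```

Typical use on the removable drive the post describes: `encrypt_notes /media/usb/passwords.txt 'long passphrase'`, delete the plaintext, and later `decrypt_notes /media/usb/passwords.txt.gpg 'long passphrase' | grep router`. A wrong passphrase makes `gpg` exit non-zero, which is the check the test below relies on.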