Re: Password security

2002-12-05 Thread Jim Choate

On Tue, 3 Dec 2002, Martin Crandall wrote:

> I've been thinking about and investigating the issue of password
> management.  Passwords are the weak link in any computer security
> system.
> ...
> What are your thoughts?  Am I off-base here?  Are there better
> solutions I've missed?

See factotum and secstore...


--

We don't see things as they are, we see them as we are.
  Anais Nin

[EMAIL PROTECTED]   www.ssz.com
[EMAIL PROTECTED]   www.open-forge.org






Re: Password security

2002-12-04 Thread Nomen Nescio
Martin Crandall wrote:

> I've been thinking about and investigating the issue of password
> management.  Passwords are the weak link in any computer security
> system.  The problem is that following the standard recommendations --
> choose long, random passwords, and never recycle them for use with
> multiple accounts -- quickly overloads the memory capacity of all but
> the most dedicated.  Here are some solutions that I've been

I wonder what universe you live in, Martin?  What systems allow you to
enter a pass PHRASE?  I have accounts on dozens of web sites and online
services, and all of them take only a pass WORD.  You can't use diceware
or some other system that's going to generate a 10 word sentence that
you can write down or memorize.  The systems won't accept such a long
password.

I suggest you climb out of the ivory tower and visit the real world for
a few days.  I think you'll find that there are a lot worse problems in
security than choosing and memorizing super-high-entropy pass phrases.
Security is essentially nonexistent today.




Password security

2002-12-04 Thread Martin Crandall
I've been thinking about and investigating the issue of password
management.  Passwords are the weak link in any computer security
system.  The problem is that following the standard recommendations --
choose long, random passwords, and never recycle them for use with
multiple accounts -- quickly overloads the memory capacity of all but
the most dedicated.  Here are some solutions that I've been
investigating, intended to be practical for unsophisticated computer
users.  I'd like your comments.

1. Use Diceware (www.diceware.com) to generate passphrases.  The way it
works is that you use physical randomness (rolling dice) to generate
groups of five numbers in the range 1-6.  For each group of five numbers
you then look up the corresponding word in a list of 7000+ of the
shortest English words.  Your passphrase is the sequence of words thus
generated, separated by spaces.  I have found that the passphrases
generated using this method are much easier to memorize than random
alphanumeric strings of equal entropy.  You get a shorter sequence of
symbols by choosing from a larger -- and semantically rich -- alphabet
(the list of 7000+ words).

2. Use something like Bruce Schneier's Password Safe (now an open source
project at http://passwordsafe.sourceforge.net) to keep track of your
passwords, so that you only absolutely, positively have to remember
one.

3. The problem now is that Password Safe only runs on the notoriously
insecure Windows operating systems.  Even if it were to be ported to
something more secure (Linux, *BSD), there are still plenty of security
bugs found every day even on these systems, and it's not inconceivable
that someone hacking into your system could catch your master password
as you type it into Password Safe.  I'm very uncomfortable with the idea
of leaving my password database on any network-connected machine.  This
leaves two possibilities:

  3a. Keep your password database as a handwritten list on physical
paper.  This is secure from network attacks, but physical security is
minimal.

  3b. Use a Palm OS-based PDA with PDA Defense (www.pdadefense.com)
installed to store your password database.  I'm not sure yet if you
can use that to encrypt important databases, or if it's aimed more at
securing the entire device.  If the latter, use a Palm OS port of
Password Safe (doesn't yet exist :-( ), or use one of the encrypted
PDA password managers at Tucows.com.  Back up the encrypted password
database onto a removable expansion card, NOT on your PC.

What are your thoughts?  Am I off-base here?  Are there better
solutions I've missed?

-- Martin Crandall
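The Diceware procedure from point 1 (five dice rolls index one word in a 6^5 = 7776-word list), together with the entropy comparison behind the "larger alphabet, shorter sequence" argument, as an added example; this is not Martin's code nor the Diceware project's, and the word-list lines below are a constructed stand-in for the real list, in its "ddddd word" file format.

```python
import math
import secrets

DICE_PER_WORD = 5                  # five rolls of a six-sided die pick one word
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 entries in a complete Diceware list

# Constructed sample in the Diceware file format ("<five dice digits> <word>").
# NOT the real list: a full list carries every key from 11111 to 66666.
SAMPLE_LIST_TEXT = """\
11111 a
11112 a&p
23456 gauge
34512 karma
45621 pint
56234 slate
66666 @
"""

def parse_wordlist(text):
    """Parse 'ddddd word' lines into a dict keyed by the five-digit dice key."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # blank or malformed line
        key, word = parts
        if len(key) != DICE_PER_WORD or not set(key) <= set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word
    return words

def dice_key(rolls):
    """Five die results (each 1..6) -> lookup key, e.g. (2,3,4,5,6) -> '23456'."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls in the range 1-6")
    return "".join(str(r) for r in rolls)

def csprng_roll():
    """Stand-in for a physical die: one unbiased roll from the OS CSPRNG."""
    return secrets.randbelow(6) + 1

def passphrase(words, n_words, roll=csprng_roll):
    """Generate n_words Diceware words separated by spaces, as the post describes."""
    chosen = []
    for _ in range(n_words):
        key = dice_key(tuple(roll() for _ in range(DICE_PER_WORD)))
        chosen.append(words[key])         # KeyError if the list is incomplete
    return " ".join(chosen)

def symbols_for(target_bits, alphabet_size):
    """Fewest uniformly drawn symbols from alphabet_size reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def compare(target_bits=64):
    """Diceware words vs. random [A-Za-z0-9] characters for equal entropy."""
    return {"diceware_words": symbols_for(target_bits, LIST_SIZE),
            "alphanumeric_chars": symbols_for(target_bits, 62)}
```

Each word contributes log2(7776), about 12.9 bits, against roughly 5.95 bits per random alphanumeric character, so 64 bits takes 5 words but 11 characters.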