[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Interesting question: how to safely keep passwords online
At 11:40 AM 2/18/97 -0800, Ed Falk wrote:
>Here's a question that's been on my mind lately: Often, you like
>to keep external passwords stored on your personal computer. As a quick
>example, Eudora will remember your POP password for you so you don't
>have to enter it every time. Obviously, Eudora keeps this on disk
>somewhere.
>The question is: is there any (relatively) safe way to do this?
Depends on your threat models....
The relatively safe way is to use an encrypted disk volume,
so everything stored on it is "safe", though any time the
disk volume is open, you're obviously at risk. My laptop is
relatively secure, unless someone has physical access to it;
if I used a boot password and encrypted disk volume it would require
an active attack to get the information, rather than simple theft.
(NT has a password, but it's not worth much if you've got the disk.)
Another popular approach, which PGP uses for storing private keys,
is to store the keys in an encrypted file, and use a passphrase for access;
variants include one passphrase for the whole file, or one passphrase
per record. Of course, if you can replace the "PGP" program with a
trojan version, you can still steal the passphrase. Or you can use a
keystroke sniffer to store any password-like input.
Of course, an even more popular approach is to ignore the problem,
and just leave the password around in plaintext in an INI file or Registry,
or encrypt it with some Really Secure KeyLess Proprietary Algorithm,
like rot13 ("We'll fool them - we'll use rot39! It's 3 times as secure!")
If you've got off-machine storage, e.g. a SecureID-like calculator
or other smartcard with on-card PIN entry, you can do actual security.
Even then you need to be careful about all the protocols; it doesn't do
much good to have a 4096-bit RSA key if a trojan shim can replace the card's
response of "Not OK" with "OK" before the real application reads it.
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)