[conspire] CABAL meeting tomorrow (also, webmail security discussed here)
Rich Bodo
richbodo at gmail.com
Fri Sep 11 16:37:17 PDT 2009
> Actually, if you're willing to assume that Password Gorilla implements
> the Twofish symmetric cipher correctly, there's negligible security loss
> from putting copies of the db file on other computers -- temporary or
> not. And, of course, lots of benefit from doing so.
This is a problem. Although some of the features in password gorilla
would be very hard to live without (like copy field to clipboard on
double-click), I'm not enamored with TCL and there is no development
community for that app.
What I'm really looking for is a cross-platform password database with
a living development community that I can contribute to. I'll add the
features I need if the code is readable. I think there is a lot to be
done in this space.
> Sometimes, when I tell people about my Keyring strategy, people ask me
> if I'm not afraid people will steal the (3DES-encrypted) db file from my
> backups. My response is always "Not at all. I can always use more
> safety copies in more locations. Would you mind if I give you a copy?"
I tell my users something similar. It's not the end of the world if
you lose your password database if you are really sure you have a
solid password that only you know.
> 4. Compromise the machine's OS environment where the code runs
> that reads the password db. This is why I don't leave
> Bluetooth or WiFi connectivity on, and am incredibly paranoid
> about what other code I'm willing to install on my PDA.
>
> Threat model #4 is where I win, over people using database-reading
> code on general-purpose computing environments
I agree. That's what freaks me out. I actually have more than one
password database now to reduce the number of passwords I have to
change when I use my db on a system I don't totally trust. I may pay a
hefty price some day for my impatience, but security is full of
trade-offs.
The HTC you mentioned in the previous post is a good option. So is
the nokia line of small linux boxen. You may eventually have to move
to a platform that you can upgrade with floss.
-Rich
--
-Rich
http://rbodo.blogspot.com
http://www.linkedin.com/in/complete
Skype: richbodo
irc: irc.freenode.net, rich