frozenJim Guru


Joined: 18 Jun 2004 Posts: 341 Location: Montreal, Quebec, Canada
|
Posted: Sun Jun 11, 2006 6:03 pm Post subject: |
|
|
| Chris W wrote: | | I use Password Gorilla. I keep Linux and Windows binaries (no install required), along with the encrypted password file on a USB flash drive. |
I have been looking for a solution that fits my needs for a couple of years now. Chris W hit the nail right on the head here.
WHERE did you get your windows and linux binaries of password gorilla? I'm just at the stage where if it isn't in Portage then it is hopeless.
------------------
edit:
Oh... I see. There IS NO installation required. I have downloaded the binaries from the link Chris provided to my usb key and presume that it will run just fine in Windows. Now my only problem is how to run a tcl app in linux.
If I can figure out how to command-line my tcl (which is apparently emerged already) then this should be perfect. _________________ Who controls the past, controls the future. Who controls the present, controls the past. |
 |
sokai n00b


Joined: 26 May 2004 Posts: 23 Location: Germany - Potsdam
|
Posted: Sun Jul 09, 2006 6:03 pm Post subject: pwsafe |
|
|
To use the password-file you created by using Password Gorilla or MyPasswordSafe under the Linux-console, you can try pwsafe.
So I handle my passwords under Windows, Linux and the Linux-console across our net with a lot of Workstations and Servers. |
 |
Simius Apprentice

Joined: 26 Oct 2002 Posts: 219 Location: Budapest, Hungary
|
Posted: Tue Aug 29, 2006 12:07 pm Post subject: Off-computer device |
|
|
Well, I have put some thought into this password device idea...
However, I'm not entirely sure that it would be the most practical - and safe - method.
What do we need?
- portability
- security
- reliability
The keypair encryption is maybe the best method in terms of security, so let's start out from here.
Having the private key on the very same unit the encrypted file is on - a workstation connected to the Internet -, defeats most of the security overhead keypair encryption offers. This setup can be called fair when we encrypt for transmission, but not for storage.
So I think we should have the private key in two copies - a paper hardcopy (honestly, I don't trust CDROMs enough to call them a hardcopy) and on a USB flash drive. Sure this can be stolen, but then again, your front door keys can be stolen too. And if it IS stolen, you do the same thing you would in the case of the front door keys - change the lock. That is, take the hardcopy, key it in, issue cancellation certs to all your communication partners, and re-encrypt any stored data with a new key.
(To defeat even the slight chance that the key might be stolen when it is in use on a computer, one could create a small computer that does all the encrypting, decrypting and signing via USB, and has different ports for uploading the key and for standard data traffic. This way, the key can only be stolen in a physical manner. Maybe there's already something like this on the market.)
The encrypted password file could even be kept on the Web, so you can access it from anywhere, and you could take the private key on the USB flash drive with you in your wallet... |
 |
nielchiano Veteran

Joined: 11 Nov 2003 Posts: 1283 Location: 50N 3E
|
Posted: Tue Aug 29, 2006 4:29 pm Post subject: Re: Off-computer device |
|
|
| Simius wrote: | | (To defeat even the slight chance that the key might be stolen when it is in use on a computer, one could create a small computer that does all the encrypting, decrypting and signing via USB, and has different ports for uploading the key and for standard data traffic. This way, the key can only be stolen in a physical manner. Maybe there's already something like this on the market.) |
Yep, it's called "smartcard", you probably have one under the name "credit card" or something similar.
| Simius wrote: | | The encrypted password file could even be kept on the Web, so you can access it from anywhere, and you could take the private key on the USB flash drive with you in your wallet... |
This won't help against an installed keylogger that takes screenshots every 2 seconds. They'll know where you store your keyfile, AND all passwords that were on the screen... |
 |
tgh Apprentice

Joined: 05 Oct 2005 Posts: 221
|
Posted: Wed Aug 30, 2006 12:38 am Post subject: |
|
|
In general, if the box is rooted or otherwise untrusted, you shouldn't use it for secure operations.
...
I go for the KISS principle with password storage. A GPG/PGP public key pair with a good, longish passphrase. I then encrypt the contents of individual text files, one per website / service. Easy to back up, I can encrypt certain passwords with multiple keys, and I can print out the ASCII armored text blocks to paper (or send them to a g-mail account, or hide them in the corner of a web/ftp site...).
The problem then becomes how to keep the secret key and the passphrase private, which is easier to do than keeping a few hundred account files secure. |
 |
frozenJim Guru


Joined: 18 Jun 2004 Posts: 341 Location: Montreal, Quebec, Canada
|
Posted: Fri Sep 01, 2006 12:44 pm Post subject: |
|
|
| tgh wrote: | | I go for the KISS principle with password storage. A GPG/PGP public key pair with a good, longish passphrase. I then encrypt the contents of individual text files, one per website / service. Easy to back up, I can encrypt certain passwords with multiple keys, and I can print out the ASCII armored text blocks to paper (or send them to a g-mail account, or hide them in the corner of a web/ftp site...). |
Great idea!
I've gotten Password Gorilla working for me now, and I'll keep using it for the time being, but I like your idea too.
The Password Gorilla install problem was simple, you don't install it. You just "use" it. I keep my Windows binary, my TCL binary, my Password Gorilla binary and my password file on a usb key. When I need a password, I simply use the correct binary for the OS in use on that particular machine. It's simple.
The way I set it up for Gentoo is easy enough for anyone to make a package (can someone do so?) I copy the binaries to the right location and simply make an icon in a menu to access them. I copy the Gorilla files and tclkit to /opt/gorilla, then I make a symlink to tclkit in /usr/bin. Then, for simplicity, I create a bash script called "gorilla" that does the work for me:
| Code: | james@thorn ~ $ cat /usr/bin/gorilla
#!/bin/bash
tclkit /opt/gorilla/gorilla-1.3.kit
|
It's brainless, portable and secure enough for my needs. The benefit being that my passwords are stored neatly in an intuitive hierarchy that makes it possible to keep thousands of passwords at my fingertips. _________________ Who controls the past, controls the future. Who controls the present, controls the past. |
 |
Aurisor Guru


Joined: 20 Sep 2003 Posts: 361 Location: Boston MA
|
Posted: Fri Sep 01, 2006 1:39 pm Post subject: |
|
|
I have a piece of paper I keep in my wallet. I figure if I lose my wallet I'm going to have to get new driver's license and credit card, so the hassle of changing all my passwords isn't that bad in comparison. _________________ The problem with seeing too much is that it makes you insane. --Phaedrus |
 |
frozenJim Guru


Joined: 18 Jun 2004 Posts: 341 Location: Montreal, Quebec, Canada
|
Posted: Fri Sep 01, 2006 1:46 pm Post subject: |
|
|
| ishan wrote: | | I have a piece of paper I keep in my wallet. I figure if I lose my wallet I'm going to have to get new driver's license and credit card, so the hassle of changing all my passwords isn't that bad in comparison. |
Well, my luddite friend, that only works for a few passwords that do not change - I have hundreds that change frequently. Also, I am not comfortable with a wallet-thief possessing the many passwords of my clients. Losing the driver's license would be insignificant by comparison. What a disaster THAT would be! Also, forgetting the router password for a client would be embarrassing at least.
So my requirement includes bulk, changeability, accessibility, security, portability and backup. It's really a tall order and I'm pleased to have found a tool that handles it.
But your point is good - it really depends on what you need. _________________ Who controls the past, controls the future. Who controls the present, controls the past. |
 |
figueroa Apprentice


Joined: 14 Aug 2005 Posts: 182 Location: Ohio-USA
|
Posted: Tue Nov 28, 2006 3:47 pm Post subject: Re: How do you store your passwords? |
|
|
| aeris wrote: |
I was thinking about keeping them in a text file encrypted with gpg (symmetric) and to fetch the entry I want with something like the following:
| Code: | | gpg -d pw.gpg | grep "Entry" |
As a side note is it easy for someone who knows what he/she is doing to see what I had on my clipboard after I've replaced it with something else? (I'm not using Klipper). And the same goes for my konsole after I've closed it?
/ mikael |
After looking at all these posts and trying some of the software, I really do like the simplicity of this approach. After all, there are several layers of security a hacker has to go through just to get into my network and onto my system, and then find the well hidden file that contains my passwords. So I'm thinking this might be good enough. What think you all now? _________________ Andy Figueroa
andy@andyfigueroa.net |
 |
nielchiano Veteran

Joined: 11 Nov 2003 Posts: 1283 Location: 50N 3E
|
Posted: Tue Nov 28, 2006 3:53 pm Post subject: Re: How do you store your passwords? |
|
|
| Code: | | gpg -d pw.gpg | grep "Entry" |
| figueroa wrote: | | After looking at all these posts and trying some of the software, I really do like the simplicity of this approach. After all, there are several layers of security a hacker has to go through just to get into my network and onto my system, and then find the well hidden file that contains my passwords. So I'm thinking this might be good enough. What think you all now? |
That this restricts you in at least 3 ways:
- only 1 line per entry is allowed; which might be impractical to store AND a BIOS-password, AND the GRUB password AND the root password AND your user-password
- you can't (easily) browse the list of entries
- It's not an "offline" viewer: an infected computer can screenshot/keylog your session and at least know that ENTRY's password, maybe all of them
But as you say... the simplicity is wonderful |
 |
figueroa Apprentice


Joined: 14 Aug 2005 Posts: 182 Location: Ohio-USA
|
Posted: Tue Nov 28, 2006 4:27 pm Post subject: Re: How do you store your passwords? |
|
|
| nielchiano wrote: |
That this restricts you in at least 3 ways:
- only 1 line per entry is allowed; which might be impractical to store AND a BIOS-password, AND the GRUB password AND the root password AND your user-password
- you can't (easily) browse the list of entries
- It's not an "offline" viewer: an infected computer can screenshot/keylog your session and at least know that ENTRY's password, maybe all of them
But as you say... the simplicity is wonderful |
Generally concur, but I can also pipe through more or less which gives me a nice browsing capability. _________________ Andy Figueroa
andy@andyfigueroa.net |
 |
nielchiano Veteran

Joined: 11 Nov 2003 Posts: 1283 Location: 50N 3E
|
Posted: Tue Nov 28, 2006 4:32 pm Post subject: Re: How do you store your passwords? |
|
|
| figueroa wrote: | | Generally concur, but I can also pipe through more or less which gives me a nice browsing capability. |
which would change item 3 to:
| nielchiano wrote: |
* It's not an "offline" viewer: an infected computer can screenshot/keylog your session and at least know a screenful of passwords |
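
The restrictions discussed above for `gpg -d pw.gpg | grep "Entry"` (one line per entry, no easy browsing, a screenful of secrets on display) can be reduced with a few stdin filters; this is an added example, not code from any poster in the thread. The record layout, the function names `pw_list`, `pw_show`, `pw_field`, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed plaintext layout (not from the thread): records are
# separated by one blank line, line 1 of a record is the entry title, and the
# remaining lines are "field: value". Everything reads stdin; nothing is
# written to disk.   Usage: gpg -d pw.gpg | pw_field server-a root

# pw_list: print entry titles only, so browsing never displays a secret.
pw_list() {
    awk 'BEGIN { RS = ""; FS = "\n" } { print $1 }'
}

# pw_show TITLE: print the whole multi-line record whose title equals TITLE.
# The title is passed via the environment and compared as a literal string,
# so regex characters or backslashes in it have no special meaning.
pw_show() {
    WANT="$1" awk '
        BEGIN { RS = ""; FS = "\n" }
        ($1 "") == ENVIRON["WANT"] { print; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# pw_field TITLE FIELD: print just one value from one record, which keeps
# the on-screen exposure to a single secret instead of a screenful.
pw_field() {
    WANT="$1" FIELD="$2" awk '
        BEGIN { RS = ""; FS = "\n" }
        ($1 "") == ENVIRON["WANT"] {
            key = ENVIRON["FIELD"] ": "
            for (i = 2; i <= NF; i++)
                if (index($i, key) == 1) {
                    print substr($i, length(key) + 1); found = 1; exit
                }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample plaintext (placeholder values, not real credentials).
pw_sample() {
    printf '%s\n' \
        'server-a' 'bios: CONSTRUCTED-bios' 'grub: CONSTRUCTED-grub' \
        'root: CONSTRUCTED-root' '' \
        'router' 'admin: CONSTRUCTED-router'
}
```

None of this changes the third restriction itself: whatever is decrypted on an infected machine is still visible to it; the filters only limit how much is shown per lookup.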
 |
elpeor n00b

Joined: 06 Sep 2006 Posts: 32
|
Posted: Mon Dec 18, 2006 10:11 am Post subject: nice app |
|
|
I found a nice app that just takes fpm database:
admin/kedpm
Latest version available: 0.4.0-r1
Latest version installed: 0.4.0-r1
Size of files: 60 kB
Homepage: http://kedpm.sourceforge.net/
Description: Ked Password Manager helps to manage large amounts of passwords and related information
License: GPL-2 _________________ --ELPEOR-- |
 |
djdunn Guru


Joined: 26 Dec 2004 Posts: 546 Location: Under the moon and all the stars in the sky.
|
Posted: Mon Dec 18, 2006 8:09 pm Post subject: |
|
|
I keep my passwords in a piece of paper on my desk, the chicken scratch I write with is better than any encryption... _________________ Now, with penguins, (cuddly such), "contented" means it has either just gotten laid, or it's stuffed on herring. Take it from me, I'm an expert on penguins, those are really the only two options.
--Linus Torvalds |
 |
quag7 Apprentice


Joined: 12 Aug 2002 Posts: 288 Location: Marana, Arizona - USA
|
Posted: Tue Dec 19, 2006 7:53 pm Post subject: |
|
|
I used to carry a paper in my wallet that had what appeared to be notes from a college literature class. Each two bullet points had a hint which would help me remember a password. If stolen, it would look like a bunch of literature notes.
For example, I had a password which was !z00ey451 as:
* In what ways did the Glass family embody Salinger's Buddhist beliefs or principles?
* For what reason are Salinger's books commonly subjected to censorship?
The first question = Glass Family = Zooey Glass from J.D. Salinger's Franny & Zooey
The second question = censorship = book burning = Heinlein's Fahrenheit 451
Now of course I had to be vaguely familiar with the passwords I chose. These would simply help me to remember them and pair together numbers and names.
I don't have that paper anymore, but I was able to store almost 30 passwords via this method. There was no way of telling that the paper was anything other than a list of assignments or notes. I forget how I tied the passwords to specific systems or resources, but I was able to, through encoding that into the bullet points.
All passwords had a set of rules which applied universally to add additional characters in - like if the password begins with a letter, then it would have an exclamation point at the front...or something along those lines.
This sounds complicated but it worked for me for about 5 years.
There are probably lots of ways of encoding meaning into something that looks like a grocery or "to do" list - or even graphically. _________________ http://www.dataswamp.net |
 |
nielchiano Veteran

Joined: 11 Nov 2003 Posts: 1283 Location: 50N 3E
|
Posted: Tue Dec 19, 2006 8:02 pm Post subject: |
|
|
quag7's method looks nice... but I don't think it's practical for random passwords... since that would require too many bullets/passwd.
Also: losing your wallet/paper ruins your passwd database... |