[Dshield] password security
David Brodbeck
brodbd at u.washington.edu
Fri Feb 6 17:37:40 GMT 2009
On Feb 5, 2009, at 5:56 PM, Dr. Daniel Carras wrote:
> I view encryption as the "locking the keys in the safe" approach to
> security. If you lose the key to the safe, or the lock is broken,
> you've locked all that information in with no way to get it out.
That's a good point.
I deal with the "locking the keys in the safe" problem by printing a
copy of the password file and storing it in my firebox. If someone
breaks into my house and opens the firebox, I'll know about it and can
change the passwords.
On Feb 6, 2009, at 7:59 AM, Valdis.Kletnieks at vt.edu wrote:
> Common errors include not realizing that the program's data in RAM
> can end up out on an unencrypted swap area
Which is, of course, one of the flaws in using an encrypted file that
I hinted at, but didn't list. So is the fact that data in RAM can,
itself, be vulnerable to being read by malware, and in some cases can
even persist after the machine has been shut off.
> "There are two kinds of cryptography in this world: cryptography that
> will stop your kid sister from reading your files, and cryptography
> that will stop major governments from reading your files."
Very true. I'm mostly interested in cryptography that will stop a
casual script kiddie from reading my files, which isn't very far above
the "kid sister" level.
Frankly, if a major government is after you there probably isn't a
level of cryptography that's sufficient. The path of least resistance
is probably just to beat you until you give up the key. This XKCD
sums it up pretty well:
http://xkcd.com/538/
Of course, the government isn't too interested in my credit card
number or my online banking password. They have other ways to get at
that data.
--
David Brodbeck
System Administrator, Linguistics
University of Washington
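The swap and RAM problem raised above (a password-manager's plaintext being paged out to an unencrypted swap area, or left behind in memory after use) has a standard mitigation on POSIX systems: pin the buffer holding the secret with mlock(), wipe it with a store the compiler cannot drop before releasing it, and turn off core dumps so a crash does not write the secret to disk. The code below is an added example illustrating that, not code from this thread or from any of the programs discussed in it. It assumes a POSIX system (Linux or a BSD) and uses a constructed sample password; the names secret_t, secret_alloc, secret_free, secure_wipe, disable_core_dumps and demo are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* A secret held in RAM. 'locked' records whether mlock() succeeded; the
 * kernel may refuse if the process exceeds RLIMIT_MEMLOCK, in which case
 * the buffer still works but is no longer guaranteed to stay out of swap. */
typedef struct {
    unsigned char *buf;
    size_t len;
    int locked;
} secret_t;

/* Overwrite memory through a volatile pointer so the compiler cannot treat
 * it as a dead store. A plain memset() right before free() is often
 * optimised away, leaving the secret in the freed block. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Allocate a page-aligned buffer and pin it in RAM with mlock() so the
 * kernel never writes it to the swap area. Returns 0 on success, -1 if
 * the allocation itself failed. */
int secret_alloc(secret_t *s, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    void *p = NULL;
    if (page <= 0) page = 4096;
    if (posix_memalign(&p, (size_t)page, len) != 0) return -1;
    memset(p, 0, len);
    s->buf = (unsigned char *)p;
    s->len = len;
    s->locked = (mlock(p, len) == 0);
    return 0;
}

/* Wipe, unpin and release the buffer. The wipe runs first so that what the
 * allocator recycles is zeros, not the password. */
void secret_free(secret_t *s) {
    if (!s->buf) return;
    secure_wipe(s->buf, s->len);
    if (s->locked) munlock(s->buf, s->len);
    free(s->buf);
    s->buf = NULL;
    s->len = 0;
    s->locked = 0;
}

/* Core dumps are another path from RAM to unencrypted disk: a crash while
 * the password is in memory writes it into the core file. Lowering
 * RLIMIT_CORE to zero is always permitted. Returns 0 on success. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 if every byte in [p, p+n) is zero; used to confirm a wipe. */
int is_zeroed(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Demonstration: copy a constructed sample password into a locked buffer,
 * pretend to use it, wipe it, and check the wipe before the buffer is
 * released. Returns 1 if no trace of the password remained. */
int demo(void) {
    static const char password[] = "correct horse battery staple"; /* constructed sample */
    secret_t s;
    int clean;
    if (secret_alloc(&s, 64) != 0) return 0;
    memcpy(s.buf, password, sizeof password);
    /* ... authenticate with s.buf here ... */
    secure_wipe(s.buf, s.len);
    clean = is_zeroed(s.buf, s.len);
    secret_free(&s);
    return clean;
}

int main(void) {
    disable_core_dumps();
    printf("wipe left no trace: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Note that mlock() only keeps the pages out of swap; it does nothing against malware reading process memory, and it cannot prevent a copy of the secret from surviving in a C library's internal buffers if the program passes it through stdio. Check the locked flag after secret_alloc() rather than assuming the pin succeeded.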