[Dshield] password security
Peter Stendahl-Juvonen
peter.stendahl-juvonen at welho.com
Sat Mar 7 16:03:57 GMT 2009
Matt, Valdis et al.
PINs would appear somewhat similar to Password Safe.
Matt, could an OSI Certified Open Source Software tool like this be
applicable and tailored for your needs?
It would appear that it is no longer developed, after March 2003. A
complete product? ;-)
Using a strong master pass phrase, how safe would you estimate the tool
to be (using 448 bit Blowfish encoding)?
At least, it would appear to be very easy and straightforward to use
for, e.g., storing and using login and other passwords.
Cheers,
Pete
"In theory, research requires more brains than means."
Severo Ochoa (1905-1993); Spanish biochemist and Nobel Prize winner
More info at: http://www.mirekw.com/winfreeware/pins.html
"PINs is a free feature-rich Windows program for safe and comfortable
storing of any secure information like passwords, accounts, PINs etc.
PINs uses a secure 448 bit Blowfish algorithm to ensure the data are not
crackable. The password used for securing access to stored data is not
saved anywhere.
PINs does not require installation and does not need any special dlls,
drivers or system files which can mess up your system. This means that
PINs can run directly from floppy - including data files - without
installing anything. This is extremely useful if you wish to easily
access your data on other computers as well.
PINs is OSI Certified Open Source Software. It's freeware, but your
donations are gladly accepted.
Selected features
* Secure 448 bit Blowfish encoding.
* Unlimited number of entries and data files.
* A clear tree-like data organization which allows logical grouping
of systems and accounts.
* Automated login into Internet services (SuperPaste).
* A powerful random passwords generator.
* Safe file wiping using Gutmann, DoD and custom methods.
* Launching of embedded hyperlinks.
* Unlimited-size, multi-line descriptions.
* Flexible data import/export in text format.
* Multiple user accounts on a single PC.
* Account sorting using any column as the sort criterion.
* Comfortable account adding, editing, and deleting.
* Compatibility with popular clipboard extenders.
* Password masking.
* Copying logins and passwords to the Windows clipboard.
* Find/find next functions.
* Expired password tracking.
* Running from a floppy without saving settings to registry.
* Multilingual versions.
* Full source code available.
* And more..."
6.2.2009 17:59 (GMT+2/UTC+2, EET), Valdis.Kletnieks at vt.edu wrote:
> On Fri, 06 Feb 2009 08:35:40 +0100, Stephane Grobety said:
>> When I had to solve that problem for myself, I wrote a small text
>> editor that incorporates both strong encryption, an FTP client, a
>> rudimentary version control system and an automated downloader.
>
> Kids, don't try this at home. ;)
>
> It's amazingly easy to get this sort of thing terribly wrong. Common errors
> include not realizing that the program's data in RAM can end up out on an
> unencrypted swap area, or creating temporary work files that aren't themselves
> encrypted, using a strong crypto algorithm in a weak manner, and various
> other ways of leaving the master key around in plaintext format so a miscreant
> can get it.
>
> As Bruce Schneier said:
>
> "There are two kinds of cryptography in this world: cryptography that will stop
> your kid sister from reading your files, and cryptography that will stop major
> governments from reading your files."
>
> If you think you've designed the latter, you're almost certainly wrong...
>
> (As an object proof, I'll point out that Bruce himself attacked this
> "save a user's passwords" issue: http://www.schneier.com/passsafe.html
>
> And somebody found a hole in version 1 and 2:
>
> http://www.securiteam.com/windowsntfocus/6C0022AEVQ.html
>
> And a different hole:
>
> http://www.webhostingtalk.nl/bugtraq-mailing-lijst/27482-leak-information-counterpane-bruce-schneiers-now-open-source-password-safe-program.html
>
> And yet another different hole in version 3:
>
> http://www.derkeiler.com/Mailing-Lists/VulnWatch/2006-03/msg00012.html
>
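Added example, not part of the thread and not code from PINs or Password Safe. It illustrates Valdis's point about "using a strong crypto algorithm in a weak manner" for exactly the case Pete asks about: a safe whose key comes from a master passphrase. The cipher's key size (448-bit Blowfish, 256-bit AES, it makes no difference) says nothing about strength there; the file is only as hard to open as the passphrase is to guess, so what matters is how the passphrase is turned into the key. The block contrasts the weak design (key = one fast, unsalted hash of the passphrase) with a per-file random salt plus a deliberately slow PBKDF2 derivation and a key-check value, then runs the same constructed dictionary against both. The wordlist, the iteration count and the "key-check" label are assumptions; the stdlib `hashlib.pbkdf2_hmac` stands in for whatever KDF a real tool uses, and the actual encryption of the entries with `enc_key` is outside the example.

```python
# Added example, not code from PINs, Password Safe or anyone on this thread.
import hashlib
import hmac
import os
import time

# Constructed wordlist, standing in for the dictionaries a cracker really uses.
WORDLIST = [
    "letmein", "password1", "qwerty123", "Tr0ub4dor&3",
    "correct horse battery staple", "hunter2", "S3cr3t!",
]

DEFAULT_ITERATIONS = 300_000  # assumption: tune until one derivation costs ~0.1 s


def weak_key(passphrase):
    """The weak use of a strong cipher: key = SHA-1(passphrase).

    No salt and a single fast hash mean every safe made with this passphrase
    gets the same key, precomputed tables apply, and a cracker tests guesses
    at raw hash speed (millions per second per core)."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()


def derive_keys(passphrase, salt, iterations):
    """PBKDF2-HMAC-SHA256 -> 64 bytes, split into an encryption key and a MAC key.

    The salt makes each safe's key unique even for equal passphrases; the
    iteration count makes every guess cost the attacker as much as it costs
    the legitimate user."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             iterations, dklen=64)
    return km[:32], km[32:]


def new_safe_header(passphrase, iterations=DEFAULT_ITERATIONS):
    """Header stored with the safe: salt, iteration count and a key-check value.

    Neither the passphrase nor the keys are written anywhere; the key-check
    value only lets the program tell 'wrong passphrase' from 'corrupt file'."""
    salt = os.urandom(16)
    _enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    kcv = hmac.new(mac_key, b"key-check", "sha256").digest()  # label is an assumption
    return {"salt": salt, "iterations": iterations, "kcv": kcv}


def unlock(header, passphrase):
    """Return (enc_key, mac_key) for the right passphrase, None otherwise."""
    enc_key, mac_key = derive_keys(passphrase, header["salt"], header["iterations"])
    expected = hmac.new(mac_key, b"key-check", "sha256").digest()
    if not hmac.compare_digest(expected, header["kcv"]):
        return None
    return enc_key, mac_key


def crack(accepts, wordlist):
    """Offline dictionary attack against a stolen safe.

    accepts(guess) -> bool is whatever test the file format lets an attacker
    run (key-check value, known header plaintext, padding...). The format cannot
    deny the attacker such a test; it can only make each test slow and
    unique to this file. Returns (found_or_None, guesses, seconds)."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, 1):
        if accepts(guess):
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


if __name__ == "__main__":
    secret = "hunter2"

    target = weak_key(secret)  # what an attacker can reconstruct from a weak safe
    found, n, t_weak = crack(lambda g: weak_key(g) == target, WORDLIST)
    print(f"weak:   {found!r} after {n} guesses in {t_weak * 1e6:.0f} us")

    header = new_safe_header(secret)
    found, n, t_strong = crack(lambda g: unlock(header, g) is not None, WORDLIST)
    print(f"strong: {found!r} after {n} guesses in {t_strong:.2f} s "
          f"(about {t_strong / max(t_weak, 1e-9):.0f}x slower per guess)")
```

Both runs find the passphrase, because it is in the wordlist; the difference is cost per guess, and it is that cost, multiplied by the size of the space the passphrase was actually drawn from, that decides whether the safe holds. A salt without a slow KDF still leaves guesses at hash speed, and a slow KDF without a salt still lets one precomputation serve every file, so the two go together.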