
Monday, 14 April 2003

Comments

kv
word. passwords are the dumbest invention ever. ok, maybe not The Dumbest, but they're up there.

PassSafe
I definitely have thresholds of passwords. Some for fun Web applications, some for banking applications, some for security programs like PGP. They escalate in complexity, and I definitely need a place to store them all. As you mentioned it's dangerous, and I've wiped out my p/w database before. (not fun.) If you're looking for software to help you out, try out PassSafe:

http://sourceforge.net/projects/passwordsafe/

Password repositories
Mac OS X has a nice password manager integrated into many of its apps, only there's one problem: it doesn't help me when I've booted into Linux or I'm using my Windows box at work. The fact that I use multiple computers in this manner makes any one central repository like this pretty useless.

Something like Microsoft Passport (without the baggage of Microsoft) would be nice for this kind of thing. Maybe something I could run on my personal server and access passwords from anywhere I had an Internet connection. Of course, that's fraught with peril as well, depending on the security of my server.

Better yet would be to store it in something I carried with me all the time, like a Palm Pilot. Only I don't carry a Palm Pilot with me...had one but found it too bulky. A keychain-sized apparatus would be ideal. Having it activated by my thumbprint would be even nicer, in case my keys got lost or swiped. I'd still need an easy way to input passwords into the dongle...having it sync with OS X Password Manager using Bluetooth would be a wicked way to start.

Just wishful thinking...

Funny how the only way to protect passwords is to have more passwords--either to PassSafe (which, by the way, looks pretty neat, and may be more applicable than my Excel spreadsheet that I started), or to a secret server or to a Palm Pilot. It's like chap stick that makes your lips chapped whenever you aren't using it. The meme of passwords has pretty good job security for now.

This issue just came up today with a new server that I'm sharing with Bill and we had to decide on a root password.

What about a handheld device that generated passwords for you, based on a key you use like a phrase combined with the username and name/address of the system?

For example, you're creating an email account on Yahoo. You give your device the address (mail.yahoo.com), the username (powerspammer) and your key phrase ("The dehydrated ocean is a very strange place, but not as strange as its fish." (Terry Pratchett)). It tells you what you should set the password to on Yahoo, but doesn't store it internally. If you don't remember that password, you enter those three values again.

That way, the password is different on every single account, easily retrievable, and not stored anywhere.

Don, I think that would work brilliantly--as long as the password that is generated satisfies the demands of that particular site. Unfortunately, though, there are so many different requirements for passwords out there and many of them are not compatible with each other (some need to be between 4 and 6 characters, some need to be more than 8, some need a number and a digit, some only take digits) that these edge cases would slowly creep in and require that you have yet another way to store those special passwords. Maybe this handheld device would let you program in answers to specific questions so that even if you didn't use the suggested password, you could use a variant of it and tell it to suggest that answer next time those three parameters are entered. On second thought... maybe it should just let you always specify the answer to those three parameters so that you could even use the same password for multiple locations.

Of course, this falls prey to that same curse--now you have to remember that key phrase, and if anyone finds out about that key phrase suddenly it becomes very easy for them to find out what all of your passwords are.
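
A sketch of the scheme discussed in the two comments above (derive each password from the key phrase, site address and username, then fit it to the site's rules), as an added example that is not code from the post or from any commenter. The function name, the `revision` parameter, the PBKDF2 iteration count and the sample policies are assumptions; the slow derivation step only raises the cost of guessing the phrase from one leaked password and does nothing once the phrase itself is known.

```python
import hashlib
import string


def _field(value):
    """Length-prefix a field so ("ab", "c") and ("a", "bc") give different salts."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def derive_password(phrase, site, username, length=16,
                    alphabet=string.ascii_letters + string.digits,
                    required=(), revision=1, iterations=200_000):
    """Recompute the password for (phrase, site, username); nothing is stored.

    alphabet/length/required describe the site's password rules (assumed names).
    revision lets one account rotate its password without changing the phrase.
    """
    # Host names are case-insensitive, so normalise the site before salting.
    salt = _field(site.lower()) + _field(username) + _field(str(revision))
    # Slow step, done once: makes guessing the phrase from a leaked password costly.
    seed = hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, iterations)
    for attempt in range(1000):
        # Cheap, deterministic retries until the site's required classes appear.
        stream = hashlib.shake_256(seed + attempt.to_bytes(4, "big")).digest(length + 16)
        n = int.from_bytes(stream, "big")  # 128 spare bits keep modulo bias negligible
        chars = []
        for _ in range(length):
            n, index = divmod(n, len(alphabet))
            chars.append(alphabet[index])
        candidate = "".join(chars)
        if all(any(c in group for c in candidate) for group in required):
            return candidate
    raise ValueError("site policy cannot be met with this alphabet and length")


if __name__ == "__main__":
    phrase = "constructed sample key phrase, not a real secret"
    # Default policy: 16 letters and digits.
    print(derive_password(phrase, "mail.yahoo.com", "powerspammer"))
    # Constructed policy: digits only, 6 characters.
    print(derive_password(phrase, "bank.example", "powerspammer", 6, string.digits))
    # Constructed policy: at least one letter and one digit, 8 characters.
    print(derive_password(phrase, "shop.example", "powerspammer", 8,
                          required=(string.ascii_letters, string.digits)))
```
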

Hi Erik-
Was just reading your comments about passwords (so true!). I came across an app named passsafe (not the code from sourceforge) that seems to solve the problem. I've just barely started using it, and wonder what you think of their solution. www.passsafe.com

thanks for your input
