> Is there a good impartial (i.e. non-marketing) guide for how to select
> and evaluate a password vault program/system?
>
> If you use a vault that gets cracked, then you're in even more danger
> than you are now if you use the same password on LinkedIn and your
> bank. If you use the same password everywhere, the bad guy has to guess
> where else you have accounts and what your login is. If your vault gets
> cracked, they have everything they need to do a lot of damage quickly.
>
> I don't feel confident enough in my own knowledge of
> cryptography/security to be sure that I've made the right decision on a
> vault system for myself, let alone be confident in what I'm recommending
> to my users who may have different requirements than my own.
I wrote a blog entry about this a few years back. I tested a number of
solutions such as KeePass and ended up settling on a home-grown solution
where I store my passwords in a simple text file, encrypted with GPG, and
stored on an IronKey. If I can't remember a password, I just look it up.
I only _truly_ need to remember 2 passphrases/passwords: one for my
IronKey and one for my GPG key.

To be fair, I am playing the ultimate paranoid in that I'm not trusting a
program (online or standalone) to manage my passwords for me. Without
extensive testing and validation, how am I to know that I can fully trust
one of those programs not to leak my information, intentionally or
otherwise?

Ryan
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
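As an added example, not Ryan's own script and not part of the original thread, here is a minimal POSIX shell version of the scheme he describes: a plain text file of records, encrypted with GPG, decrypted into a pipe and searched when a password is needed. Everything specific is an assumption made for the example: the one-record-per-line "site login password" format, the store path and the PWSTORE and PW_PASSPHRASE variable names, and the use of a symmetric passphrase (gpg --symmetric) rather than his key pair, which would use --encrypt --recipient instead. The IronKey is not modelled; STORE would simply point at the mounted drive.

```shell
#!/bin/sh
# Added example (not Ryan's script): a GPG-encrypted text-file password store.
# Assumed record format, one per line:  <site> <login> <password>
# Assumed: symmetric passphrase encryption (Ryan encrypts to his GPG key).

set -eu

# Path of the encrypted store. On a removable drive this is a path on the
# mounted volume; the default below is an assumption for the example.
STORE="${PWSTORE:-${HOME:-.}/passwords.txt.gpg}"

# Run gpg. Interactive use lets gpg prompt through pinentry as usual; when
# PW_PASSPHRASE is set (scripts, tests) the passphrase is passed in batch mode.
gpg_cmd() {
    if [ -n "${PW_PASSPHRASE:-}" ]; then
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase "$PW_PASSPHRASE" "$@"
    else
        gpg --quiet "$@"
    fi
}

# Decrypt the whole store to stdout. A store that does not exist yet is empty.
pw_dump() {
    [ -f "$STORE" ] || return 0
    gpg_cmd --decrypt "$STORE"
}

# Append one record and re-encrypt. The plaintext exists only inside the
# pipeline; it is never written to disk unencrypted, and the new file is
# created with owner-only permissions before it replaces the old one.
pw_add() {
    site=$1; login=$2; password=$3
    umask 077
    { pw_dump; printf '%s %s %s\n' "$site" "$login" "$password"; } \
        | gpg_cmd --symmetric --cipher-algo AES256 --output "$STORE.new" -
    mv -f "$STORE.new" "$STORE"
}

# Print every record whose site field matches exactly (the "look it up" step).
pw_get() {
    pw_dump | awk -v s="$1" '$1 == s'
}
```

Usage is `pw_add bank.example alice 'the password'` to add a record and `pw_get bank.example` to retrieve it. Note the trade-off the plain-text-file approach carries: every lookup decrypts the entire file, so all passwords pass through the pipeline (and, in the symmetric variant, through gpg-agent) each time, and anything that can read your terminal or process memory at that moment sees them all. The two secrets Ryan has to remember map onto the GPG passphrase here and the drive's own unlock, which this script does not touch.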
