>>> The correct solution, IMO, would be an encrypted password vault,
> stored on a USB drive and only available through the use of a password
> and some other form of identification (biometric, etc.)
>
> What about kiosks and other situations where it wouldn't be secure to
> allow arbitrary people to insert USB keys? This vault requires a support
> system of some kind; does there need to be software on the system to
> read it? Do you trust that software?
>
And even encryption solutions have their problems, as the key-recovery-from-RAM paper has shown... If we use public/private keys with SSH, why not use them with more services, like web ones? :) Key owners would have the responsibility to manage their keys (password recovery procedures substituted by key procedures) and their passwords... Of course it would take a long time to deploy and teach the general public about it, but isn't that what security pros have been trying to do for a long time?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
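The SSH-style key login the post proposes for web services, as an added example that is not from the thread or any project: the server keeps a registered public key per user instead of a password, hands out a one-shot random nonce, and verifies the client's Ed25519 signature over the service origin plus that nonce. The origin string, user name and in-memory maps are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Server side: registered public keys per user (no password hashes) and outstanding one-shot nonces.
type Server struct {
	origin     string                       // service identity bound into every challenge
	users      map[string]ed25519.PublicKey // key owner registers a public key instead of a password
	challenges map[string][]byte            // fresh nonce per login attempt, consumed on verify
}

// Challenge issues a fresh random nonce; the client will sign origin||nonce and nothing else.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature over origin||nonce and consumes the nonce, so a captured
// response cannot be replayed and a signature made for another service does not verify here.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	nonce, pending := s.challenges[user]
	if !ok || !pending {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, LoginMessage(s.origin, nonce), sig)
}

// LoginMessage is the exact byte string both sides agree to sign: origin, separator, nonce.
func LoginMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"|"), nonce...)
}

// Client side: the private key stays on the owner's device; only a signature crosses the wire.
func Sign(priv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, LoginMessage(origin, nonce))
}
```

Losing the private key is the analogue of forgetting a password, which is why the post's "key procedures" for recovery are needed alongside this flow.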
