On Thu, Jul 13, 2006 at 10:14:31AM -0400, STeve Andre' wrote:
> On Thursday 13 July 2006 09:50, Roland Dominguez wrote:
> > Is anyone using or know of an open source password escrow package?
>
> Ugh. If you are talking about a way to hold passwords in case someone
> gets hit by a truck, nothing beats writing it down, stuffing it in an envelope
> and putting in an administrative person's secure area.
>
> I question using a PDA to do this. I know of a place that used one for a
> password store area, and guess what--it got lost. It was lost for two+
> days before folks noticed. I leave it to the reader to imagine the hysteria
> that ensued, realizing that systems with really sensitive data were in that
> PDA...

Also, a little crypto goes a long way: if you want good security, use two or more pieces which will only provide the password if XOR'ed together. (More elaborate schemes are doubtlessly possible, including a scheme in which, say, any two people can access all systems but no single person can - in fact, I recall seeing such a system in Schneier[1].)

However, such a project would be quite impeded by the typical freedom-loving attitude in the open source movement - it tends to stretch to a profound, and not always unfounded, distrust of those with power. See Stallman's documentation for su(1) for a particularly well-known example.

Joachim

[1] You'll have to make do with this incomplete cite, because I forgot if I borrowed Practical or Applied Cryptography; I am fairly certain it was the former, though.
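
The XOR splitting described in the reply above, as an added example that is not part of the original e-mail thread. It also goes one step further with a simple pairwise construction for "any two people, but no single person"; that construction is an assumption chosen for illustration, not the scheme from the book cited, and the holder names and sample password are constructed.

```python
import secrets
from itertools import combinations

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pieces must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_xor(secret: bytes, n: int = 2) -> list[bytes]:
    """n-of-n split: n-1 random pads plus the secret XORed with all of them."""
    if n < 2:
        raise ValueError("need at least two pieces")
    pads = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]

def combine_xor(pieces: list[bytes]) -> bytes:
    """XOR every piece together; all n pieces are required."""
    out = bytes(len(pieces[0]))
    for piece in pieces:
        out = xor_bytes(out, piece)
    return out

def split_any_two(secret: bytes, holders: list[str]) -> dict[str, dict[str, bytes]]:
    """Any two holders can recover, no single holder can.

    One fresh 2-of-2 split per pair; envelopes[a][b] is the piece that
    holder a combines with envelopes[b][a]. Each piece on its own is
    uniformly random, so one envelope reveals only the password length.
    """
    envelopes = {h: {} for h in holders}
    for a, b in combinations(holders, 2):
        envelopes[a][b], envelopes[b][a] = split_xor(secret, 2)
    return envelopes

def recover_any_two(envelopes, a: str, b: str) -> bytes:
    return combine_xor([envelopes[a][b], envelopes[b][a]])

if __name__ == "__main__":
    password = b"constructed-root-pw"  # constructed sample, not a real credential
    env = split_any_two(password, ["alice", "bob", "carol"])  # hypothetical holders
    print(recover_any_two(env, "alice", "carol"))
```

Each holder's envelope grows with the number of other holders, so this pairwise layout suits a handful of administrators; pad passwords to a fixed length first if the length itself is sensitive.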