Re: Password safes &c. (was: Dear Linkedin,)
----- Original Message -----
> From: Lyndon Nerenberg lyn...@orthanc.ca
>
> The only way to ensure your personal passwords are never compromised is to kill yourself after destroying all physical copies of those passwords. While ultimately secure, you won't be able to do your daily online banking.

No, but on the positive side, the issue will be less pressing to you.

User-side authentication security is a multi-dimensional problem, and it is probably not theoretically possible to optimize any given instance for all of the possible vectors simultaneously. Different individuals need to make their own threat estimate, and decide what approach they want to take to it.

Of course, 95% of the affected audience wouldn't know what the phrase "threat estimate" meant, even if you threatened them.

Cheers,
-- jra

-- 
Jay R. Ashworth
Baylink
j...@baylink.com
Designer, The Things I Think
RFC 2100
Ashworth & Associates
http://baylink.pitas.com
2000 Land Rover DII
St Petersburg FL USA
http://photo.imageinc.us
+1 727 647 1274
Password safes &c. (was: Dear Linkedin,)
On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
> PS: when security is hard, people simply don't do it.

I think this is exactly right. The idea that we are going to train everyone on earth to keep eleventy billion distinct passwords in their heads -- or in a password safe that is either (1) under someone else's control because it's a web service or (2) inaccessible half the time because it's on their laptop and they're using their phone now and OMG -- is preposterous. (This without mentioning that they also have to remember the username that goes with it, which is _also_ variable.)

We have an engineering challenge here, and the PKI we have so far doesn't work. No, I have no magic answers. I'm not that smart. Michael Thomas is still right about this.

Best,

A

-- 
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
Re: Password safes &c. (was: Dear Linkedin,)
KeePass, KeePassDroid and Dropbox. I'm sure it will just get simpler as time goes on. My mom uses a key database just fine.

On Jun 8, 2012 4:49 PM, Andrew Sullivan asulli...@dyn.com wrote:
> On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
>> PS: when security is hard, people simply don't do it.
>
> I think this is exactly right. The idea that we are going to train everyone on earth to keep eleventy billion distinct passwords in their heads -- or in a password safe that is either (1) under someone else's control because it's a web service or (2) inaccessible half the time because it's on their laptop and they're using their phone now and OMG -- is preposterous. (This without mentioning that they also have to remember the username that goes with it, which is _also_ variable.)
Re: Password safes &c. (was: Dear Linkedin,)
On Fri, Jun 08, 2012 at 05:00:14PM -0400, Tyler Haske wrote:
> KeePass, KeePassDroid and Dropbox.

Yes, of course, I'll just upload all my passwords to a place totally under the control of someone (well, actually, _two_ other ones) else, and then pray that there never turns out to be a nasty attack against the programs and algorithms I used. (I'm more concerned about the programs. Obviously, if SHA-2 or whatever breaks, we gots bigger problems than all my personal passwords.)

I'm not trying to be dismissive. Those are excellent stopgap measures. They're not a solution.

Best,

A

-- 
Andrew Sullivan
Dyn Labs
asulli...@dyn.com
Re: Password safes &c.
In my case I rely on Password Safe (http://passwordsafe.sourceforge.net/), Password Gorilla (https://github.com/zdia/gorilla/wiki/) and Dropbox.

Password Safe has Android and Windows clients. The Windows client will work under Wine on Linux if you really want, but it's a bit of a pain. Password Gorilla is a cross-platform Tcl app that reads Password Safe files. There are a number of iPhone clients for Password Safe mentioned on the Password Gorilla page linked above.

Dropbox keeps the safe synced between locations (including phone). In each of them adding, fetching or changing a password is simple and involves only a few clicks. I've got somewhere approaching 200+ passwords in mine.

On 06/08/2012 11:00 AM, Tyler Haske wrote:
> KeePass, KeePassDroid and Dropbox. I'm sure it will just get simpler as time goes on. My mom uses a key database just fine.
>
> On Jun 8, 2012 4:49 PM, Andrew Sullivan asulli...@dyn.com wrote:
>> On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
>>> PS: when security is hard, people simply don't do it.
>>
>> I think this is exactly right. The idea that we are going to train everyone on earth to keep eleventy billion distinct passwords in their heads -- or in a password safe that is either (1) under someone else's control because it's a web service or (2) inaccessible half the time because it's on their laptop and they're using their phone now and OMG -- is preposterous. (This without mentioning that they also have to remember the username that goes with it, which is _also_ variable.)
Re: Password safes &c.
On 06/08/2012 11:07 AM, Andrew Sullivan wrote:
> On Fri, Jun 08, 2012 at 05:00:14PM -0400, Tyler Haske wrote:
>> KeePass, KeePassDroid and Dropbox.
>
> Yes, of course, I'll just upload all my passwords to a place totally under the control of someone (well, actually, _two_ other ones) else, and then pray that there never turns out to be a nasty attack against the programs and algorithms I used. (I'm more concerned about the programs. Obviously, if SHA-2 or whatever breaks, we gots bigger problems than all my personal passwords.)
>
> I'm not trying to be dismissive. Those are excellent stopgap measures. They're not a solution.
>
> Best,
>
> A

If you don't trust Dropbox, try SpiderOak for an added layer of encryption.
Re: Password safes &c. (was: Dear Linkedin,)
On 2012-06-08, at 2:07 PM, Andrew Sullivan wrote:
> I'm not trying to be dismissive. Those are excellent stopgap measures. They're not a solution.

There is no solution. Security is about risk management, nothing more.

The only way to ensure your personal passwords are never compromised is to kill yourself after destroying all physical copies of those passwords. While ultimately secure, you won't be able to do your daily online banking.

--lyndon
Re: Password safes &c. (was: Dear Linkedin,)
On Fri, Jun 8, 2012 at 2:00 PM, Tyler Haske tyler.ha...@gmail.com wrote:
> KeePass, KeePassDroid and Dropbox. I'm sure it will just get simpler as time goes on.

I second this! I deploy KeePass via MS GPO. No formal training on the application for the end-users, but we do one-on-one with end users when we can. I have converted a bunch of users to KeePass. I personally use KeePassDroid and Dropbox, which is good for end users even if they forget their Windows sign-in or need an SSID login.

We have some RoboForm users that think it's great, which I don't doubt, but I say to them: I paid $0 for KeePass; how much did you pay?

-- 
Joe