[sf-perl] OT: Secure password storage

Adam Masri masri at nolex.com
Thu Jan 15 16:32:13 PST 2009


SplashID is available for most platforms.

http://splashdata.com/

On Jan 15, 2009, at 7:26 AM, Daniel Lo wrote:

> Greetings,
>
> My old Palm Pilot: Tungsten T died a week ago.
>
> Now I have to find a new method of password storage. The problem I am facing is that I can't find any devices suitable for password storage.
>
> What did I store on my PDA?
>
> Financial passwords. (Liability rests on me to keep it secure and the company disclaims all liability for stolen passwords: of course.)
>
> System passwords. (My job if these are stolen.)
>
> However, now all PDAs have wifi, bluetooth, USB ports, and IrDA, and I evaluate these devices on what they are capable of, not what the software allows for (Paris Hilton having all of her phone numbers stolen). So, when I saw that the pocket PC came with Internet Explorer I overflowed my joy buffer. Storing my passwords on a device that is capable of silently sending out information without any detection (and runs IE) isn't that great.
>
> All of my passwords are gobbledygook that I have a hard time remembering, for example: C:j2Tc3K9#@ would be a sample password. And I use the same method for those questions: Where were you born? "I was born in (c1)32CSF}"
>
> The only thing I can think of is to store my passwords in a pocket PC in "PasswordSafe: http://www.schneier.com/passsafe.html" with an additional mnemonic password encoding.
>
> So that C:j2Tc3K9#@ would be stuck with the following rules:
>
> Every 3rd character has its ordinal value incremented by one.
>
> C:j2Tc3K9#@ would be C:i2Td3K0#@
>
> Now, if you have read this far, I'm sure most of you think I need to be sent to the funny farm. But what hacks have I seen/heard about in the last 3 months?
>
> 1. IE: all passwords can be stolen.
> 2. Adobe: buffer overflow allows arbitrary code to run.
> 3. DNS: hack.
> 4. That neat trick on how to extract memory on a computer after it has been turned off. (That was really cool.)
>
> And financial companies push the liability for stolen passwords on to the user.


Adam Masri     masri at nolex.com
President      www.nolex.com
Nolex
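The "every 3rd character" mnemonic encoding described in the quoted post, as an added example (not code from either poster or from PasswordSafe). It follows the rule as worded, incrementing the code point of every third character, and adds a decode function so the stored value can be mapped back to the real password. Two assumptions: the increment wraps within printable ASCII (0x21 to 0x7E) so that a character such as `~` never becomes a non-printable, and the rule is read literally, which is why the output for `C:j2Tc3K9#@` differs from the post's own `C:i2Td3K0#@`.

```python
# Added example: reversible "every Nth character" transform on a stored password.
# Assumption: increments wrap inside the printable ASCII range so the result
# is always typeable; this is not how the quoted post's own example behaves.

PRINTABLE_LO = 0x21  # '!'
PRINTABLE_HI = 0x7E  # '~'
PRINTABLE_SPAN = PRINTABLE_HI - PRINTABLE_LO + 1  # 94 characters


def _shift(ch: str, delta: int) -> str:
    """Shift one printable ASCII character by delta, wrapping within the range."""
    code = ord(ch)
    if not PRINTABLE_LO <= code <= PRINTABLE_HI:
        raise ValueError(f"non-printable or non-ASCII character: {ch!r}")
    return chr(PRINTABLE_LO + (code - PRINTABLE_LO + delta) % PRINTABLE_SPAN)


def encode_every_nth(password: str, step: int = 3) -> str:
    """Return the value to store: every step-th character (1-indexed) moved up by one."""
    return "".join(
        _shift(ch, +1) if i % step == 0 else ch
        for i, ch in enumerate(password, start=1)
    )


def decode_every_nth(stored: str, step: int = 3) -> str:
    """Recover the real password from a stored value produced by encode_every_nth."""
    return "".join(
        _shift(ch, -1) if i % step == 0 else ch
        for i, ch in enumerate(stored, start=1)
    )


def roundtrip_ok(password: str, step: int = 3) -> bool:
    """Check that decoding the encoded form gives the original back."""
    return decode_every_nth(encode_every_nth(password, step), step) == password


if __name__ == "__main__":
    sample = "C:j2Tc3K9#@"  # the sample password from the quoted post
    print(encode_every_nth(sample))   # C:k2Td3K:#@ under the literal rule
    print(roundtrip_ok(sample))
```

The transform is deterministic and trivially reversible, so its only value is that a dump of the password store does not hand over the real strings; anyone who learns the rule recovers them immediately. It is a layer on top of an encrypted store such as PasswordSafe, not a substitute for one.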
