[TriLUG] Password management software

Paul McLanahan pmclanahan at gmail.com
Wed Aug 6 18:33:24 EDT 2008


On Wed, Aug 6, 2008 at 3:44 PM, Alan Porter <porter at trilug.org> wrote:
> Just email your passwords to me... it's OK, you can use my
> PGP key if you'd like.  When you need them, just email or
> call, and I'll send them back to you.
>
> Gotta go... the bank closes in a few minutes...

I'll go ahead and send you my credit report too... easier that way ;)

All kidding aside though... Is it a horrible idea? The passwds db is
stored as an AES encrypted pack. After you log in to the site w/ a
normal UN and PW combo, the encrypted pack (hence the name) is
transferred to your browser over SSL. After it arrives, a client side
implementation of the AES algorithm decrypts your pack after you give
it your encryption key. They never send your key across the wire. Are
you saying that AES encrypted files transferred over SSL isn't enough?
At the very least it isn't the low-hanging fruit, which is (in theory)
all encryption can ever really get you. Or are you saying that storing
passwords on computers is bad?

If you wanted to be really paranoid you could use KeePass and store
the database in a Hidden TrueCrypt volume in a normal TrueCrypt volume
on a USB Drive (The hidden volume is there in case you're coerced into
giving up your main volume key. http://www.truecrypt.org/). But that
seems less than convenient.

Paul
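
The flow described in the message above (an encrypted pack is downloaded and decrypted in the browser with a key that is never sent), as an added example that is not part of the original post and not the service's own code. PBKDF2 key derivation, AES-GCM, the iteration count and all function names are assumptions; the post specifies only AES.

```javascript
// WebCrypto: global in browsers and recent Node, with a fallback for older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

// Derive a 256-bit AES key from the pack passphrase. Runs on the client only.
// Assumption: PBKDF2-SHA256 with 200000 iterations (the post names no KDF).
async function deriveKey(passphrase, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 200000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Client side: encrypt the password list. Only the returned object is uploaded;
// it holds salt, IV and ciphertext, never the passphrase or the derived key.
async function sealPack(passphrase, entries) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(passphrase, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(JSON.stringify(entries)));
  return { salt, iv, ct: new Uint8Array(ct) };
}

// Client side: decrypt a downloaded pack.
// Returns null when the passphrase is wrong or the pack was modified.
async function openPack(passphrase, pack) {
  const key = await deriveKey(passphrase, pack.salt);
  try {
    const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: pack.iv }, key, pack.ct);
    return JSON.parse(dec.decode(pt));
  } catch { return null; }
}

// Constructed sample data: right key, wrong key, and a pack altered in storage.
async function demo() {
  const entries = [{ site: 'example.org', user: 'paul', password: 'constructed-sample' }];
  const pack = await sealPack('pack passphrase', entries);
  const tampered = { ...pack, ct: pack.ct.slice() };
  tampered.ct[0] ^= 1; // flip one bit of the stored ciphertext
  return {
    right: await openPack('pack passphrase', pack),
    wrong: await openPack('site login password', pack),
    tampered: await openPack('pack passphrase', tampered),
  };
}
demo().then((r) => console.log(r));
```

The site login password and the pack passphrase are separate secrets here, so a party holding only the stored pack and the login credentials still cannot open it.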


