RE: Security of Password-Managers

From: Vertical Rave (verticalrave@hotmail.com)
Date: 05/11/02


From: "Vertical Rave" <verticalrave@hotmail.com>
To: security-basics@securityfocus.com
Date: Sat, 11 May 2002 03:11:11 +0000

Another way that you could keep yourself secure is to group passwords into
certain databases, with a specific separate password for each. That way if
one password was compromised, you would still have at least another set to
be compromised before you took action.

Personally, I don't like to keep everything in one database, it may seem
like a good thing to do, but unless I come up with the largest password on
Earth to protect it, and the biggest and baddest cipher then it's not going
to be possible for me :)

My two cents.
If you're looking for a good cipher, go with anything that is 128 bits or
above. 1024 should be hard to crack security. If you're offered DES, dump
that and go with Triple DES.
Verty
verticalrave@hotmail.com
You're not alone. I'm 16. I started working on computers at 7 before the
internet was large, so I don't have that opportunity that you did. :)
SSNet/FreeLinuxCD Administrator

>From: "Sullivan, Glenn" <GSullivan@DavidClark.com>
>To: 'Adam Shephard' <adams@firstfederalbanking.com>, "'Jonas V.'"
><jonas-v@gmx.net>, security-basics@securityfocus.com
>Subject: RE: Security of Password-Managers
>Date: Thu, 9 May 2002 15:23:18 -0400
>
>To "kick it up a notch" (bam!) I have borrowed from a suggestion on one of
>the security mailing lists:
>
>I have a password manager program (can't remember the name right now... it
>is for reference only, in case I get hit by a bus or get amnesia) but I keep
>two copies of the database on USB Memory Sticks. One copy is attached to my
>keys, which are janitor-chained to my belt, and another copy is in the vault
>with the rest of the critical info.
>
>Glenn Sullivan, MCSE+I MCDBA
>David Clark Company Inc.
>
>
>-----Original Message-----
>From: Adam Shephard [mailto:adams@firstfederalbanking.com]
>Sent: Wednesday, May 08, 2002 5:47 PM
>To: 'Jonas V.'; security-basics@securityfocus.com
>Subject: RE: Security of Password-Managers
>
>
>Jonas,
>
>I've only read a bit about Oubliette in the past but it sounded like the
>encryption provided there was not bad - Blowfish, if I remember correctly.
>However, anytime anybody can get to all your passwords by cracking one of
>them you lose a certain amount of security.
>
>Basically, you have to balance what you want to protect against how much
>work you need to do to protect it. If it's something that should be highly
>secure, I wouldn't use a password manager at all.
>
>By the way, your English is fine. Considering that you are 12 and you have
>some basic knowledge of the concepts of password security and there are many
>English-speaking, network-managing adults who aren't even aware that you
>shouldn't install IIS if you don't need to serve web pages, you can speak
>any way you want!
>
>Adam
>
>-----Original Message-----
>From: Jonas V. [mailto:jonas-v@gmx.net]
>Sent: Tuesday, May 07, 2002 11:37 AM
>To: security-basics@securityfocus.com
>Subject: Security of Password-Managers
>
>
>Hello!!
>
>I want to use a password-manager like "Oubliette".
>Is this very insecure?
>I can choose a very hard master-password with more than 96 bits length.
>What encryption-algorithm and key-length use a program like this?
>
>Thanks for everything!
>
>Jonas Vondran <jonas-v@gmx.net>
>
>Please don't laugh about my English!
>I'm German and 12 years old.
>
