Re: Security of Password-Managers

From: Paul Hosking (phosking@networkcountermeasures.com)
Date: 05/15/02


From: Paul Hosking <phosking@networkcountermeasures.com>
To: "Jonas V." <jonas-v@gmx.net>
Date: 15 May 2002 04:22:43 -0500

On Sun, 2002-05-12 at 07:27, Jonas V. wrote:

> But I will never use that disk.
> I'll write the passwords on a simple piece of paper.
> No remote cracker can find my passwords (if he doesn't use trojans,
> sniffing, spoofing..., but I've got firewall and IDS)
> When I lose the piece of paper, I've got the disk.

A backup disk is a great idea. I always lose my pieces of paper
(unless I remember to stick it in my wallet).

Of course - now your piece of paper becomes a single point of failure.
If someone finds the lost paper (or reads it while sitting on the desk
next to your keyboard), those accounts are probably compromised. You
might want to consider the following idea.

One of the groups I worked with publishes a monthly wallet-sized
password cheat sheet for privileged accounts (root, admin, etc) they
work with. A typical entry would look like:

kerberos1: x56u@P

The sheets were physically handed to each member of the group along
with a verbal secret called "the cookie". The cookie was an identifier
within the password that would be used to alter it. In our example the
cookie could be the '@' and the modifier could be '17'. So then the
real password would be 'x56u@17P'. The cookie would show up at
different locations within each password listed. And the cookie would
not be the only duplicate character in each password.

The method is far from completely secure. But it is easy to remember
and less likely to be attacked by cryptanalysis (which could unearth
methods like simple substitution, ROT, or place-swapping, etc). It also
falls (very) roughly in line with a general rule of thumb for secure
identification systems:

A secure system should include at least 2 of 3 items:

1) Something you have (ie: a key or smartcard)
2) Something you know (ie: a PIN or password)
3) Something you are (ie: biometrics - fingerprint, cornea scan, etc)

Anyway... that is starting to get away from the original topic.
 
> "Bitte ein Bit" is an advertisement phrase for a beer with the name "Bitburger".

Indeed it is! I used to live 20 minutes outside of Bitburg. There was
not a gasthaus in the area that didn't have the Bitburger logo and Simon
on its sign.

-- 

.: Paul Hosking . phosking@networkcountermeasures.com .: InfoSec

.: PGP KeyID: 0x42F93AE9 .: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9
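The cookie-and-modifier scheme described in the mail above, as an added Python example (not code from the original thread). The sheet contents, the helper names, and the assumption that the cookie character appears exactly once in each printed entry are mine; the search-space estimate is the defender's rough count of what someone holding only the lost sheet would have to try.

```python
# Worked example of the "cookie" scheme: the printed sheet shows
# 'kerberos1: x56u@P', the verbally shared cookie is '@' and the
# modifier is '17', so the real password is 'x56u@17P'.

# Constructed sample sheet (two fictional entries, not real accounts).
SAMPLE_SHEET = """
# host: printed password
kerberos1: x56u@P
fileserv: Qa@9m2
"""


def derive_password(printed: str, cookie: str, modifier: str) -> str:
    """Insert the modifier right after the cookie character.

    Assumption: the cookie occurs exactly once in the printed string;
    anything else is treated as a mis-printed sheet rather than guessed at.
    """
    if printed.count(cookie) != 1:
        raise ValueError(f"cookie {cookie!r} must occur exactly once in {printed!r}")
    cut = printed.index(cookie) + len(cookie)
    return printed[:cut] + modifier + printed[cut:]


def parse_sheet(text: str) -> dict:
    """Parse 'host: printed-password' lines; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, printed = line.partition(":")
        entries[host.strip()] = printed.strip()
    return entries


def real_passwords(sheet_text: str, cookie: str, modifier: str) -> dict:
    """Map every host on the sheet to its real (cookie-expanded) password."""
    return {h: derive_password(p, cookie, modifier)
            for h, p in parse_sheet(sheet_text).items()}


def finder_search_space(printed: str, modifier_alphabet: int, modifier_len: int) -> int:
    """Rough number of candidates a person holding only the sheet must try:
    one insertion point per printed character times every modifier string
    of the given length. This is what 'far from completely secure' means
    in numbers; a two-digit modifier on a 6-character entry is 600 tries."""
    return len(printed) * modifier_alphabet ** modifier_len


if __name__ == "__main__":
    for host, pw in real_passwords(SAMPLE_SHEET, "@", "17").items():
        print(host, pw)
    print("candidates for a finder:", finder_search_space("x56u@P", 10, 2))
```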