Re: Are there any pocketable Hardware Password Vaults

From: Atom Smasher (atom_at_smasher.org)
Date: 11/26/05

    Date: Sat, 26 Nov 2005 14:47:08 -0500 (EST)
    To: security-basics@securityfocus.com
    
    

    On Thu, 10 Nov 2005, felix.oxley@gmail.com wrote:

    > You could use your mobile phone.
    >
    > 1. It is protected by a PIN number
    > 2. It could run a java encryption app to provide additional security.
    > 3. It is always with you.
    > 4. It can be accessed from your PC via Bluetooth or USB.
    =====================

    call me paranoid, but i see #4 as a liability, not an asset. i do NOT
    store "sensitive" information on anything with a wireless transceiver
    built in to it... remember paris hilton's address book? i wouldn't cry if
    my address book was lifted from my phone, but my paypal password...

    regarding #1, a 4 digit PIN is *not* cryptographically secure. even if it
    did encrypt data (which it doesn't) instead of just "locking" it.
    unlocking data may take a few seconds; brute forcing a 4 digit PIN
    wouldn't take much longer.

    on my palm pilot (with IR link disabled) i run STRIP
    <http://zetetic.net/solutions/strip/>. among other features, it's the best
    real-world OTP calculator i've ever used.

    more stuff here - http://www.palmopensource.com/index.php3?category=31

    -- 
             ...atom
      _________________________________________
      PGP key - http://atom.smasher.org/pgp.txt
      762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
      -------------------------------------------------
     	Bob Woodward:
     		"How do you think history will regard the war in Iraq?"
     	George "dubya" Bush:
     		"It won't matter. We'll all be dead."
    
