Re: Re: Security: Technology vs Social Engineering
by skyknight (Hermit) on Jul 23, 2003 at 13:09 UTC
I'm really not hot for this kind of software. While it is admittedly better than just having one password for all your services, it's still really bad. The former is really heinous as any of your services getting compromised results in a total compromise of all your services, but the latter is still bad as the compromising of this one particular environment will result in total compromise. Better to have your exclusive common password storage area be your brain, so that the only way it can be "cracked" is with a blow torch and a pair of pliers by a really callous person.
If you are going to use something like Password Safe, at least make sure that you do it on a machine where you and only you have superuser privileges. On any other machine it is a potentially dangerously irresponsible assumption to make that the tty/keyboard/whatever is not being snooped. This also logically entails that it is a bad idea to ssh from machine to machine to machine, unless you are the exclusive super user on each hop along the way. Instead, always connect directly to the machine on which you want to work so that the only one capable of seeing your cleartext password is the system actually validating your credentials.
Admittedly, having to maintain a different password for each of many services can be difficult, but there is a way to generate very strong passwords that aren't difficult to remember. Pick a good, long sentence from a book, and then use the first letter from each word as your password. Thus, my last sentence would become the password paglsfabatutflfewayp. The English language is sufficiently noisy and random that this generates strong, virtually unguessable passwords (it also helps that you can't grep dead trees), but even if you forget your password, you could ostensibly go and retrieve it just by remembering the page of the book from which you created it. Just don't make it the first sentence on the first page of the book that you go around propounding as your favorite book ever. :-)
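The sentence-to-acronym scheme from the post above, as an added example that is not part of the original thread. The only input taken from the post is its own example sentence; the word limit, the case option and the bits-per-character estimate are assumptions made here for the sake of a usable check.

```python
import re

# Rough working estimate (assumption, not a measured value): first letters of
# English words are heavily skewed toward a few letters (t, a, s, o, i, ...),
# so each acronym character carries well under the log2(26) ~ 4.7 bits a
# uniformly random letter would.
BITS_PER_ACRONYM_CHAR = 4.2


def acronym_password(sentence: str, min_words: int = 12, keep_case: bool = False) -> str:
    """Turn a memorised sentence into a password by taking the first letter of
    each word, as the post describes.  Punctuation is dropped so the result is
    reproducible from the same book page; letters are lower-cased unless
    keep_case is set.  Sentences shorter than min_words are refused because
    the scheme's strength comes entirely from length."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", sentence)
    if len(words) < min_words:
        raise ValueError(f"sentence has {len(words)} words; need at least {min_words}")
    letters = "".join(w[0] for w in words)
    return letters if keep_case else letters.lower()


def estimated_bits(password: str) -> float:
    """Crude strength estimate for an acronym password, using the assumed
    per-character figure above (not a property of any real cracker)."""
    return len(password) * BITS_PER_ACRONYM_CHAR


# The post's own example sentence, reproduced here as the sample input.
POST_SENTENCE = ("Pick a good, long sentence from a book, and then use the "
                 "first letter from each word as your password.")

if __name__ == "__main__":
    pw = acronym_password(POST_SENTENCE)
    print(pw, len(pw), "chars, ~%.0f bits (estimate)" % estimated_bits(pw))
```

Running it on the post's sentence reproduces the password given there, paglsfabatutflfewayp; a twenty-character acronym lands around 84 bits under the assumed per-character figure, which is why the post insists on a long sentence rather than a short one.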
There are similar programs available for PDAs, which I vastly prefer to keeping it on one computer. Not just because I have near-complete control over physical access to my PDA, but also because I have to move from various systems throughout the day, and need something that can be kept with me.
---- I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer
Note: All code is untested, unless otherwise stated
A PDA is definitely a safer way to go. If it ever gets "hijacked" in any way, you're probably not going to ever see it again, so snooping software is not a big concern. On the other hand, simply using the Password Safe program at all renders you vulnerable to a known ciphertext attack. I don't know anything about the particulars of the algorithms it employs, so I can't comment in any greater detail. Even your setup would still make me a little worried, but I'm way more paranoid than most people, though not for any particularly good reason.
I actually like to use my PDA to carry around a list of SSH key fingerprints, so I can verify, when SSHing into a machine for the first time, that I'm not having the connection hijacked via a packet rewriting attack. Of course, I'm hardly ever on a computer where a key isn't already cached, as I refuse to type in passwords at other people's computers. Typically the need only arises when I build a new machine, or rebuild a machine from scratch, wiping out the list of cached host keys.
The only effective attack against my fingerprint storage and verification mechanism would be to generate "fuzzy" fingerprinted keys, i.e. ones that had fingerprints very close to mine, put those on a machine, and not only hijack my connection with packet rewriting on some router, but also to momentarily steal my PDA from my pocket and rewrite the file that holds the fingerprints. This seems ridiculously implausible, even by my standards. :-p
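The fingerprint check described in the two posts above, written out as an added example that is not code from the thread or from OpenSSH. It parses an OpenSSH public-key line, computes the fingerprint in both the modern SHA256 form and the colon-separated MD5 form that clients of the period printed, and compares against a stored list the way the poster's PDA file would be used. The host names, the trusted list and the key bytes are all constructed here (the "key" is not a real RSA key); the blob layout check relies only on the fact that OpenSSH key blobs begin with the length-prefixed key-type string.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample material: NOT a real host key.  The bytes merely follow
# the OpenSSH blob layout (a 4-byte big-endian length, then the key-type
# string) so the parser and fingerprint functions have realistic input.
_FAKE_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"constructed, not a real RSA key; " * 4
SAMPLE_KEY_LINE = ("ssh-rsa " + base64.b64encode(_FAKE_BLOB).decode()
                   + " root@files.example.internal")
# The same blob with one bit flipped: a "near miss" that must not verify.
_TAMPERED_BLOB = _FAKE_BLOB[:-1] + bytes([_FAKE_BLOB[-1] ^ 0x01])
TAMPERED_KEY_LINE = "ssh-rsa " + base64.b64encode(_TAMPERED_BLOB).decode()


def parse_pubkey_line(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH public-key line
    ('<type> <base64-blob> [comment]').  The blob must really start with the
    declared key type, which every OpenSSH key blob does."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key blob does not match declared type %r" % key_type)
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH form: 'SHA256:' followed by the unpadded base64 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex form (what 2003-era clients displayed;
    modern ssh-keygen -E md5 prints it with the 'MD5:' prefix used here)."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


# Hypothetical trusted list: the sort of file the poster keeps on the PDA.
TRUSTED_FINGERPRINTS = {
    "files.example.internal": fingerprint_sha256(_FAKE_BLOB),
}


def verify_host(host: str, key_line: str, trusted: dict) -> bool:
    """True only if the key offered for `host` has exactly the stored fingerprint.
    Unknown hosts are refused rather than trusted on first contact, malformed
    key lines are refused, and the comparison is whole-string equality, so a
    fingerprint that is merely 'close' (the fuzzy-fingerprint worry in the
    post) never passes.  compare_digest keeps the check constant-time."""
    expected = trusted.get(host)
    if expected is None:
        return False
    try:
        actual = fingerprint_sha256(parse_pubkey_line(key_line))
    except ValueError:
        return False
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    blob = parse_pubkey_line(SAMPLE_KEY_LINE)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    print("genuine key verifies:", verify_host("files.example.internal", SAMPLE_KEY_LINE, TRUSTED_FINGERPRINTS))
    print("one-bit-different key verifies:", verify_host("files.example.internal", TAMPERED_KEY_LINE, TRUSTED_FINGERPRINTS))
```

Two design points follow the posts directly: the list is keyed by host so a fingerprint copied from one machine cannot be presented for another, and a host with no stored entry fails closed instead of being accepted on first use, which is exactly the case (a freshly rebuilt machine with an empty known_hosts) the poster carries the list for.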
This is a common discussion at work... No security system is completely error-proof, or has holes in it. It's a matter of where you want to be able to have trust. If you trust your computer and your file system, then it's reasonable to have an encrypted file to store passwords, especially with a relatively strong encryption method such as blowfish. If you *don't* trust your hardware, then methods that you have suggested work better, though storing passwords with a strong password still provides some stability. (Even then, you do change your passwords every other week right? ...)
----
Zak
Pluralitas non est ponenda sine necessitate - mysql's philosophy
It's a matter of keeping proper perspective. There is no such thing as perfect security, just different levels of diligence. Even though I am incredibly diligent with my security practices, I am still vulnerable.
Someone could conceivably tamper with my desktop machine at work while I was home for the evening. They could take out the hard drive, attach it to another computer, read its contents, write stuff to its file system, install a keyboard tracer internal to the case so I wouldn't notice it, etc. Of course, this would be an extraordinarily high risk operation for very little reward, and thus it isn't in anyone's interest to try said shenanigans.
A much more likely attack would be to install software on it were I to let someone sit down at my login prompt and bang away, either intentionally without properly monitoring what they were doing, or accidentally by having someone sneak a session at my desk. Simply locking my workstation when I am away from it takes care of this. Had I missile codes on my machine, more security regarding my hardware would be in order, but as it stands the best someone could do with a password hijacking would be to steal a few thousand dollars from me, or deface my web site, neither of which is worth the kind of resources it would take to pull off such an operation.
Re: Re: Security: Technology vs Social Engineering
by chanio (Priest) on Jul 24, 2003 at 04:32 UTC
Argh, java! (couldn't resist)... otherwise cool.
----
Zak
Pluralitas non est ponenda sine necessitate - mysql's philosophy
Re^2: Security: Technology vs Social Engineering
by Aristotle (Chancellor) on Jul 26, 2003 at 19:47 UTC