I'm really not hot for this kind of software. While it is admittedly better than just having one password for all your services, it's still really bad. The former is really heinous as any of your services getting compromised results in a total compromise of all your services, but the latter is still bad as the compromising of this one particular environment will result in total compromise. Better to have your exclusive common password storage area be your brain, so that the only way it can be "cracked" is with a blow torch and a pair of pliers by a really callous person.

If you are going to use something like Password Safe, at least make sure that you do it on a machine where you and only you have superuser privileges. On any other machine it is a potentially dangerously irresponsible assumption to make that the tty/keyboard/whatever is not being snooped. This also logically entails that it is a bad idea to ssh from machine to machine to machine, unless you are the exclusive super user on each hop along the way. Instead, always connect directly to the machine on which you want to work so that the only one capable of seeing your cleartext password is the system actually validating your credentials.

Admittedly, having to maintain a different password for each of many services can be difficult, but there is a way to generate very strong passwords that aren't difficult to remember. Pick a good, long sentence from a book, and then use the first letter from each word as your password. Thus, my last sentence would become the password paglsfabatutflfewayp. The English language is sufficiently noisy and random that this generates strong, virtually unguessable passwords (it also helps that you can't grep dead trees), but even if you forget your password, you could ostensibly go and retrieve it just by remembering the page of the book from which you created it. Just don't make it the first sentence on the first page of the book that you go around propounding as your favorite book ever. :-)


In reply to Re: Re: Security: Technology vs Social Engineering by skyknight
in thread Security: Technology vs Social Engineering by chunlou
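The first-letter derivation described in the post above, written out as a small added example (not part of the original post or of any PerlMonks code). It strips punctuation, treats apostrophes as part of a word, lowercases the result as the post's own example does, and reproduces that example's output. The minimum length of 16 characters in the sanity check is an assumption added here, not something the post specifies.

```python
import re

# One word = a run of letters/digits, optionally continued by an apostrophe part
# ("don't" -> one word, "good," -> "good"). Constructed for this example.
_WORD_RE = re.compile(r"[A-Za-z0-9]+(?:'[A-Za-z]+)*")


def words_of(sentence: str) -> list:
    """Return the words of the sentence with punctuation removed."""
    return _WORD_RE.findall(sentence)


def first_letter_password(sentence: str, keep_case: bool = False) -> str:
    """Derive a password from the first character of each word in the sentence.

    keep_case=False matches the post, which lowercases everything; set it to
    True if you want capitalised words to contribute upper-case characters.
    """
    chars = [w[0] for w in words_of(sentence)]
    return "".join(chars) if keep_case else "".join(chars).lower()


def is_usable(password: str, min_len: int = 16) -> bool:
    """Sanity check on a derived password.

    Rejects results that are too short (min_len is an assumed threshold) or that
    collapse to a single repeated character, which a short or alliterative
    sentence can produce.
    """
    return len(password) >= min_len and len(set(password)) > 1


if __name__ == "__main__":
    sentence = ("Pick a good, long sentence from a book, and then use the "
                "first letter from each word as your password.")
    pw = first_letter_password(sentence)
    print(pw, "usable" if is_usable(pw) else "too weak")
```

Running the block prints `paglsfabatutflfewayp usable`, the same value the post gives for its own sentence; a short sentence such as "Pick a book." is rejected by `is_usable`.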
