[OT] Re: Tango heap is dangerous

Chad J gamerchad at __spam.is.bad__gmail.com
Thu Oct 16 19:48:10 PDT 2008


BCS wrote:
> Reply to Walter,
> 
>> BCS wrote:
>>
>>> Reply to Walter,
>>>
>>>> There are a lot of sites I would post to, but don't, because I
>>>> just tire of the registration process, wait for the email, respond
>>>> to
>>>> the email, complete the registration, come up with a nick/password I
>>>> haven't used elsewhere, try to remember that nick/password, relogin
>>>> every time I wipe my cookies, etc. Bah.
>>> I use Password Gorilla to keep track of my passwords and use uuidgen
>>> to make them. Using GUIDs is a bit hard to remember but I figure they
>>> will be even harder to crack!
>>>
>>> http://www.fpx.de/fp/Software/Gorilla/
>>>
>> I don't use things like that because then all my passwords are
>> compromised if I just lose that one password. If I use different
>> nicks/passwords for every account, there is no vector from one to the
>> next. Each can only be compromised independently.
>>
> 
> The only copy of the password archive is on my own system. If they can 
> get to that, then they can get to my browser's password cache so it's no 
> worse than that. It's better because I can move it easier when I rebuild 
> my system.
> 
> 

USB Flash drives are REALLY useful for this.
They are (1) seldom connected to the internet or any network and (2) 
easy to back up (just buy a few and occasionally copy the contents).

This way if someone compromises my computer, they will have to be 
waiting for me to access my passwords before they even have a chance at 
it.  And that's if they even recognize what I am doing.  I suppose 
keyloggers are a threat here, but if you get successfully keylogged, 
well, you're done anyways.  (And you get to laugh if the keylogger 
forgets to listen for copy-paste events.)

The other way someone could obtain my passwords is to physically steal 
them from me.  This might be problematic if I am careless and leave a 
flash drive somewhere (yeah, happened once, no theft though afaik), 
which is why I encrypt the passwords with a master password.  If that's 
too weak, I believe there are solutions that provide plausible 
deniability.  Throw a bunch of music/anime/whatever on the drive and 
voila, no one would suspect a thing.  Also, important passwords like 
bank accounts and such can be changed in such a situation.

I often have stupidly long passwords with strange characters in them and 
the such.

It'd be interesting if anyone can find other flaws in this setup.  I've 
yet to hear of anyone else doing this, oddly enough.

Works well for flash drives:
http://keepass.info/

- Chad


More information about the Digitalmars-d-announce mailing list