Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Recently one of my mobile devices was stolen and I have had to reset quite a few passwords on various accounts. That's why I thought that it was perhaps time for implementing a new password scheme.
Up until now I have been using a system where I have a certain number of pre-defined passwords (for the most part random number/letter/sign-combinations) that I have memorized. When registering a new account I would pick out a random password from this list. This means fewer passwords to remember, but also that some of them are used for several accounts.
I am wondering if the following system is more secure:
* there are a number of sites I frequent every day, these will be protected by passwords I remember at any given time; each password is unique for each account
* all other passwords are random with varying length
* all of the passwords are stored in a bcrypt-encrypted file (blowfish 448-bit)
* none of the passwords are stored by any browser
The quirky part here is that while not stored unencrypted on my linux box, some of the passwords are stored on my mobile devices. I do understand that this somewhat undermines the whole scheme, but in certain cases I cannot disable this and in most other I wouldn't really want to.
My main question is - even with passwords stored on a mobile device, will my new password system be better than my previous one? If so, is it worth to go through all the trouble implementing it, or are trade-offs too slim? Also, how much additional protection does the randomization of all other passwords than most frequently used confer in this scheme?
Thanks in advance!
All input and commentary is kindly appreciated!
I use KeePassX for my password safe. http://www.keepassx.org/
It is cross platform compatible so I can use KeePass on my windows machine at work and KeePassDroid for my android phone.
I store the encrypted database file in a dropbox folder that is synced between all of my devices. Any changes or additions I make to my database is thus made when the file is accessed from any platform.
I use a very easy to remember, but extremely secure 29 character passphrase to open it.
I simply picked a sentence and a year and combined them.
For instance the passphrase could be generated from the phrase "I graduated high school in 1987" , and my password would be "Igraduated1high9school8in7", or something along those lines.
Very secure, and the least painful for me.
Hope this helps.
And I use "Password Safe," which also has a handy free iPhone app available ("PasswordSafes").
This is also a good place to use "ssh agent," known in Windows circles as "Putty agent" or simply "pageant." This is a daemon that runs on your local account and that supplies passwords. (A very nice feature of Macintosh OS/X is that their agent integrates with your "Keychain," which is an encrypted store provided by the operating system.)
For SSH, I invariably use digital certificates which are encrypted using passwords, which are in turn supplied by the agent so that I only have to remember one master password (the one which unlocks the encrypted password store, which automatically re-locks itself after two minutes). The SSH daemons are configured so that they won't accept passwords.
For the passwords or encryption-keys themselves, I use randomly-generated passwords ... another nice service of tools like Password Safe and its brethren.
For very large-scale deployments involving many servers, the use a centralized authentication authority, such as the ubiquitous LDAP (nee Microsoft Open Directory), or the somewhat-older Kerberos, becomes a pragmatic necessity.
Ironically, the most secure arrangements are also most convenient for their authorized users. If you find yourself using words like, "effort," then it probably isn't the most secure.
@sundialsvcs: Wow, this sounds like a phenominal idea! I have looked around and found that I prefer the pwSafe app - which is both for iPad and iPhone. It also (apparently) supports syncing the encrypted DB file to/from dropbox which means that passwords are synced across devices and computers...
But I do have one question: There is a beta version of Password Safe for Linux; is it my best option, or are there any third-party programs that are better for Linux?