Old 07-11-2011, 01:45 PM   #1
Registered: Jul 2004
Distribution: Arch, Debian sid, Kubuntu, Slackware 11
Posts: 324

Rep: Reputation: 30
Is this password scheme worth the effort?

Hello good people!

Recently one of my mobile devices was stolen and I have had to reset quite a few passwords on various accounts. That's why I thought that it was perhaps time for implementing a new password scheme.

Up until now I have been using a system where I have a certain number of pre-defined passwords (for the most part random number/letter/sign-combinations) that I have memorized. When registering a new account I would pick out a random password from this list. This means fewer passwords to remember, but also that some of them are used for several accounts.

I am wondering if the following system is more secure:
* there are a number of sites I frequent every day, these will be protected by passwords I remember at any given time; each password is unique for each account
* all other passwords are random with varying length
* all of the passwords are stored in a bcrypt-encrypted file (blowfish 448-bit)
* none of the passwords are stored by any browser

The quirky part here is that while not stored unencrypted on my linux box, some of the passwords are stored on my mobile devices. I do understand that this somewhat undermines the whole scheme, but in certain cases I cannot disable this and in most others I wouldn't really want to.

My main question is - even with passwords stored on a mobile device, will my new password system be better than my previous one? If so, is it worth going through all the trouble of implementing it, or are the trade-offs too slim? Also, how much additional protection does the randomization of all passwords other than the most frequently used ones confer in this scheme?

Thanks in advance!
All input and commentary is kindly appreciated!
Old 07-11-2011, 02:16 PM   #2
Registered: Aug 2010
Distribution: Ubuntu 11.10 beta
Posts: 78

Rep: Reputation: 10
I use KeePassX for my password safe.
It is cross platform compatible so I can use KeePass on my windows machine at work and KeePassDroid for my android phone.
I store the encrypted database file in a dropbox folder that is synced between all of my devices. Any changes or additions I make to my database are thus made when the file is accessed from any platform.

I use a very easy to remember, but extremely secure 29 character passphrase to open it.
I simply picked a sentence and a year and combined them.
For instance the passphrase could be generated from the phrase "I graduated high school in 1987", and my password would be "Igraduated1high9school8in7", or something along those lines.

Very secure, and the least painful for me.
Hope this helps.
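
An added example, not code posted by anyone in this thread: it implements the sentence-plus-year transform described in the reply above (the digit placement rule is inferred from the single example given, so it is an assumption) next to the random, variable-length password generation proposed in the opening post, and puts an entropy figure on each. The point for the defender is that a pattern-built passphrase is only as strong as the number of sentences and years the owner might have chosen, not its character length; the sentence and year counts used in the demo are assumed values, not facts about any user.

```python
import math
import secrets
import string

# Constructed input: the sentence used as the example in the reply above.
SAMPLE_SENTENCE = "I graduated high school in 1987"

# Printable ASCII without space: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def interleave_year(sentence: str) -> str:
    """Build a passphrase the way the reply describes: take the trailing year off
    the sentence, run the remaining words together, and place one digit of the
    year after each of the last len(year) words.  The placement rule is inferred
    from the single example in the post (an assumption; the poster did not
    spell it out)."""
    words = sentence.split()
    year = words.pop()
    if not year.isdigit():
        raise ValueError("sentence must end with a year")
    if len(year) > len(words):
        raise ValueError("need at least one word per digit of the year")
    first_digit_after = len(words) - len(year)
    passphrase = "".join(words[:first_digit_after])
    for word, digit in zip(words[first_digit_after:], year):
        passphrase += word + digit
    return passphrase


def random_password(min_len: int = 12, max_len: int = 20) -> str:
    """Uniformly random password of random length, as the opening post proposes
    for the rarely used accounts.  secrets draws from the OS CSPRNG; the random
    module is not suitable for secrets."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def sentence_scheme_bits(candidate_sentences: int, candidate_years: int) -> float:
    """Upper bound on the entropy of the sentence+year scheme.  The passphrase is
    a deterministic function of (sentence, year), so a guesser who knows the
    pattern only has to enumerate those two choices; the length of the result
    does not enter into it.  Both counts are assumptions the caller supplies
    (how many sentences this user would plausibly pick, how many years)."""
    return math.log2(candidate_sentences) + math.log2(candidate_years)


if __name__ == "__main__":
    pw = interleave_year(SAMPLE_SENTENCE)
    print(pw)  # Igraduated1high9school8in7
    # Naive estimate a length-based strength meter would give (letters + digits).
    print(f"length-based estimate:  {random_password_bits(len(pw), 62):.1f} bits")
    # Assumed search space: 1024 plausible sentences, years 1950-2013 (64 values).
    print(f"structure-aware bound:  {sentence_scheme_bits(1024, 64):.1f} bits")
    rnd = random_password()
    print(f"random password, length {len(rnd)}: {random_password_bits(len(rnd)):.1f} bits")
```

Run it as a script to see the two estimates side by side; the gap between them is the reason a memorable pattern is best kept for the one master password that unlocks a store of random ones, rather than reused as the scheme for every account.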

Old 07-14-2011, 09:05 AM   #3
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,684
Blog Entries: 4

Rep: Reputation: 3025
And I use "Password Safe," which also has a handy free iPhone app available ("PasswordSafes").

This is also a good place to use "ssh agent," known in Windows circles as "Putty agent" or simply "pageant." This is a daemon that runs on your local account and that supplies passwords. (A very nice feature of Macintosh OS/X is that their agent integrates with your "Keychain," which is an encrypted store provided by the operating system.)

For SSH, I invariably use digital certificates which are encrypted using passwords, which are in turn supplied by the agent so that I only have to remember one master password (the one which unlocks the encrypted password store, which automatically re-locks itself after two minutes). The SSH daemons are configured so that they won't accept passwords.

For the passwords or encryption-keys themselves, I use randomly-generated passwords ... another nice service of tools like Password Safe and its brethren.

For very large-scale deployments involving many servers, the use of a centralized authentication authority, such as the ubiquitous LDAP (nee Microsoft Open Directory), or the somewhat-older Kerberos, becomes a pragmatic necessity.

Ironically, the most secure arrangements are also most convenient for their authorized users. If you find yourself using words like, "effort," then it probably isn't the most secure.
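
The reply above pairs passphrase-protected keys held by an agent with SSH daemons "configured so that they won't accept passwords". As an added example (not code from this thread, from Password Safe or from OpenSSH), here is a small audit of the sshd side of that arrangement: it reads an sshd_config and reports whether password and keyboard-interactive authentication are effectively off at the global level. The sample configuration is constructed for the demo; the desired values in WANTED are this example's assumption of what "won't accept passwords" means, and the parser follows the documented sshd_config rules (first occurrence of a keyword wins, keywords are case-insensitive, settings after a Match line are conditional).

```python
import re

# Constructed sample sshd_config, not copied from any real host.  It includes a
# later duplicate that sshd ignores and a Match block whose settings are
# conditional, to show how the parser treats both.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# sshd keeps the FIRST value it sees for a keyword, so this line is ignored:
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Desired global values for "the daemon won't accept passwords" (this example's assumption).
WANTED = {
    "passwordauthentication": "no",
    # Pre-8.7 name for keyboard-interactive (PAM-prompted) auth; newer OpenSSH
    # keeps it as an alias of KbdInteractiveAuthentication.
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}

# sshd's compiled-in defaults for the same options, used when the file is silent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword = value"; the lazy \S+? stops at the first separator.
_KEYWORD_VALUE = re.compile(r"^(\S+?)\s*(?:=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict:
    """Return the effective global keyword -> value map of an sshd_config.
    Follows sshd_config(5): keywords are case-insensitive, the first occurrence
    of a keyword wins, '#' starts a comment, and everything from the first Match
    line onward applies only conditionally, so it is left out of the global
    result."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KEYWORD_VALUE.match(line)
        if not m:
            continue  # keyword without a value; nothing to record
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> list:
    """Return one finding per option whose effective value is not the wanted one.
    An empty list means password logins are off globally; Match blocks, which
    can re-enable them for particular users or hosts, still deserve a look."""
    effective = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = effective.get(key, DEFAULTS[key]).lower()
        if actual != wanted:
            findings.append(f"{key} is {actual}, want {wanted}")
    return findings


if __name__ == "__main__":
    import sys
    # With a path argument, audit that file; otherwise audit the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for finding in audit_sshd_config(text) or ["ok: password authentication is disabled"]:
        print(finding)
```

The agent half of the arrangement needs no code: `ssh-keygen` prompts for a passphrase when the key is created, and `ssh-add -t 120 <path to key>` loads it into ssh-agent with a two-minute lifetime, which gives the re-locking behaviour the reply describes for its password store.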
Old 07-14-2011, 05:05 PM   #4
Registered: Jul 2004
Distribution: Arch, Debian sid, Kubuntu, Slackware 11
Posts: 324

Original Poster
Rep: Reputation: 30
Thank you both for your answers!

@sundialsvcs: Wow, this sounds like a phenomenal idea! I have looked around and found that I prefer the pwSafe app - which is both for iPad and iPhone. It also (apparently) supports syncing the encrypted DB file to/from dropbox, which means that passwords are synced across devices and computers...

But I do have one question: There is a beta version of Password Safe for Linux; is it my best option, or are there any third-party programs that are better for Linux?
Old 07-15-2011, 12:13 AM   #5
Registered: Jul 2004
Distribution: Arch, Debian sid, Kubuntu, Slackware 11
Posts: 324

Original Poster
Rep: Reputation: 30
Also: what about the password to your desktop? Do you then use one of your mobile devices to get the password when you turn it on?

