[ale] OT - New encryption technology using a piece of paper
Michael H. Warfield
mhw at WittsEnd.com
Sat Sep 3 20:02:18 EDT 2011
On Sat, 2011-09-03 at 19:33 -0400, David Tomaschik wrote:
> On 09/03/2011 06:35 PM, Michael H. Warfield wrote:
> > All,
> >
> > I'm sorry, but I'm going to top post on this one... This will be a bit
> > of a rant (and long) but mild for me and I'll keep the math level
> > reasonable...
> > <cut>
> >
> > I do eat my own dog food. I really do use systems like these. They
> > work. They work well. Just pisses me off when I have to change one for
> > no bloody good reason.
> >
> >
> > Regards,
> > Mike
> Mike,
> Good response. Reminds me that it's about time for me to change my
> passwords. (As much as I hate password change requirements, I can't
> trust most websites to not have lost hashes at some point.)
> I understand you have an incredible memory (wish I did) but is it good
> enough for all your passwords, or do you store them somewhere? If so,
> what do you use to store them?
Is my memory good enough? Oh, hell no. Not even close. Seriously?
Not a prayer. I wouldn't even pretend.
My best guess is that I have well over a few thousand passwords
scattered across various sites, services, and protocols. Passwords like
my mailman passwords, I could care less if they are hardened crypto.
Things like my PGP keys, LUKS keys, IPsec keys - exact opposite (and
those I DO remember). It's almost ironic that the super high security,
really strong, passwords, I have committed to memory but they are few,
while the ankle biter passwords like web sites, I don't even try and
just store them in a password safe. At that, I have something like 20
populated categories, all with passwords under them, in my password
safe.
> I currently use KeePassX, and my only complaint is that it has no
> browser integration (though that might be a good thing, depending on
> the attack scenario).
Oh! Well I mentioned it but only in terms of its password generation
and strength checking. I use Revelation. I know there's been some
grousing from some really good people (developers) about how well they
seed the AES encryption they use to encrypt the database but I still
find that Revelation is better than most of the others and it's got
several different supported types including a "web site" type that will
integrate with the browser. I have very few complaints with it (one
being it doesn't give me a "strength" option when I generate a password
and another that it doesn't directly support an OPIE calculator). Now
the password to THAT thing IS one of the $#@$#@%! strong passwords that
I have committed to memory. It also has some reasonable import/export
capability (which is why I chose it). I saw some password package for
Android where the author even wrote an export plugin for Revelation that
would create a file he could import. Use with caution but Revelation is
nice. I worry about it even less simply because it resides on a LUKS
encrypted partition so, when the machine's off, Revelation may be the
"keys" to the kingdom, so to speak, but they have bigger problems to
solve first. :-)
> --
> David Tomaschik, RHCE, LPIC-1
> System Administrator/Open Source Advocate
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!