[LINK] How to manage passwords?
Robin Whittle
rw at firstpr.com.au
Wed Aug 11 23:28:44 EST 2004

Thanks Geoff - "USB Memory Stick" is the term. You wrote:

> Have a look at: http://winpt.sourceforge.net/
> which is the windows porting of GnuPG that I use.

This is what I installed. I found it confusing at first, since it
wasn't clear that it included GPG - I thought it was just a user
interface. So don't try installing GPG beforehand - and watch out if
you already have Control Alt D assigned to some other program.


>> Here is my rough plan, without using a PDA. I have GPG installed on one
>> or more of my computers, and have a floppy disk or USB thingo as the
>> primary storage device for a single encrypted text file which contains
>> all the passwords.
>
> Have been using a slight variant (in terms of backup of the master
> GPG-encrypted file and the fact that more than one HIGH-TRUST person has
> access to keys and passphrases) of your plan for over a year. No
> problems yet.

Thanks for this. My plan now is to use an old laptop (a nice Thinkpad
760EL) that is not up for real use with a modern OS, and has just a hard
and floppy drive. I am installing Windows 98 and have no need of
updates, since it will never be connected to the Net. I will use a
small D: partition as the primary place for the encrypted password file,
and will decrypt it there, view and edit it with Code Genie:
http://www.code-genie.com
and back up to multiple floppies as I wrote earlier. After deleting the
plaintext file, I will use this command line program - Secure Delete -
from a batch file, to scrub the unused sectors of D:, which can be made
relatively few by filling the partition up with guff:
http://www.sysinternals.com/ntw2k/source/sdelete.shtml

Thanks Peter for the pointer to Passwordsafe:
http://passwordsafe.sourceforge.net/
https://sourceforge.net/projects/passwordsafe/
It is for Windows 2000 etc. and Windows CE. A Linux (X) version is
MyPasswordsafe:
http://www.semanticgap.com/myps/

Even though it was originally written by Bruce Schneier I am wary. It
still involves keystrokes and, in some form, clear data existing on a
computer which is on the Net and subject to being hacked. Also, I don't
like programs that keep things in databases unless there is a very good
reason. The advantages are considerable: I could run it on my main
net-connected computer. There is copy and paste to and from the program
and the Web browser.

I can still use my system on a Net-connected computer when away from
home, and can decipher the file with command line GPG on my San
Francisco server via SSH. To stop things being stored in the clear, I
could pipe the output of GPG's decryption into grep so that I only see
the line I want to see.

- Robin
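
The decrypt-into-grep lookup described in the last paragraph of the message, as an added example that is not part of the original post. It assumes one entry per line in the encrypted file; the `pw_lookup` function, the `PW_DECRYPT` override and the file name in the usage comment are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: show one entry from a GPG-encrypted password file without
# writing the plaintext to a file.
# Assumptions (not from the post): one entry per line; the PW_DECRYPT
# override, which lets the filter be exercised without a real key.
: "${PW_DECRYPT:=gpg --quiet --decrypt}"

# pw_lookup FILE TERM
# Prints only lines containing TERM. Returns 0 on a match, 1 on no match,
# 2 on bad arguments, 3 if decryption fails.
pw_lookup() {
    file=$1; term=$2
    [ -r "$file" ] || { echo "pw_lookup: cannot read $file" >&2; return 2; }
    [ -n "$term" ] || { echo "pw_lookup: empty search term" >&2; return 2; }

    # Plaintext is held in a shell variable, not a temporary file. Capturing
    # it first lets a decryption failure be told apart from "no matching
    # line", which a bare "gpg | grep" pipeline reports identically.
    plain=$($PW_DECRYPT "$file") || {
        unset plain
        echo "pw_lookup: decryption failed" >&2
        return 3
    }

    # printf is a builtin in bash and dash, so the plaintext never appears in
    # a process argument list. -F matches TERM literally; -i ignores case.
    rc=0
    printf '%s\n' "$plain" | grep -i -F -- "$term" || rc=$?
    unset plain
    return "$rc"
}

# Usage (file name is a placeholder): pw_lookup passwords.txt.gpg bank
```

Matching lines are still printed to the terminal, so they remain in its scrollback until it is cleared.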