[LINK] How to manage passwords?

Robin Whittle rw at firstpr.com.au
Sat Aug 14 22:10:07 EST 2004


Here is how I set up my password system, with some notes on what I think
it achieves and why I don't want to use Passwordsafe.

This is effectively a zero-cost arrangement, without any dependence on
special hardware.

I got a 1996 100MHz Pentium II laptop - a Thinkpad 760EL, with a 5 Gig
HD and 32 Megs of RAM.  It is no good for a modern OS.  I installed
Win98 SE and use it solely for this password function.  It is never
connected to the Net - communication is via the floppy drive.

I installed Windows Privacy Tools (Win-PT), which contains Gnu Privacy
Guard - the actual encryption program - and provides a GUI for it.  I
also installed the Code Genie text editor.  I generated a key-pair and
exported the public and secret keys to floppy.  Those keys are text
files, and WinPT seems to need to import the public one before it is
possible to import the private one.

On the Thinkpad, using Code Genie (though any text editor will do,
including Word or whatever) I write all my passwords in a text file,
saving it with a name which includes the date in the file name.  By
right-clicking the Win-PT icon in the System Tray, I bring up its File
Manager - and drag and drop the text file to that window.  Then I
encrypt it with my public key, saving the result as a text file.  I copy
the result xxx.txt.asc to two separate floppies, and leave it in the
Thinkpad.  All this work in the Thinkpad is in a smallish partition D:,
which I fill with stuff so it only has a few tens of megabytes free.

Once I am confident I have copied the encrypted file (and the first time
I did so, I used it and the keys to decipher the original text on
another computer) I delete the text file, empty the recycle bin and
scrub the D: partition's free space, using a batch file:

  sdelete -z D:

The programs I use are:

  WinPT       http://winpt.sourceforge.net/en/
  Code Genie  http://www.code-genie.com
  SDelete     http://www.sysinternals.com/ntw2k/source/sdelete.shtml
              (This includes source and seems well conceived.)

To read the passwords, I double-click the xxx.txt.asc file and decipher
it, giving my passphrase.  After reading it, I repeat the delete, empty
recycle bin and scrub operation before shutting the machine down.  To
change the file, I save it with a different name and do the above
procedure for saving the encrypted version to floppies.

The overall scheme is to have the encrypted data in four places:  the
Thinkpad, two floppies in different locations and also emailing them to
an offshore email account.  The keys are in the Thinkpad, on two
separately stored CDRs (which also contain the Win-PT program), and also
mailed offshore.

Assuming the cryptography is strong, in principle, in key-length and in
its implementation, and assuming that my pass-phrase is long and weird
enough to resist all practical key searches, then it seems I have
achieved my goals:

1 - No cleartext form of the password file ever exists on a
    Net-connected computer.

2 - The keys and ciphertext are both in four locations - all of which
    are unlikely to be got by a hacker, since they are not on
    Net-connected computers.  (However, the offshore email company
    could, if they wanted, read it - as could the US NSA, who supposedly
    read and analyse a lot of Internet traffic.  Best send them in a
    zip file to keep away prying eyes.)

3 - A physical burglary is the most likely way anyone could get the
    ciphertext or the keys, and I figure the average burglar isn't
    going to be wise to them.

4 - I have four-way physical redundancy of the ciphertext and keys.

A better implementation would be not to email to a remote commercial
server, but to use SSH and another layer of crypto to put them on a
distant server.  I did this to make it easy for another trusted person
to access them in the event I am incapacitated.  If the ciphertext and
keys fall into the hands of an attacker, then the whole game rests on
the secrecy of the pass-phrase.

This system should be fine at home.  To access it remotely is trickier -
but in principle I could have GPG, the keys and the ciphertext on my
remote server and do it all via SSH.

As I understand it, the main advantage of using Passwordsafe:

  http://passwordsafe.sourceforge.net/

is to run it on a Net-connected computer, with the obvious
benefits of using copy and paste for filling in passwords and I guess
account numbers etc.

Without looking at this program at all, it seems that the problems of
this approach include:

1 - A hacker program continually reading the keystrokes, clipboard
    or screen in order to find passwords or especially the master
    password.

2 - A hacker program modifying or replacing Passwordsafe with something
    which behaves the same, but captures the master password and so
    reveals all the passwords to the remote hacker.

I am not absolutely sure I can keep hackers out of my Windoze box,
or detect the presence of their programs for certain.  I would be much
more confident on a Linux machine, but not absolutely.  Since
Passwordsafe would probably be a program specifically targeted by
hackers, my inclination is to do all password operations on a computer
or other device which is never connected to the Net.


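The procedure above, done from the gpg command line instead of the WinPT GUI, as an added example that is not Robin Whittle's own setup or script. It follows the same steps and the same two checks he describes: decrypt the backup copy with a separately imported key pair before the cleartext is destroyed, and import the public key before the secret key on the second machine. Assumptions: GnuPG 2.1 or later is installed; the two "floppies" and the "other computer" are just directories and a second keyring under a throwaway temp directory; the key user id, the passphrase and the password entries are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): offline GnuPG password file
# workflow on the command line.  Everything happens under a temp directory with
# its own keyrings, so the real ~/.gnupg is never touched.
set -eu

PASS='made-up demo passphrase: replace with a long, weird one of your own'
MAIL='vault@example.invalid'          # assumed key user id (email part)

# gpg wrapper: non-interactive, passphrase fed on fd 3 rather than on the
# command line (where it would be visible in ps).  First arg is the homedir.
g() {
    home=$1; shift
    gpg --batch --yes --quiet --no-tty --homedir "$home" \
        --pinentry-mode loopback --passphrase-fd 3 "$@" 3<<EOF
$PASS
EOF
}

# Overwrite-then-unlink where shred exists; like sdelete, this only helps on
# media that overwrite in place (not a journaled FS, SSD or copy-on-write).
wipe() {
    if command -v shred >/dev/null 2>&1; then shred -u -- "$@"; else rm -f -- "$@"; fi
}

# Runs the whole cycle and prints OK; prints SKIP if gpg is not installed.
vault_round_trip() {
    if ! command -v gpg >/dev/null 2>&1; then echo SKIP; return 0; fi
    work=$(mktemp -d)
    home="$work/gnupg"; restore="$work/restore"
    fa="$work/floppy_a"; fb="$work/floppy_b"          # the two "floppies"
    mkdir -m 700 "$home" "$restore"; mkdir -p "$fa" "$fb"

    # 1. Generate the key pair unattended (WinPT's dialog as a parameter file).
    cat >"$work/keyparams" <<EOF
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: Password Vault
Name-Comment: offline only
Name-Email: $MAIL
Expire-Date: 0
Passphrase: $PASS
%commit
EOF
    gpg --batch --quiet --no-tty --homedir "$home" --pinentry-mode loopback \
        --gen-key "$work/keyparams"
    wipe "$work/keyparams"

    # 2. Export both halves as text files for the CD-R / offsite copies.
    g "$home" --armor --export "$MAIL" >"$fa/pubkey.asc"
    g "$home" --armor --export-secret-keys "$MAIL" >"$fa/seckey.asc"

    # 3. The cleartext, dated file name, constructed sample entries.
    plain="$work/passwords-2004-08-14.txt"
    printf '%s\n' 'bank  user=robin  pw=Example-Only-Not-Real-1' \
                  'mail  user=rw     pw=Example-Only-Not-Real-2' >"$plain"

    # 4. Encrypt to the public key, ASCII-armoured, and copy to both floppies.
    cipher="$plain.asc"
    g "$home" --armor --trust-model always --recipient "$MAIL" \
        --encrypt --output "$cipher" "$plain"
    cp "$cipher" "$fa/"; cp "$cipher" "$fb/"

    # 5. Prove the backup is usable BEFORE destroying the cleartext: a fresh
    #    keyring ("the other computer"), public key imported before secret key,
    #    decrypting the copy from the other floppy.
    g "$restore" --import "$fa/pubkey.asc"
    g "$restore" --import "$fa/seckey.asc"
    g "$restore" --decrypt --output "$work/check.txt" "$fb/$(basename "$cipher")"
    cmp -s "$plain" "$work/check.txt"

    # 6. Only now scrub the cleartext and the scratch copy.
    wipe "$plain" "$work/check.txt"
    [ ! -e "$plain" ]

    # 7. Stop the agents started for the two keyrings, drop the temp dir.
    GNUPGHOME=$home gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME=$restore gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo OK
}

vault_round_trip
```

Run it as `sh vault-demo.sh`; it prints OK once the decrypt-from-backup check passes, and SKIP when gpg is absent. Because `set -e` is on, a failed round trip aborts before step 6, so the cleartext is never wiped on the strength of a backup that was not proven readable. The `wipe` caveat applies equally to the sdelete free-space scrub in the post: on modern media, overwriting is no substitute for keeping the cleartext off the disk in the first place, which is what the never-networked machine is for.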