Personal Metadirectory for Passwords

Yesterday, I was fed up with my password mess. I had too many passwords, and despite my “method,” I was losing track of them all. I decided to work on upgrading my method. I started out looking for a replacement “password vault.”

Here are my requirements:

  1. is highly secure, using accepted standards (i.e. PKI, DES, etc.)
  2. works on/across multiple platforms (PC, Mac, Linux, BlackBerry)
  3. synchronizes across multiple instances/platforms (as automatically as possible)
  4. easy to access/use (i.e. retrieve and use a credential without too many hoops)

KeePass meets all those criteria, but the interface isn’t great.

I asked some friends and posted to a newslist. Answers came back including:

  • KeePass
  • vim -x
  • Other encrypted text files (ex. Word doc, plus external encryption)
  • Use a regular thumb drive with TrueCrypt
  • Use a secure/encrypted thumb drive, like the Ironkey

This got me thinking along related lines.

Personal Meta-Directories

1. We all have these. Outlook, Notes, Thunderbird all have our email address books. We have our cell phone address book. We probably have a paper address book for holiday cards. Your spouse, children, boss and peers also have theirs.

2. Why don’t we keep our “Passwords” in the Address Book? Obviously because it’s not secure. Passwords should be expanded to include any required credentials (certificates, tokens, keys, etc.). But companies keep our credentials in corporate directories. Why shouldn’t individuals keep theirs in their own personal directory?

3. KeePass is a file store with some directory-like characteristics, but it is no real metadirectory. The address books I have are not real directories either. And in any case, many metadirectories have poor security.

But, wouldn’t it be nice to have a metadirectory with all your access credentials, as well as all your contact data? This is essentially all the data necessary to set up and negotiate the various types of communication channels you personally need and use.
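The post's objection to keeping passwords in the address book is that the address book is not secure; the metadirectory idea only works if the credential attributes are sealed while the contact attributes stay usable. The following added example (my code, not LiveBolt's or any product's) sketches that split: a JSON directory where name and email are plaintext, each credential is encrypted and integrity-protected under a passphrase-derived key, and every sealed blob is bound to its owner and field so records cannot be swapped between entries. It uses only the Python standard library; the HMAC-SHA256 counter-mode keystream is an assumed stand-in for a vetted AEAD such as AES-GCM, and the sample people and the iteration count are constructed values.

```python
"""Personal directory with readable contact attributes and sealed credentials.
Added example (not the post's code). Standard library only: the HMAC-SHA256
counter-mode keystream is an assumed stand-in for a vetted AEAD (AES-GCM)."""
import base64
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 200_000  # assumed value; tune to the slowest machine you sync to

SAMPLE_PEOPLE = [  # constructed sample data
    {"name": "Alice Example", "email": "alice@example.com",
     "credentials": {"mail.example.com": "correct horse battery staple"}},
    {"name": "Bob Example", "email": "bob@example.com",
     "credentials": {"vpn.example.com": "hunter2-but-longer"}},
]


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch the passphrase with PBKDF2, then split into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) driven in counter mode; a nonce is used once per key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_secret(enc_key: bytes, mac_key: bytes, plaintext: bytes, context: bytes) -> dict:
    """Encrypt-then-MAC; the tag also covers the context (owner:field) to prevent blob swapping."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, context + nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": b64(nonce), "ct": b64(ciphertext), "tag": b64(tag)}


def open_secret(enc_key: bytes, mac_key: bytes, blob: dict, context: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = (base64.b64decode(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, context + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("credential failed integrity check (wrong passphrase or tampering)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_directory(passphrase: str, people: list) -> dict:
    """Contact attributes stay plaintext; every credential value is sealed."""
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    entries = []
    for person in people:
        sealed = {}
        for field, secret in person["credentials"].items():
            context = f"{person['name']}:{field}".encode()
            sealed[field] = seal_secret(enc_key, mac_key, secret.encode(), context)
        entries.append({"name": person["name"], "email": person["email"], "credentials": sealed})
    return {"salt": b64(salt), "entries": entries}


def lookup_credential(directory: dict, passphrase: str, name: str, field: str) -> str:
    """Re-derive the keys from the stored salt and open one credential."""
    enc_key, mac_key = derive_keys(passphrase, base64.b64decode(directory["salt"]))
    entry = next(e for e in directory["entries"] if e["name"] == name)
    context = f"{name}:{field}".encode()
    return open_secret(enc_key, mac_key, entry["credentials"][field], context).decode()


def corrupt_ciphertext(directory: dict, name: str, field: str) -> dict:
    """Return a copy with one ciphertext byte flipped, to show the integrity check firing."""
    copy = json.loads(json.dumps(directory))  # the store is plain JSON, so this is a deep copy
    entry = next(e for e in copy["entries"] if e["name"] == name)
    ct = bytearray(base64.b64decode(entry["credentials"][field]["ct"]))
    ct[0] ^= 0x01
    entry["credentials"][field]["ct"] = b64(bytes(ct))
    return copy


if __name__ == "__main__":
    directory = build_directory("master passphrase", SAMPLE_PEOPLE)
    print(json.dumps(directory, indent=2))  # contacts readable, credentials opaque
    print(lookup_credential(directory, "master passphrase", "Alice Example", "mail.example.com"))
```

The JSON file this produces is what a synchronized copy on another platform would see: names and addresses in the clear, credentials as opaque blobs. A wrong passphrase, a flipped ciphertext byte, or a blob copied from one entry to another all fail the same tag check before any plaintext is returned.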

What do you use?

We at LiveBolt would like to know what YOU, the reader, use for securing your “bits.”

We’ll select a user at random on July 1st from the comments below and send them a new IronKey Personal, 1GB Secure (not to mention waterproof) USB Flash Drive, by IronKey. (To the winner: we just ask that you write back and let us know what you think of it!)

To enter the contest, just reply with a comment to this post (before noon CDT on 7/1) and include your answers to the following questions:

1) How do you manage your passwords?

2) What software/hardware/methods do you use?

3) What would be your idea of a killer-app for personal “attribute” management?

Comments will be locked at noon CDT on 7/1 so we can pick a winner. Make sure to include your email address in your comment so we can contact you if you’re a winner. Good luck!!!

Edit: 1 entry per email address and/or IP address, duplicate entries will be disqualified.

9 Responses to “Personal Metadirectory for Passwords”

  1. 1) I manage passwords from memory.
    2) If I forget a password I use the password reset or reminder utility from the website I am trying to login to.
    3) A single sign-on hasp of some sort would be ideal. Something that would allow you to authenticate once and then handle all subsequent logins to other applications / sites.

  2. 1) Sticky notes! lol… :-)
    2) If I told you how I remember mine that would compromise my security… Sorry
    3) I have actually been thinking of getting an Ironkey for about a year now for just the mentioned reasons. So even if I don’t win one, I still might get one. But then that leaves me with having to remember my Ironkey…. Getting old you know.

  3. I maintain a text file that contains important information and encrypt it. The process is a pain, but I have a level of confidence that the data has a low risk of getting into the hands of someone else. The Ironkey solution looks very attractive because it simplifies the process of securing the data.

  4. 1) Memory, primarily.
    2) Fragments of the passwords are stored in an encrypted text file as backup.
    3) An ideal killer-app for identity management would be one that was accessible everywhere, open-source, and capable of changing my passwords to a temporary one while traveling, so I have the equivalent of a one-time pad while traveling.

    [ Reposting. Comment didn't show up...? ]

  5. 1) How do you manage your passwords?
    From home/office - KeePass secured with an alphanumeric 25+ character password to access the KeePass database on a heavily protected laptop, i.e. encrypted HDD with TrueCrypt, Comodo Firewall, and multiple anti-malware scanners.
    Mobile - On a USB drive, KeePass database secured with an alphanumeric 25+ character password, all tucked inside of a TrueCrypt encrypted volume.
    2) What software/hardware/methods do you use?
    KeePass with a 25+ character password, with the database inside of a TrueCrypt file or volume (25+ character password on the file or volume)
    3) What would be your idea of a killer-app for personal “attribute” management?
    The way IronKey has been advertised seems like that would be a killer-app, no need to worry about TrueCrypt for the encryption (simplifies everything a bit)

  6. For legacy systems that are inherently insecure via the limitations that they put on the length and complexity of passwords, there is not a whole lot you can do. However, for more modern systems, I like to use a phrase that means something to me in a somewhat obscure way and then substitute in numeric and special characters, for something like: My Dog Got Eaten By a UFO = MyD0gG@t8ByaUFO

  7. 1) I use KeePass.
    2) I use a layered approach: very strong 20-30 letter passwords for my encryption keys/credit card/banking, strong email passwords, and simple passwords for websites/forums, and the passwords get updated regularly in my KeePass.
    3) I like the idea of YubiKey using a single sign-on via a USB keyboard. Something like that is a good option.

  8. Security can get complicated. For my password management, I use a small (<10) set of passwords and phrases that satisfy basic strong password rules (length, special chars and numbers) and I rotate these passwords.

    A personal attribute manager is a good idea, but it would need to address multiple audiences, specifically techs and non-techs. Non-techs are intimidated easily by what security professionals describe as good enough security, so the solution would need to be simple to be reusable (this is why many people still use sticky notes stuck to the bottom of their keyboard…it’s easy).

  9. 1. Recycling works very well

    2. I don't. Password resets help me out once in a while.

    3. I like apps as much as the next guy, but I'm not sure that anyone can help me, lol. Really, an app that could allow me to combine a proximity solution and an additional H/W token (USB key FOB) with a single 6 alpha-numeric to unlock it would be great. The solution should allow for SSO to all my apps.
