How to save passwords more securely?!

Enrico Weigelt weigelt at metux.de
Tue Jul 1 18:33:16 EDT 2008


* Bron Gondwana <brong at fastmail.fm> wrote:

> Yeah - that's a pain.  You need one of the security enhancing patches
> that provide further levels of separation between processes.  

Just using different uids and a proper permission setup should be enough.

> The nice thing about outsourcing responsibility for that to another 
> program (possibly even to the point of using copyfile() from a unix 
> socket to the password manager to the network connection) is that 
> any security improvements in that password manager are picked up 
> automatically.

You mean factotum?

-> http://plan9.bell-labs.com/plan9/factotum.html

> But it's true - if you have a virus with full access to your account,
> you're pretty much screwed regardless.  On the other hand, if something
> only manages to hijack an SMB or NFS session to your home directory
> you'd be safer not having passwords in the clear on file.

Well, if you're using a separate authentication server on its own
uid, you can at least make attacks quite hard. For example, if you
extend an auth server like factotum to understand the authentication
handshakes of certain IM protocols over that part to it (and these
protocols use hashed secrets) - you just have to bridge the required
traffic and the secret will never leave the auth server.


cu
-- 
----------------------------------------------------------------------
 Enrico Weigelt, metux IT service -- http://www.metux.de/

 cellphone: +49 174 7066481   email: info at metux.de   skype: nekrad666
----------------------------------------------------------------------
 Embedded Linux / Porting / Open-source QM / Distributed Systems
----------------------------------------------------------------------
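The privilege-separated auth server described in the message above, as an added example that is not part of the original thread or of factotum: a forked child process holds the IM account secret and answers a CHAP-style HMAC challenge over a socketpair, so the client process only relays the challenge and the response and never sees the password. The function names and the constructed credentials are assumptions; a real deployment would also drop the child to a dedicated auth uid.

```python
import hmac
import hashlib
import os
import socket

# Constructed sample credential store (placeholder, not a real account).
# In a real deployment this lives only in the auth server's memory.
SECRET_STORE = {"alice": b"correct horse battery staple"}


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Hashed-secret handshake step: HMAC-SHA256 of the server's nonce."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest().encode()


def auth_server(conn: socket.socket) -> None:
    """Runs in its own process: answers challenges, never exports secrets."""
    while True:
        req = conn.recv(4096)
        if not req:
            break
        user, _, challenge = req.partition(b"\x00")
        secret = SECRET_STORE.get(user.decode())
        conn.sendall(compute_response(secret, challenge) if secret else b"ERR")
    conn.close()


def client_answer(conn: socket.socket, user: str, challenge: bytes) -> bytes:
    """The IM client bridges the challenge to the auth server and relays the reply."""
    conn.sendall(user.encode() + b"\x00" + challenge)
    return conn.recv(4096)


def run_demo(user: str, challenge: bytes) -> bytes:
    """Fork the auth server, relay one challenge, return the handshake response."""
    parent, child = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # auth server process; a real one would setuid() to its own uid here
        parent.close()
        auth_server(child)
        os._exit(0)
    child.close()
    response = client_answer(parent, user, challenge)
    parent.close()  # closing the socket makes the child's recv() return b"" and exit
    os.waitpid(pid, 0)
    return response


def remote_verify(user: str, challenge: bytes, response: bytes) -> bool:
    """What the remote IM service does with its own copy of the shared secret."""
    return hmac.compare_digest(compute_response(SECRET_STORE[user], challenge), response)
```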