
Password management finally possible (JoS) - raghus
http://www.joelonsoftware.com/items/2008/09/11b.html
======
d0mine
An alternative pair of products: Wuala and KeePass (Windows, Linux, MacOS X,
PocketPC, J2ME (Symbian), BlackBerry)

<http://wua.la> -- online storage (files are encrypted on your computer
before uploading, GUI is more cluttered compared to DropBox, 1GB by default,
additional space can be bought (money) or traded in exchange for local space
(free))

<http://keepass.info> -- password manager (it works almost everywhere)

~~~
gregwebs
KeePass proper only works on windows, there is a port called KeePassX that
works on Linux and Mac. I'm not sure about mobile devices. They all read the
same database file, so this setup will work. I have achieved what Joel is
talking about with a flash drive on my keychain that has the database file,
keepass, and keepassX. Too bad my flash drive broke yesterday...

KeePass on windows is the best password manager I have ever seen, featuring
programmable auto-typing.

------
pasbesoin
For the web site, I find that I can switch to an SSL/TLS-delivered log on page
by clicking the unsecured front page's log on button without entering
credentials. However, the SSL/TLS-delivered page is broken in that some
elements used in its composition are not secured. My understanding (not my
area, so feedback welcome) is that this opens up security concerns; those
unsecured elements allow the possibility for the page and its functionality to
be compromised.

I really dislike the more recent trend to "fancy up" submissions of secure
information. Give me an SSL/TLS-delivered page with a valid certificate and
which the browser can confirm as being (entirely) secured. Don't hide the
security behind scripting and the like and ask that I take it on faith.

UPDATE: I tried again, and this time the page was completely secured. So maybe
my original concern is not present; however, it would appear that the site may
be unstable to some degree.

Again, not my area of expertise. But I figure here is as good a place as any
for feedback to reach the developers, and/or to be corroborated by others'
experiences.

------
jodrellblank
Yet here -> <http://www.joelonsoftware.com/items/2008/05/01.html> Joel
couldn't be more scathing of file synchronisation, writing:

"It's a way to synchronize files.

Jeez, we've had that forever. When did the first sync web sites start coming
out? 1999? There were a million versions. xdrive, mydrive, idrive, youdrive,
wealldrive for ice cream. Nobody cared then and nobody cares now, because
synchronizing files is just not a killer application. I'm sorry. It seems like
it should be. But it's not."

among other things. Has he changed his mind and now sees it as a killer app,
or is it some anti-Microsoft/Ray Ozzie stereotype bias that doesn't apply to
dropbox?

------
Haskell
What amazes me most is that people will trust all their passwords to a piece
of software and they don't really know what it is doing.

If you want to install this Password Gorilla thing in your MacOS, how do you
know if it isn't trojaned? Where is the checksum for you to verify it?

Do you remember that even a security researcher and openbsd developer got his
box hacked and his software trojaned? <http://tinyurl.com/3owcj7>

Remember what your mother said: Don't accept candy from strangers. So I hope
you all are checking the source code and compiling it yourselves.

Not that checking the source code would be enough. When was the last time you
checked the source code from anything you downloaded?

Ok, so you checked the source code to see that there's no backdoor sending
your password over the internet, but do you yet remember the debian SSL
vulnerability?

Yes, there could be a similar, subtle, but maliciously introduced flaw in
cryptographic algorithm used by the password manager. So it's just a matter of
an attacker having access to the cloud storage, not that that would be
difficult either (remember the hacked Fedora and Redhat servers?), and
"deciphering" all of your passwords.

------
jacobscott
It's great that dropbox launched (MIT pride!) but were they really the
"missing link" that made this possible? What about something like WebDAV?
Also... looking at PasswordSafe, it doesn't seem to integrate with the
browser, which makes it a bit of a pain to use for websites.

Finally -- would you store your (encrypted) private ssh key on DropBox?
Because I'm not sure I would, and this is basically what Joel is suggesting.

~~~
spacecowboy
I believe what Joel was recommending was that you place the physical encrypted
PasswordSafe data file on your Dropbox account. You still need to have the
PasswordSafe utility on your computers to access the encrypted data file on
DropBox AND use your PasswordSafe password to decrypt the data file. Your
PasswordSafe password is what becomes the crucial piece of data - without it,
no one should be able to decrypt the contents of your PasswordSafe data file.

~~~
gcv
That's precisely the equivalent of putting a passphrase-protected ssh private
key on Dropbox. Probably worse, since personal banking data is more valuable
than any Unix box most people log into.

------
delackner
Forgive me for being thick-headed, but you have a password to access dropbox,
right? Presumably one that, since you have to remember it, someone might
brute-force, just like any other password you have to remember.

If they get your data file, then they can just offline brute-force that, and
again, since it is protected by a password that you have to remember, this
should not be too hard, right?

So we have 2 memorable-length passwords, one of which the enemy can brute-
force offline. So we really only have the protection of 1 memorable-length
password, the one to get into the account itself, which is slightly harder to
brute-force.

So how is this any more secure than just memorizing one strong password and
using it for everything that is important? Any service that isn't trustworthy
enough to get that password is also not trustworthy enough to get your
personal data in the first place...

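The design spacecowboy describes (an encrypted data file on Dropbox, useless without the master password) and the offline brute-force objection delackner raises both turn on one detail the thread never spells out: the key is not the master password itself but a slow derivation of it, so each offline guess costs the attacker a full key-stretching run. The following is an added example, not code from the thread, from Password Safe or from Dropbox. It assumes a constructed vault layout (salt, iteration count, nonce, ciphertext, HMAC tag), uses PBKDF2-HMAC-SHA256 for stretching, and uses HMAC-SHA256 in counter mode as a stand-in for AES-CTR so that it runs on the standard library alone; the sample entries are made up.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed vault layout for this example (NOT Password Safe's file format):
#   salt (16) | iterations (4, big-endian) | nonce (16) | ciphertext | tag (32)
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = SALT_LEN + 4 + NONCE_LEN

# Constructed sample contents of a password database.
SAMPLE_ENTRIES = (
    b"bank.example     user=alice  pass=Kq9!vR2#mZ\n"
    b"mail.example     user=alice  pass=wT4$pL7&nB\n"
    b"ssh-key-passphrase            pass=correct-horse-battery\n"
)


def derive_keys(master_password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch the master password with PBKDF2-HMAC-SHA256 and split the output
    into an encryption key and an independent MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher using HMAC-SHA256 as the PRF (assumed stand-in
    for AES-CTR). XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal_vault(master_password: str, plaintext: bytes, iterations: int = 600_000) -> bytes:
    """Produce the blob that would be dropped into the synced folder."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    header = salt + struct.pack(">I", iterations) + nonce
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    # Encrypt-then-MAC over header and ciphertext: tampering with the stored
    # file (including its iteration count) is detected before decryption.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the entries, or None if the master password is wrong or the blob
    was modified. Wrong password and tampering are deliberately indistinguishable."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return None
    header, ciphertext, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[:SALT_LEN]
    iterations = struct.unpack(">I", header[SALT_LEN:SALT_LEN + 4])[0]
    nonce = header[SALT_LEN + 4:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, nonce, ciphertext)


def offline_guess_cost(iterations: int, candidates: int, samples: int = 3) -> Dict[str, float]:
    """Time one derivation at this iteration count and project how long someone
    holding the file needs to try `candidates` master passwords on one core.
    This is the knob that decides whether delackner's offline attack is cheap."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", b"\x00" * SALT_LEN, iterations)
    per_guess = (time.perf_counter() - start) / samples
    return {"seconds_per_guess": per_guess, "seconds_for_all": per_guess * candidates}


if __name__ == "__main__":
    blob = seal_vault("my master password", SAMPLE_ENTRIES)
    assert open_vault("my master password", blob) == SAMPLE_ENTRIES
    assert open_vault("my master passw0rd", blob) is None
    for iters in (1_000, 100_000, 600_000):
        cost = offline_guess_cost(iters, candidates=10**8)
        print(f"{iters:>7} iterations: {cost['seconds_per_guess']*1e3:7.2f} ms/guess, "
              f"{cost['seconds_for_all']/86400:8.1f} days for 10^8 guesses on one core")
```

The point to take from running it: the Dropbox account password is only gating access to the file, while the master password, multiplied by the iteration count, is what stands between the file and the entries once the file has been obtained. A weak master password with a low iteration count makes delackner right; a long passphrase with a high count is what makes the "encrypted file in the cloud" design hold up, and the tag check is what stops a modified file from being opened silently.
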
~~~
trickjarrett
Joel's point is that this now allows you to put an additional layer between
you and the security weakness. No this isn't foolproof but it's better than
what most people have.

love, sex, god, secret, password - sad how many people use these still.

------
DenisM
Speaking of which, we ( <http://www.memengo.com> ) created a two-tier password
manager:

one tier is an iPhone app. Handy for debit card PIN codes, luggage combination
locks etc.

the other tier is a cloud service with AJAX front end.

both tiers support client-side AES256 encryption. iPhone app can be synced to
cloud, or used stand-alone.

~~~
mrtron
How does this compare to using 007 as my luggage combo locks and PIN code
(0007)? :)

Interesting app you created though.

~~~
DenisM
1. Different sites may impose different requirements, and some even more than
one. Esp. different "secret questions".

2. If you use same password everywhere, you can't selectively share it. E.g.
if I want to share the iTunes account with my GF, I have to tell her what the
password is.

3. Internet access point user id/password sometimes is given to you. E.g.
Fairmont presidential club gives you free internet at their hotels, but you
need to remember a 10-digit code.

4. You don't want to have same password on digg and on your bank. The
probability of password leak is proportionate to its use frequency.

------
tdavis
I cheat... I use 1Password and only have Macs.

------
LogicHoleFlaw
Can the dropbox client be run off of a USB stick? Sort of like the
PortableApps binaries.

Do these password managers integrate with firefox?

------
tptacek
I trust DropBox as much or more than Bank of America why?

~~~
reitzensteinm
He's talking about storing an encrypted file on DropBox - it's useless without
a master password, which means that should DropBox be compromised for whatever
reason then your passwords aren't in danger.

~~~
tptacek
I missed that. Thanks!

------
jhancock
more dropbox pandering!!! I certainly hope this dropbox thingy is actually
easy to use as advertised by SO MANY!!! But seriously, the ONLY thing it can
offer is something easier for shared file storage. Something that's been done
many times over...now we get to see if dropbox has done it well enough to
attract a long term user base. But Joel's post is OVER THE TOP in pandering!!!
Does he have equity in this thing?

