
Password Advice - soundsop
http://www.schneier.com/blog/archives/2009/08/password_advice.html
======
jzdziarski
I respect Schneier as a security expert, but he seems to have completely
failed at conceptualizing the threats involved in using password managers.
Other than your basic problems, such as malware, screen spying, and the like,
whenever you use your password manager, all of your passwords will be
decrypted in memory and displayed on the screen. This leaves your passwords
exposed in two places. Cold boot attacks make it very easy to grab this from
memory, especially on desktop machines where they might remain in memory for a
good while. On the iPhone, screen leaking is of particular concern as the
device has several things going on in the background transparent to the
application. These include a keyboard logger which caches input into insecure
fields and a screenshot utility which takes screen snaps to process animations
and transitions, among other things. I've seen some password managers that
input your passwords into normal, insecure fields where your password winds up
in the keyboard cache in plain text. I've also seen plenty of passwords show
up in screen shots taken by the iPhone unbeknownst to the user.

It's far better to adopt the good habit of committing passwords to memory, which
reduces your risk of exposure greatly. And if your data is that important that
you absolutely have to protect access to it, you should be using one-time
passwords or RSA keys.
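The in-memory exposure the comment above describes, shown as an added example (this is not code from the commenter or from any password manager): a toy vault entry is decrypted into a static arena that stands in for process memory, "used", and then either left alone or scrubbed, after which a linear scan of the arena plays the role of a memory-dump or cold-boot search. The XOR key, the credential bytes, the arena layout and the helper names are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post above. A toy vault entry is
 * "decrypted" into a static arena that stands in for process memory, used,
 * and then either left alone or scrubbed. A scan of the arena afterwards
 * mimics what a memory dump or cold-boot capture would see. The XOR key,
 * the credential and the arena layout are all constructed for illustration.
 */

#define ENTRY_LEN 11

/* Constructed vault entry: an 11-byte password XORed with the byte 0x5A.
 * Only the obfuscated form lives in the binary. */
static const unsigned char vault_entry[ENTRY_LEN] = {
    0x0E, 0x28, 0x6A, 0x2F, 0x38, 0x6E, 0x3E, 0x35, 0x28, 0x7C, 0x69
};
static const unsigned char vault_key = 0x5A;

/* Stand-in for "process memory": the decrypted password is placed at a
 * fixed offset so the scan below can inspect it after the work is done. */
static unsigned char arena[256];
#define PASSWORD_OFFSET 64

/* Decrypt the vault entry into out (exactly ENTRY_LEN bytes, no terminator). */
void decrypt_entry(unsigned char *out) {
    for (size_t i = 0; i < ENTRY_LEN; i++)
        out[i] = vault_entry[i] ^ vault_key;
}

/* Zero a buffer in a way the optimizer may not drop as a dead store: every
 * write goes through a volatile pointer. (C11 memset_s or explicit_bzero do
 * the same job where available.) */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Linear scan of a region for a byte pattern, as a dump-analysis tool
 * would do. Returns 1 if found, 0 otherwise. */
int region_contains(const unsigned char *region, size_t region_len,
                    const unsigned char *needle, size_t needle_len) {
    if (needle_len == 0 || needle_len > region_len)
        return 0;
    for (size_t i = 0; i + needle_len <= region_len; i++)
        if (memcmp(region + i, needle, needle_len) == 0)
            return 1;
    return 0;
}

/* Stand-in for "using" the password: count characters that are not letters
 * or digits, the kind of thing a strength meter does. */
static size_t count_symbols(const unsigned char *pw, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char ch = pw[i];
        int alnum = (ch >= '0' && ch <= '9') || (ch >= 'A' && ch <= 'Z') ||
                    (ch >= 'a' && ch <= 'z');
        if (!alnum)
            c++;
    }
    return c;
}

/* Decrypt into the arena, use the password, then release it either by
 * doing nothing (wipe == 0) or by scrubbing (wipe == 1). Returns 1 if the
 * plaintext can still be found in the arena afterwards, else 0. */
int plaintext_lingers(int wipe) {
    unsigned char *pw = arena + PASSWORD_OFFSET;
    unsigned char reference[ENTRY_LEN];
    int found;

    memset(arena, 0, sizeof arena);
    decrypt_entry(pw);
    (void)count_symbols(pw, ENTRY_LEN);   /* the password is "in use" here */

    if (wipe)
        secure_wipe(pw, ENTRY_LEN);
    /* else: the manager just moves on, and the bytes stay where they are */

    /* Build a reference copy only for the scan, then scrub it too. */
    decrypt_entry(reference);
    found = region_contains(arena, sizeof arena, reference, ENTRY_LEN);
    secure_wipe(reference, sizeof reference);
    return found;
}

int main(void) {
    printf("without wipe: plaintext found = %d\n", plaintext_lingers(0));
    printf("with wipe:    plaintext found = %d\n", plaintext_lingers(1));
    return 0;
}
```

Scrubbing the buffer only narrows the window the comment is talking about; it does nothing about the copy that is on the screen, in a UI toolkit's text field, or in a platform keyboard cache, which is why the same discipline has to be applied at every layer that handles the plaintext.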

