Protecting Secrets from Computers (2023) (acm.org)
63 points by antlai 4 months ago | 25 comments



My biggest challenge as I’m getting older is remembering my long secret key.

Even with a password manager that requires me to remember only a few passphrases (personal and work being two), there is a non-zero chance now that a fall and a concussion would lock me out of my password manager.

Anyone else have a solution or a suggestion for this problem?


My wife has my passphrases in her password manager and I have her passphrase in my password manager.

This is maybe not the most secure way to do it, but this is good enough for our threat model.

These are offline password managers.


Wear a helmet and hip pads, but failing that split the password in half (as in literally the first half and the second half, don't try to get fancy with crypto) and give the halves to two people unlikely to collude. Your computer will no longer have 5th amendment protection, though.


Or better, use `Shamir's Secret Sharing`

https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing


GP specifically called out, "don't try to get fancy with crypto" and I'm inclined to agree with them for this use case.


Shamir's secret sharing with 3 separate lawyers is kind of hard to beat if you have cryptocurrency or other similar assets that absolutely need a password to recover it, and it is a relatively easy algorithm to run. Give them the same instruction sheet on how to run the algorithm, plus a different second page with their fragment of the key.

Most of the time, though, the "call us" approach actually works, and you can give your relatives power of attorney to handle this.


Use the good old post-it method

Remember Poe: what's hidden in plain sight is never found (and nobody is looking anyway).


Write it down on a piece of paper.


You could try Entropy Keycrypt -> https://entropykey.com/features


Yes. Place the secrets in a secured (symmetric encrypted) document. Then print the password for that document and hand it to a loved one, trusted family member/friend, or lawyer.


Biometrics?


Maybe I'm dumb, but how do you read the article?


Ah, you click on "All Formats". Which is apparently a synonym for the verb "read".


No! You click on the PDF button which... uh... opens an empty Firefox tab.



Click the red PDF button. Or click the "view all formats" button to select your preferred option.


What about reducing our usage of the Internet and using local resources instead? Personally I have local mirrors of various code repositories, and thousands of ebooks. If you want to nearly eliminate all surveillance, then you can air-gap your computer?

So we shift back from the collective (networked) systems to a more individualistic local information store? We already have local AI models, which is a step in the right direction.


Still reading but this is an interesting position to juxtapose with the repeated axiom that thou shalt not roll thine own crypto.

Instead, the claim here is that you cannot trust crypto that you didn't roll yourself. Indeed, maybe you should compute it by hand!

Ha! I love having my beliefs challenged.

Completely impractical but very fun.


Only keep your passwords in your head. That way only one person can know them - you. And then, you can forget them, and now no-one knows them.

As we are continually told, and as is pushed upon us by IT, this is the most secure system to have.

The one that no one can use.


Passwords are useless if only you know them.

You can use private keys like that, but people are not expected to remember them.


Is there a good pen-and-paper OTP authentication mechanism?



I was talking about a point discussed in the article. There is an attack on OTP because the attacker can change the message if there is no hash-like authentication of the message's correctness. I asked if there was a pen-and-paper way to authenticate an OTP message.
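To make the point in the comment above concrete, here is an added example (not from the thread or the article) of the two halves of the problem: a one-time pad accepts any bit-flipped ciphertext without complaint, and a one-time polynomial MAC in the Carter-Wegman style catches the change. The MAC is plain modular arithmetic, so the same procedure works with pencil and paper using a small prime, at the cost of a higher forgery probability; the 61-bit prime, pad and sample message here are constructed for the example.

```python
import secrets

# Field prime for the MAC. A forgery succeeds with probability about
# (number of blocks) / PRIME, so 2**61 - 1 is comfortable on a computer;
# by hand one would use a small prime and accept a weaker bound.
PRIME = 2**61 - 1


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad encrypt/decrypt: XOR with an equally long, never-reused pad."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(d ^ p for d, p in zip(data, pad))


def poly_mac(msg: bytes, r: int, s: int) -> int:
    """One-time polynomial MAC: tag = s + sum_i b_i * r^(n+1-i) mod PRIME over
    the bytes b_1..b_n, with the message length folded in as a final block so
    that messages differing only by leading zero bytes do not collide.
    r and s are fresh secret values, used once, shipped alongside the pad."""
    acc = 0
    for block in list(msg) + [len(msg)]:
        acc = (acc + block) * r % PRIME   # Horner evaluation of the polynomial
    return (acc + s) % PRIME


def seal(plaintext: bytes, pad: bytes, r: int, s: int):
    """Encrypt with the pad, then tag the ciphertext."""
    ct = otp_xor(plaintext, pad)
    return ct, poly_mac(ct, r, s)


def open_sealed(ct: bytes, tag: int, pad: bytes, r: int, s: int):
    """Verify the tag before decrypting; return None on any mismatch."""
    if poly_mac(ct, r, s) != tag:
        return None
    return otp_xor(ct, pad)


def tamper_demo():
    """Return what a receiver reads from a modified ciphertext without a MAC,
    and what the MAC-checking receiver returns for the same ciphertext."""
    plaintext = b"PAY 100"                        # constructed sample message
    pad = secrets.token_bytes(len(plaintext))     # fresh one-time pad
    r, s = secrets.randbelow(PRIME), secrets.randbelow(PRIME)
    ct, tag = seal(plaintext, pad, r, s)

    # XOR is bitwise, so a change to ciphertext bits lands on the same
    # plaintext bits: the digits "100" become "900" with no error at decryption.
    delta = bytes(a ^ b for a, b in zip(b"100", b"900"))
    tampered = ct[:4] + bytes(c ^ d for c, d in zip(ct[4:], delta))

    unauthenticated = otp_xor(tampered, pad)               # b"PAY 900"
    authenticated = open_sealed(tampered, tag, pad, r, s)  # None: tag mismatch
    return unauthenticated, authenticated


if __name__ == "__main__":
    without_mac, with_mac = tamper_demo()
    print("without MAC the receiver reads:", without_mac)
    print("with MAC the receiver gets:", with_mac)
```

The tag key (r, s) is consumed with the pad and never reused, which is what keeps the MAC one-time and information-theoretic rather than computational; reusing r across two messages leaks it by subtraction, exactly as reusing a pad leaks the XOR of two plaintexts.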


* Pricing

Pricing and access depends on your membership or subscriptions with ACM. Purchase this Article: Protecting Secrets from Computers Terence Kelly

    Purchase Article
    Non Member$15.00
    ACM Professional Member$10.00
    ACM Student Member$5.00

    Already an acm Member? Sign In or become a member
deepdyve logo Available at DeepDyve

The Largest Online Rental Service for Scholarly Research

Price: $0.00 *

I.A. or similar link kindly requested please. TYIA


All you have to do is click "all formats" and select one.

https://queue.acm.org/detail.cfm?id=3623614&doi=10.1145%2F36...



