[Gllug] need a password manager for passwords I do not care about

Dan Stevens (IAmAI) dan.stevens.iamai at gmail.com
Thu May 15 16:10:57 UTC 2008 

> So, I need a password manager. I am thinking that using the one in
> Firefox might be okay. Until this point I have shunned password
> managers. My feeling being that they add insecurity to something that in
> theory should be secure. I will not be using this for any site that
> holds more details about me than my name and email address.

What is it that concerns your about password managers with regards to
security? Two possibilities come to my mind:

Firstly, any effective password manager is likely to require a master
password of some kind, which, if compromised also compromised all your
passwords stored in or generated by your password manager. However, if
you use a strong password, which have memorised and not stored, and
have not used it for anything besides as your password manager's
master password, it will be very difficult for an attacker to
compromise the security of your password manager.

The second security concern is of password managers that store your
passwords in some form. Obviously, passwords managers that store
passwords in clear text are of grave concern. Passwords should be
encrypted based on a master password. However, if password managers
uses a strong encryption method and you use a strong master password,
I believe there is no reason for concern.

I use a password manager for Firefox called PasswordMaker
(passwordmaker.org), which, rather than storing passwords, encrypted
or otherwise, generates passwords as and when they are needed.
PasswordMaker comes with a number of selectable hashing algorithms
which, using your master password, the domain of the site and your
username as inputs, generate a password for to use on your first and
subsequent visits. The generated password is not store, but re-created
every time you visit the site. The advantages of PasswordMaker, in
addition to not storing passwords, is that it will generate strong
passwords saving you having inventing them or memorise them. As long
as I believe that my master password is safe, I am safe in the
knowledge that if one of my accounts is compromised no others are
because all of my accounts now use different passwords.

2008/5/15 Justin Perreault <justinperreault at dl-jp.com>:
> I am tired. I figure I'll just wrap a couple of things up in preparation
> for my install of Fedora 9 that I will do tomorrow. Check the emails
> posted here and the docs online. I try one of the commands from the
> online docs. It fails. I check that I have it right. I do. I try again.
> it fails. I tweak the command to what I think is likely right. It works.
> Docs online seem to have a typo. Figure I should report it. Hunt down a
> contact. Find docs at fedoraproject.org . Send an email. Email bounces back
> due to address not existing. Now I have two errors in the documentation.
> Check the contact page found previously. Find
> https://bugzilla.redhat.com/ . Go to the site thinking "Okay now I'll
> just post these two bug reports and I can go to bed." But lo and behold
> I need to register. TWITCH, TWitCH, twitch, twiTCH.
>
> I understand why leaving the the bug repository open would be very bad.
>
> Any reason I should be truly concerned about someone getting my login
> details for a bug repository? Presumably anyone could just create a
> bogus account anyways.
>
> I don't want to create a default password that I hand out all over the
> net. I feel that such a foot print would be just asking for trouble.
>
> I expect that if someone gets hold of my system the least I need to be
> concerned with is a list of passwords to a variety of places that would
> not have a big need for passwords if bots would stop messing up the
> Internet.
>
> So, I need a password manager. I am thinking that using the one in
> Firefox might be okay. Until this point I have shunned password
> managers. My feeling being that they add insecurity to something that in
> theory should be secure. I will not be using this for any site that
> holds more details about me than my name and email address.
>
> I would mostly use this with firefox for internet logins. I will want to
> be able to access the passwords in a format that I can migrate to a
> fresh install if need be.
>
> Anyone here find the Firefox password manager any good?
>
> Any suggestions for other password managers to look at?
>
> Justin
>
> ps this is a bit of a long post, please be sure to crop out bits that
> don't need to be part of a reply.
>
> --
> If you are an adult, you can choose to act like a child. If you do not
> accept being an adult, you are only a child. -JJJ
>
> --
> Gllug mailing list  -  Gllug at gllug.org.uk
> http://lists.gllug.org.uk/mailman/listinfo/gllug
>
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list