[nycbug-talk] password repository
Peter Wright
pete at nomadlogic.org
Thu Dec 31 14:15:28 EST 2009
On Dec 30, 2009, at 1:26 PM, Chris Snyder wrote:
> On Wed, Dec 30, 2009 at 3:37 PM, Isaac Levy <ike at lesmuug.org> wrote:
>> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>>
>>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen <okan at demirmen.com> wrote:
>>>
>>>> truecrypt is analogues to disk/volume encrypting bits we already have in
>>>> bsd - but it doesn't help if this image is mounted on a server
>>>> somewhere..and say someone doesn't un-mount it after use...
>>>
>>> Sort of. The point of using something cross-platform is that devs /
>>> admins mount the image locally on their Win/Mac workstations. And you
>>> don't need to explain openssl to the Windows guys...
>>
>> Just to be clear- Is that the only benefit of Truecrypt, Windows
>> compatibility? I've never used it and I'm just curious... (perhaps I
>> should *try* it)
>
> For this, yeah: Mac/Win/Linux compat and GUI.
>
> TC has a plausible-deniability mode that embeds an image within an
> image, so that in theory you could give out the "outer" password if
> someone held a gun to your head, and keep the inner password secret.
>
> By the way, I'm not sure if they use a password salt or not, I seem to
> recall warnings about saving .tc files in version control because they
> might leak info if attacker has many versions of the same file. For
> that reason alone the openssl approach is better if you're a unix
> shop.
I am using password-safe currently for shared passwords:
http://www.schneier.com/passsafe.html
we save our files in psafe3 format which is supported by the native NT client...there is a pwsafeV3 compatible CLI utility available, and password gorilla works on X11. For OSX I use a pwsafe Java GUI called PasswordSafeSWT.
pwsafe3 files are checked into our SCM. It seems to work well with the obvious issues of still having a shared password to unlock the password save.
-pete
More information about the talk
mailing list