[nycbug-talk] password repository

Peter Wright pete at nomadlogic.org
Thu Dec 31 14:15:28 EST 2009

On Dec 30, 2009, at 1:26 PM, Chris Snyder wrote:

> On Wed, Dec 30, 2009 at 3:37 PM, Isaac Levy <ike at lesmuug.org> wrote:
>> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen <okan at demirmen.com> wrote:
>>>> truecrypt is analogues to disk/volume encrypting bits we already have in
>>>> bsd - but it doesn't help if this image is mounted on a server
>>>> somewhere..and say someone doesn't un-mount it after use...
>>> Sort of. The point of using something cross-platform is that devs /
>>> admins mount the image locally on their Win/Mac workstations. And you
>>> don't need to explain openssl to the Windows guys...
>> Just to be clear- Is that the only benefit of Truecrypt, Windows
>> compatibility?  I've never used it and I'm just curious...  (perhaps I
>> should *try* it)
> For this, yeah: Mac/Win/Linux compat and GUI.
> TC has a plausible-deniability mode that embeds an image within an
> image, so that in theory you could give out the "outer" password if
> someone held a gun to your head, and keep the inner password secret.
> By the way, I'm not sure if they use a password salt or not, I seem to
> recall warnings about saving .tc files in version control because they
> might leak info if attacker has many versions of the same file. For
> that reason alone the openssl approach is better if you're a unix
> shop.

I am using password-safe currently for shared passwords:

we save our files in psafe3 format which is supported by the native NT client...there is a pwsafeV3 compatible CLI utility available, and password gorilla works on X11.  For OSX I use a pwsafe Java GUI called PasswordSafeSWT.

pwsafe3 files are checked into our SCM.  It seems to work well with the obvious issues of still having a shared password to unlock the password save.


More information about the talk mailing list