February 9th, 2009
I got an email today from some software company.. Trying to sell me a password management tool. I used to use KeePass which was pretty effective. This one is considerably more expensive. Among its features, it boasts:
I’ve got issues with all three five points above.
The other thing that’s at the front of my mind now is what password do you use to lock the password safe? Do you use a long, complex, difficult-to-break one, which you’ll probably never remember and will need to write down (therefore making it totally pointless anyway), or a simple short password like your first pet’s name, and some thoughtful numbers after it?
Sidenote to point 3. 307 years on a 1GHz Pentium.. What about a dual-quad core Pentium Xeon. Or a distributed attempt across 256 nodes of dual-quad core Xeons. Still, it’s reaching a bit far, but it doesn’t mean that this password is unbreakable. Not by a long way.
Uh, right.. So this software is going to prevent me from putting a PS2/USB hardware keylogger between the PC and the keyboard? I think not. And if it claims to protect against software keylogging, how could you prove that it wasn’t a keylogger itself? It would be a pretty ingenious way to harvest credentials: make the user believe they’ve just bought a security enhancement, when really they’re buying a back door. (I’m not saying that’s what they’re doing, but it’s certainly enough to make me want further verification of the publisher’s honesty.)
I really don’t like the sound of this software; actually, I’m not keen on this “credentials management” type thing at all. There are too many unanswered questions. And that’s before we get onto the rather open question of the use of biometrics for passwords. There seems to be a growing trend at the moment where biometric data (fingerprints, webcam images, iris scans) provide the password data, as opposed to the identity data that is then confirmed with a password.
Private keys and passwords are easy to change when compromised, but how do you change your fingerprint, facial shape, or iris detail when your credentials are compromised?
Some of these may be partially falsified, but Tom doesn't know either.