That’s a lot of bits.

One of my responsibilities here at work is advising people on data security. I STRONGLY advise my users against using any sort of desktop critical data storage software. It seems too much like keeping all of your eggs in one basket.

1) If the critical data is stored in a file on your computer then if someone breaks in to your machine a copy can be made of the file and the bad buys have all the time and computing power they need back at home to crack it. This is less of a problem with Macs, but on the XP machines I support it's a huge issue.

2) if you lose the password to the software then the data stored in it is useless to you. I have had users keep the ONLY copy of their passwords in packages like this. When my users forget the one they need to get into the file, they then spend the rest of their day (or in some cases several days) resetting all of their passwords. On the other hand if they keep a spare copy of the password somewhere else, then they might as well keep all of them somewhere else.

I keep my passwords on a handwritten card I keep with me. No one can grab them over the net. If they break into my machine they don't have the password for anything. If they break into my office they don't have the password for anything. If the card gets stolen they have the passwords but the card just has 50 or so character strings without any indication (that they know of) of what they go to so they still can't get anywhere.

To me this software and the similar packages for Windows are like storing all of the keys to the building in a box next to the front door and using a single padlock to secure the box. Better to keep all the extra keys in another building.

FWIW I have ~50 passworded systems I have access to and I change all of my passwords quarterly. Yes it's a pain in the @$$ but until we go to some sort of dual key authentication around here for all of our systems it's what I need to do. Even them on line sites like TMO will still have their own password that I'll have to keep with me.

Quote

geoduck wrote:

I keep my passwords on a handwritten card I keep with me. No one can grab them over the net. If they break into my machine they don't have the password for anything. If they break into my office they don't have the password for anything. If the card gets stolen they have the passwords but the card just has 50 or so character strings without any indication (that they know of) of what they go to so they still can't get anywhere.

Some good advice, but carrying passwords written on a card, etc., can violate security rules at some companies. (It would have violated security rules in the US Air Force during my career.) This was a plot device in one Law & Order-Criminal Intent episode, if I remember correctly. Someone observed a colleague using such a card and noted where she kept it, then snuck a look.

Suppose your wallet/bag/briefcase is stolen? Do you have a backup somewhere?

Quote

gslusher wrote:
Suppose your wallet/bag/briefcase is stolen? Do you have a backup somewhere?

If the card were stolen I'd just have to start resetting passwords. But I'd know I'd need to reset them. Even if someone could look at the card, or even steal it the passwords are listed in a way such that I know which PW goes with what, but no one looking at the card would.

Yes, this would violate policies in a lot of businesses or govt agencies. I'm lucky in that I set the standards for around here rather than some Policy Group that only knows what they read in the eWeek.