• Thanks for pointing me to the SQL Inject Me and XSS Me plugins, those will definitely help test the web apps.

    I was curious, and was hoping you could elaborate as to how you manage your passwords securely.

    February 03, 2010
  • Personally, I prefer the password wallet systems. I generate a secure password for each site and store it in a wallet. Wallets should use secure encryption (like AES or Twofish).

    Generally speaking, I distrust the “store it in the browser” option. I know that it’s more convenient and that modern browsers use decent encryption on their password stores… but in order to function, they must be able to read the store. This means that it is theoretically possible for a flaw in the browser to expose the store to an attacker via a web page.

    That’s not to say that my solution is perfect. In particular, it is vulnerable to password sniffing by keylogger and accidental account lockouts due to mis-entered passwords. However, when I compare those risks to those of native browser storage, the native browser solution seems riskier. (This is just a feeling… I’ve not researched it… yet ;)

    Basically, my philosophy is similar to the Unix philosophy. Most systems do one thing well. Browsers, be they IE, Firefox, Opera or Chrome, are really good at browsing. They’re getting better at security, but it’s still not their core focus. There is a lot of security in simplicity, so a simple password wallet with good market history (and that is being actively maintained) is probably better than security in a browser.

    I use GNU Keyring on my Palm and am considering 1Password should I move to the iPhone. I don’t know what’s available in the Blackberry and Android spaces, but I’m sure that they exist there too.

    February 03, 2010
  • I was just doing a little searching and ran across http://lastpass.com – very wide compatibility, including Linux. This Ubuntu forum question and response by a team member of LastPass was encouraging as well: http://ubuntuforums.org/showthread.php?p=5896494

    I was considering 1Password as well, but they have completely ignored an Android version for a long time, continually saying they’ll get to it eventually – plus, they don’t support any OS other than OSX.

    February 03, 2010
  • Hmm, LastPass does look promising. I agree with what you say about 1Password. It is a very good solution, but only in the OSX/iPhone space. I just haven’t researched anything else in any detail, as the solution I have right now is working.

    I expect that I’ll be looking a lot come this time next year when it’s time to pick out a shiny new phone. :)

    February 03, 2010
