[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: IBM Applies for Password Manager Patent
From: George Staikos <staikos () kde ! org>
Date: 2003-11-13 18:04:20
[Download RAW message or body]
Quoting Jeff Stuart <jstuart@computer-city.net>:
> AHH I see you know my life better than I do. Ok. :) Let me make it clear.
> :)
> I live alone. I am single. Therefore, yes, my root password is...
> "password". And yes, I have complete unlimited access. If someone gets
> physical access to the computer, am I screwed? Yup! However, I make 3 phone
You are not the only user of KWallet.
> Why? Because what's on the servers is 1000x more important than what's on MY
>
> computer!
If the password for your server is stored on your desktop and it gets
compromised, you may have bigger problems.
> > You might be surprised to know who's been 0wned lately. If KWallet
> used
> > the login password, all this person's passwords would be compromised too.
> >
>
> Are you saying that KWallet is insecure then? Are you saying that there's a
>
> backdoor in KWallet that you've programmed in? Or are you saying that you've
>
> hacked my machine? :) (Note: for the humor impared, this is a joke. Though
>
> I am interested in exactly WHAT you mean here George.)
It would be particularily insecure if it used the login password because
that password would be passed around. This is partially why I will not
implement it. If you use the login password, honestly, you might as well use a
textfile and set your login password to "password". Your choice, but you don't
need KWallet in that case and that was not my design goal when implementing it.
Furthermore, it was never mentioned in the past year during development.
If you use the login password, then the wallet has to remain unlocked at all
times or the password has to remain on disk or in memory. Anyone who gets
access can either grab the wallet contents or grab your login password (most
likely both). The current scheme generally prevents this as long as you don't
force the wallet to remain open at all times.
What it boils down to is that we picked a scheme that is relatively secure,
relatively easy to use, and flexible. I don't want to see too many confusing
options here, and the KControl module is already quite loaded for such a simple
feature. I will read a patch that anyone sends to enable this, but I will be
very discriminating in what I accept. There are much more important things
still to deal with in KWallet than this anyways.
--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic