Mailing List Archive



Re: [tlug] how do you 'web password' ?



On 19/12/05, Evan Monroig <evan.monroig@example.com> wrote:

> In fact I was wondering if it could be improved. For example, when I
> have to use one of my passwords for my work computer for the first
> time, I need to decrypt the file, and then copy-paste the password
> into firefox. So someone standing behind me would be able to see it,
> and someone with access to the clipboard also.

Well, my passwords are significantly nasty that more than a quick
glance would be required to memorise them.

Here's what I do. It is not fool-proof, but it is good enough so far.
I welcome suggestions to improve the security of this system.

I reserve an xterm (or mlterm, as the case may be) for my passwords. I
decrypt the password file, and then immediately hit Ctrl-L to clear my
terminal. When I need a password, I use the terminal's scrollback
buffer to locate and highlight it, then I return to the bottom of the
buffer (so the passwords are not visible on the screen for more than a
second).

Problems with this system:

- Someone with root access to my machine could access the plaintext
passwords in memory--either the X yank buffer or the mlterm scrollback
buffer.
- Someone with a photographic memory might be able to remember a
password even if he sees it for only a second. (I attempt to mitigate
this with common sense; I do not access my passwords if someone is
standing behind me.)

And yes, I always lock my terminal when I leave my cube, even for a moment.

Cheers,
Josh
