project idea: portable password safe

Bas Wijnen wijnen at debian.org
Sun Sep 15 13:11:50 EDT 2013


On Sun, Sep 15, 2013 at 03:55:38AM +0200, EdorFaus wrote:
> To be honest, I'm not so sure that this is really any better than
> simply returning an error or not responding at all. I think the idea
> is based on an idea I saw somewhere for stopping forum/comment
> spam[2], so I'm not sure if the idea is really valid for this use.
> It does kind of feel like security by obscurity, since it's based on
> hiding what's actually going on.

No, it's better than that.  Using such a defense alerts the user that the PC is
infected, which is very valuable information.  Apart from that, it doesn't
allow access to the passwords when it shouldn't be allowing that, so that's
regular security, not "by obscurity".  It would be security by obscurity if you
would implement some custom protocol for getting to the real passwords, and
hope that nobody finds out about it.

> One negative aspect of this would be that the actual password
> management program wouldn't be able to tell the difference either,
> so if the user had locked their device and forgot about it, they'd
> probably be a bit puzzled as to why their passwords weren't
> manageable anymore.

If they know they're locking their device, they should recognize the symptoms
of that mistake soon enough. :-)

Thanks,
Bas
