project idea: portable password safe
edorfaus at xepher.net
Sun Sep 15 14:31:04 EDT 2013
On 09/15/2013 07:11 PM, Bas Wijnen wrote:
> On Sun, Sep 15, 2013 at 03:55:38AM +0200, EdorFaus wrote:
>> To be honest, I'm not so sure that this is really any better than
>> simply returning an error or not responding at all.
>> It does kind of feel like security by obscurity, since it's based on
>> hiding what's actually going on.
> No, it's better than that. Using such a defense alerts the user that the PC is
> infected, which is very valuable information. Apart from that, it doesn't
> allow access to the passwords when it shouldn't be allowing that, so that's
> regular security, not "by obscurity".
Well, OK, but I don't think either of those are different with this
feature vs just returning an error instead, so the point about not
providing any *additional* (regular) security still holds.
I'm assuming that that alert would be shown on the device itself, since
the PC can't be trusted at this point, and the device could just as
easily display an alert and return an error as it could display an alert
and pretend it's allowing the access.
>> One negative aspect of this would be that the actual password
>> management program wouldn't be able to tell the difference either,
>> so if the user had locked their device and forgot about it, they'd
>> probably be a bit puzzled as to why their passwords weren't
>> manageable anymore.
> If they know they're locking their device, they should recognize the symptoms
> of that mistake soon enough. :-)
Well, yes, and for the first-timers (or those who forgot about locking
it) the symptoms probably shouldn't be too hard to search for.
And if we show a security alert on the device, they can just look at
that to understand what's going on (I'm assuming the alert would say
something like "Attempted access to locked device detected").
More information about the discussion