[security flaw] Ubuntu is a plain text offender

Jordon Bedwell jordon at envygeeks.com
Tue May 24 17:34:15 UTC 2011


On 5/24/2011 12:01 PM, Kevin O'Gorman wrote:
> I have a different take on this.

> If I had 800 distinct passwords, it would be unlikely I could remember
> all of the passwords just for accounts that hold money or other
> negotiable assets, especially if they were random, and I would have to
> carry a written list of more bulk than I like, obfuscated or not.  I
> would have to use the list regularly and risk both losing it and having
> it "shoulder surfed".

I don't know any of my 4 master passwords by heart.  As a matter of
fact, I deliberately pronounce them wrong in my head so that if I'm ever
attacked on the spot for one of my master passwords, I can tell them
what I say in my head.  I have an uncanny ability to action memorize
things without actually knowing I memorized them or being able to recall
that memorization and to head memorize a totally different thing.  What
I say in my head and what I see my hand doing are totally different than
what my hand is actually doing.

This was my demise not too long ago. One night I woke up in a freaked-out
frenzy for some reason; well, it was because somebody screamed something
that triggered me. I was just freaked out like something had been
compromised and I needed to go on the defense fast, and I ended up resetting
my action memorization.  Anyways, the moral of my story is, I would
rather lose 800 passwords in a single database, even to myself, and have
to reset them as I need them rather than have any recurring passwords;
a compromise is a compromise, regardless of what type it is. I am not
in the business of deliberately creating a hole in my own security.
I'll be damned if I'll create my own backdoor, even if it's just a
password to my library account online.

Don't mind me though; I'm rather stern when it comes to this type of
stuff. I believe that compromises happen and you can't protect against
everything, because eventually something bad will happen, but when
negligence and ignorance are the hand of compromise, I am unforgiving,
and your case is a classic example of that.

> My point: match the effort and nuisance value of pw maintenance with the
> real sensitivity of the thing being protected.  As our lives go
> increasingly online, there will be more people with 800 accounts or more
> of one kind or another.  What's needed is a scalable system of pw
> management.  A judgement call, of course, and preferences will differ.
> YMMV.
