Dogbert the Security Consultant Strikes Again: Online Storage of Passwords

Posted on March 6, 2008. Filed under: Auditing, General

Ok maybe I need to rethink associating all Online Password Storage groups in the same realm as Dogbert. Think think think think…hmmmm….NOPE!

A nice aspect of running this blog is that the backend shows me where referrals come from, and recently one came from http://www.notsorelevant.com/2008-01-30/is-giving-away-passwords-cool-again/. While the information within the article was interesting, especially the new German application Allyve, I thought the author missed the mark comparing this product to OpenID or OAuth. Allyve works more along the lines of any of the top 3 hits that Google brings back when searching for Online Password Storage: Agatra – Comodo – Handypassword.

While I won’t go into detail about these applications directly, I would like to talk about their overall purpose. All 4 of the previously listed applications are designed to store your passwords online and make them accessible from anywhere. This, as a security officer, absolutely scares me from a couple of different angles.

First and foremost in my mind: why would I ever want to create an attack vector for Mr. BadGuy that is available 24×7? A fundamental rule of security is to never store your key where a single avenue gives access to both the key and the area that the key unlocks.

Second, why would I want to use a service that holds my digital identity without offering any reparation if it is compromised? If a company holds my most valuable information and is unwilling to put its financial butt on the line for offering these services, I would recommend taking a second look. Most of them spell this out in the Terms of Service that everyone automatically checks as read when they first sign up.

While perhaps not suited to the individual user, the alternatives to online password storage are OpenID or OAuth. At least with both of these tools your organization still retains control over your passwords. On the negative side, you could become responsible for your users’ personal passwords. It is all ugly!!

The best solution once again comes down to policy, and I would advise all organizations not to allow online password storage for any corporate assets.


One Response to “Dogbert the Security Consultant Strikes Again: Online Storage of Passwords”


nice work, bro
