Slashdot Mirror

What I use is a text file on a thumb drive also backed up on several local drives.

The text file contains the first half or so of the password, enough to remind me of what the password is should I forget. The rest is stored in my brain.

For rarely used passwords and places I will put a hint under the half pass.

I am trying to get away from these long 20 character passwords though... I really wish some one would invent a better system. Maybe a thumb drive that combines storage and a thumb print scanner in one package.

Youy mean like this?

Yeah, they're a bit pricey, but not totally out of the ballpark for the concerned user :)

Excuse me, but if it were like Tor, it would be shuffling your donation around several times between a network of thousands of volunteers' accounts, hoping it will be passed on.

And also, a non-trivial number of financial agencies participating in the fund transfer chain will actually be owned by unfriendly government agencies which are monitoring transactions and building audit trails to de-anonymize stuff they don't like.

See also the TOR Hostile Exit Node problem.

I was wonderin, but... http://www.pocket-lint.com/news/43868/victorinox-ssd-swiss-army-pictures has 3k for the price, though unofficial. I'd love to hear how swiss army came up w that $ sum.

I say this because... swiss army knife = $15 on a good day, 1 tb usb drive = $10 on any day, granted the hardware encrypted and shock proof ones are more expensive, but https://store.ironkey.com/personal = $80 and if anybody wants something like http://www.amazon.com/1TB-Encrypted-Slim-Drive-256BIT/dp/B0036TVX94 they're just being stupid and trying to rip you off. So, $100 v 3k? why???

Already done. https://www.ironkey.com/trusted-access

Apparently even protects against man-in-the-middle attacks and keyloggers.

The Ironkey flash drive ( https://www.ironkey.com/ ) was developed for the military. It features DOD standard encryption on the hardware level and a pre-installed version of firefox with a vpn tunnel provided by Ironkey itself. A.D.B.

Here is the best that I have found. As the story goes nothing is 100% secure as long as it exists. https://www.ironkey.com/

They offered their original non-encrypted drive in a 'without-a-knife' option.

But if you really want a USB stick that's just a USB stick with some encryption, I'd go with a IronKey. http://www.ironkey.com./

Here's the "ads by google" that shows up for this article:

https://www.ironkey.com/l-gov-evaluate-1?ik_c=USA_Branding_Content_CPC_Image&ik_t=IronKey-Gov&ik_s=google&ik_k=Content&ik_v=yro.slashdot.org&ik_ad=true

I'm glad he didn't try to swallow that one!

IronKey D200 and S200 models are validated to the much more demanding FIPS 140-2 Level 3. The products that are the subject of this hack are validated to Level 2. They are all in fact manufactured by SanDisk. Previous authors are correct, their architecture has serious design flaws. They are relying on the host PC to do password verification, and essentially using a static code to tell the device to unlock. Basically it's a back door to all of those affected SanDisk, Kingston and Verbatim devices. I will be posting an FAQ later today on the https://www.ironkey.com/ website describing the flaws and how IronKey's architecture does not have these issues. IronKey validates all passwords in hardware. We have password replay prevention and encrypted USB command channels. We also use a hash of the password to decrypt the data AES key, so it's cryptographically impossible to unlock an IronKey without the password. Finally, IronKeys store encryption keys and brute force counters in a hardened CryptoChip. The SanDisk, Kingston and Verbatim products store them in Flash memory, which isn't even part of their FIPS 140-2 security policy. Dave

I have my netbook using full system encryption with TrueCrypt, with KeyPass for a further level of safe password storage. I also now have an OpenVPN server at home I can connect through.

However before I set up the OpenVPN server I used an IronKey flash drive for safer and more anonymous web browsing. This is a flash drive with built in hardware AES encryption. It comes with a modified version of Mozilla Firebird set up to use that encryption to go through a private TOR network gateway set up by the company. A subscription is included free with the IronKey. It slowed things down a bit but seemed to work. http://www.ironkey.com/personal/.

- Tom

https://www.ironkey.com/

I've been thinking almost the same thing for a little while now. One of the solutions I think might work is an IronKey. While remembering passwords isn't so much of an issue for me it will be for my wife if, heaven forbid, something should happen to me.I'd very much like her to have easy access to important information -- things like banking passwords, insurance and retirement accounts come to mind. I'd also probably put scans of important documents on there -- not that you could use a printed copy -- but more of a database to make ordering new documents easier if there was an emergency and those documents were lost. It is also important that it be as cross-platform as possible, since I may not be around to get it to work. :\ I haven't really come across a software-only solution that fulfills most of these criteria.

https://www.ironkey.com/enterprise

I'm surprised nobody has mentioned this device yet.

I'd keep all my sensitive files on an Ironkey https://www.ironkey.com/ and do a full-disk encrypt on the system drive of the netbook... That way if they jack your netbook, it's pretty much useless, and if they jack your Ironkey, it self destructs after 10 incorrect password attempts.

This might be a bit of overkill, and personally it is not something I've tried myself (yet). Install a user un-friendly version of Linux (just to confound the criminal) and use an Iron Key to run a super small Linux distro on. Keep all of your important data on the key. Don't store the laptop and the key together.

Added bonus - if you are around a desktop or a laptop better than a netbook, you can run your OS and all your documents through the drive.

I partially agree with you, although some people on the go may demand a compromise between usb storage convenience and security. More to your point though- this tool, solution, toy, -pick your reason- is not perfect. I am not an expert at anything, but I've learned over time that as long as there is a unique challenge and the barriers aren't too high, enthusiastic hackers around the world will take it on. The more services, conveniences what-have-yous built into this stick https://www.ironkey.com/compare , https://www.ironkey.com/ikdocs/datasheets/s200/IronKey_S200_Enterprise_Server.pdf; the more touted it is for being secure by the company "the world's most secure flash drive; the only level 3 FIPS 140-2 flash drive"; the more security professionals say they use it and how cool it is https://www.ironkey.com/sdkform; the more likely someone will find a vulnerability with it, one of its dependencies, or one of its features and break it. period.

I partially agree with you, although some people on the go may demand a compromise between usb storage convenience and security. More to your point though- this tool, solution, toy, -pick your reason- is not perfect. I am not an expert at anything, but I've learned over time that as long as there is a unique challenge and the barriers aren't too high, enthusiastic hackers around the world will take it on. The more services, conveniences what-have-yous built into this stick https://www.ironkey.com/compare , https://www.ironkey.com/ikdocs/datasheets/s200/IronKey_S200_Enterprise_Server.pdf; the more touted it is for being secure by the company "the world's most secure flash drive; the only level 3 FIPS 140-2 flash drive"; the more security professionals say they use it and how cool it is https://www.ironkey.com/sdkform; the more likely someone will find a vulnerability with it, one of its dependencies, or one of its features and break it. period.

I partially agree with you, although some people on the go may demand a compromise between usb storage convenience and security. More to your point though- this tool, solution, toy, -pick your reason- is not perfect. I am not an expert at anything, but I've learned over time that as long as there is a unique challenge and the barriers aren't too high, enthusiastic hackers around the world will take it on. The more services, conveniences what-have-yous built into this stick https://www.ironkey.com/compare , https://www.ironkey.com/ikdocs/datasheets/s200/IronKey_S200_Enterprise_Server.pdf; the more touted it is for being secure by the company "the world's most secure flash drive; the only level 3 FIPS 140-2 flash drive"; the more security professionals say they use it and how cool it is https://www.ironkey.com/sdkform; the more likely someone will find a vulnerability with it, one of its dependencies, or one of its features and break it. period.

O use an Ironkey. It's waterproof (potted with epoxi), and you get encryption as a bonus too.

It's a nice idea, but any attacker with half a brain would pull the drive and work on the data using a trusted computer and trusted software, with all those pesky "self destruct" routines disabled.

Duress passwords and self-destructing volumes can work, but only if the mechanism is inseparable from the data like in the IronKey.

Ever tried the Ironkey?

Alternate product you could use without admin rights is Iron key - https://www.ironkey.com/ I've read / heard some good reviews about this product though never used it myself.

You should look into the Ironkey. No admin rights required. The only real drawback is that it is expensive (A 4GB flash drive is $149), but the extra features are worth it.

Actually I'd tend to agree, especially if it's in the same geographic area. Except I'd use an IronKey flash drive to maintain security.

And in response god created the iron key...
https://www.ironkey.com/

Now this might look like spam, but I have no affiliation with IronKey.

https://www.ironkey.com/

IronKey is rather cool, the memory chips are drained in epoxy, so you cant open it.
It's a nice piece of security engineering.

We're not prepared to discuss in a public forum which processors we are using. Might be competitors lurking about :-)

We will publish benchmarks on speed, but it's faster than any software crypto we've tried. You are missing a number of advantages. Did you read the whitepaper on why hardware encryption is better than software???? https://learn.ironkey.com/docs/IronKey_Whitepaper- Benefits_of_Hardware_Encryption.pdf You fail to mention: - prevents brute-force password attacks (this is a big one) - prevents offline attacks on the encrypted data (because there is no .img file to copy and crack) - strong key generation and storage - no software or drivers to install, and works in non-admin mode on Windows (TrueCrypt installs a driver and required Admin-mode) - always on, cannot be disabled by user error or malware (unlike software crypto) As far as your disadvantages: 1. you're free to run an open source software crypto package on the device as well as the hardware crypto. 2. We are doing a FIPS-140 certification, whereby a third party is reviewing our code. 3. Possible, but if malware is power cycling your computer, you've got other things to worry about than it trying to DOS your IronKey.... like it would probably just erase your hard drive, no? Thanks for your comments and questions. - Dave @ IronKey

Thanks to everyone for your really interesting comments and questions. We will update our website to make it more clear that we have a FAQ section that answers many of the questions posed here on SlashDot. https://learn.ironkey.com/faqs We also have a whitepaper that describes how our hardware encryption works, the threat models, and how it is better than software encryption. https://learn.ironkey.com/docs/IronKey_Whitepaper- Benefits_of_Hardware_Encryption.pdf We released Windows versions first, as the majority of the market is using that OS. We are working on Linux and MacOS versions. Thanks, Dave Jevans @ IronKey

Thanks to everyone for your really interesting comments and questions. We will update our website to make it more clear that we have a FAQ section that answers many of the questions posed here on SlashDot. https://learn.ironkey.com/faqs We also have a whitepaper that describes how our hardware encryption works, the threat models, and how it is better than software encryption. https://learn.ironkey.com/docs/IronKey_Whitepaper- Benefits_of_Hardware_Encryption.pdf We released Windows versions first, as the majority of the market is using that OS. We are working on Linux and MacOS versions. Thanks, Dave Jevans @ IronKey

Sorry, your "dd" attack will not work on an IronKey. We do not mount the secure volume until the password is correctly entered. In fact, we present as 2 devices to the computer. Your data is stored as a removable media. We don't "insert" the media until the password is entered correctly. That is one aspect why it's better than a regular USB key. Our security whitepaper gives a description of how it works, and the benefits of the approach over software implementations. https://learn.ironkey.com/docs/IronKey_Whitepaper- Benefits_of_Hardware_Encryption.pdf Oh yeah, we wanted to put some thermite into it, but it wouldn't pass CE safety tests. Thanks, Dave Jevans. IronKey

You can learn more about why hardware encryption is better than software encryption in our whitepaper: https://learn.ironkey.com/docs/IronKey_Whitepaper- Benefits_of_Hardware_Encryption.pdf Briefly: - it is 5 to 10 times faster than software encryption, which is important if copying large files or running portable applications off the device - the key storage is far more secure. IronKey stores randomly generated AES keys in a tamper-resistant chip which will destroy itself if physically or electrically tampered with. - there is no way to prevent brute-force password or key guessing attacks with software encryption. I can eventually crack any TrueCrypt encrypted data. IronKey manages password unlocking in hardware and cannot be brute forced. Also the storage volume is not mounted until the password is correct, unlike TrueCrypt on a regular flash drive (Imagine if I copy your TrueCrypt files onto 100,000 bots, and start cracking in parallel....) - no drivers and no administrator rights are needed with hardware encryption. - we can use the same cryptochip secure storage to manage stored passwords, which makes it more secure than software password managers. To address your issue with malware on the host killing the drive with 11 bad password attempts... we prevent this by requiring the drive to be physically unplugged and re-plugged in after 3 bad password attempts. If malware is on the computer, it copying your password is the least of your worries. Once you log into the device, it can copy all your files. Nothing you can do about that. We have designed a keylogger proof IronKey, but this will be coming in a future hardware design. Dave Jevans. IronKey

The key storage IS tamper resistant. The chip will self-destruct if tampered with physically or electrically. This chip is separate from the flash memory where your data is stored AES encrypted. You are correct that the flash memory will not destroy itself if tampered with, but all data in there is AES encrypted. It is most important that the AES key be destroyed. Note that the devices are sealed with epoxy potting compound, which makes it extremely difficult to get the chips off the board without physically destroying them. To help you in your determination of shiny turdness, try reading our whitepaper on the security model and crypto employed. https://learn.ironkey.com/docs/IronKey_Whitepaper- Benefits_of_Hardware_Encryption.pdf Thanks, Dave Jevans. IronKey

https://learn.ironkey.com/faqs they should have put this on the home page but from what i read they've got their shit together....