yeah, I remember having a thorough review done by a couple of outside third parties, including the founder of CPS, security engineer from ?filenet? can't remember, they did all the authentication for POS for visa?

Anyway, if I recall there was essentially a small DMZ on the card. the biometric would authenticate with the server and allow access for the LOCAL MACHINE to access the information from the CARD. The local MACHINE would validate the authentication and pass access as "open" to the direct client with a simple user name, which would call up the network share for that user. Then, the user would have to re-authenticate with a password sign on which was simply network based as usual. At first there was a second step to authenticate back to the DMZ of the card but it wasn't really necessary.

or something like that. Losing the CARD was a pain to deal with as everything would have to be rebuilt.

Sure, everything is hackable. And local files are arguably no less so. Plus, with local files, what do you do when your hard drive crashes, or if you're using a different computer that doesn't have the file on it? My point is that an online service like LastPass, which from everything I can tell uses well-implemented procedures and standards, is as secure as your master password.

If you want absolute privacy, keep everything in your head and don't write anything down...but what will you do when they send you to Guantanamo?

Sure, fair enough. But nobody can use my LastPass info, since LastPass doesn't have my password. All the encryption/decryption happens on my computer. So it's the convenience of anywhere-access, and the security benefits you ascribe to local-only files. Seems like a win-win to me!

Tell you (or anyone) what: anyone who wants to try getting into my LastPass account is welcome to try. PM me for my email address logon. I'll tell you that it's a 9 character password with upper- and lowercase letters and at least one number.

Thanks for your support, Mark. We really appreciate it!

We also have eWallet GO! ( http://www.ewalletgo.com) It's a great solution for folks looking for a simpler, low-priced solution for storing passwords.

Marc
Ilium Software
www.iliumsoft.com

PS: I'm a really person - not a bot! Not trying to spam anyone here. Just saw Mark's post and wanted to suggest eWallet GO! as well. A lot of folks who don't need all the features in eWallet really like eWallet GO!

That's not doubly vulnerable; lastpass sends your computer the same stuff 1password or keepass would store locally, and there's nothing stopping an attacker who gets access to that information from storing it for an offline attack (which would still take thousands of years).

Really, any password manager that allows you to use long and difficult passwords without the fallibility of human memory and randomization is fine. If somebody really wants to get you, they'll always be able to use rubber-hose cryptanalysis, and anybody who wants to just do wanton damage will find other peoples' crappy passwords first.

Not only that, if LastPass was free and open source maybe I'd consider it. The fact I have to PAY money to have a private closed source program to store my most sensitive data - no thanks.

Open Source + Free is always best for personal security solutions, unless I'm the developer that developed the program myself and charge people to use it, with my closed source program code.

KeePass is open-source: http://keepass.info/

Have fun with your auditing!

Oh about passwords, the IronKey will also generate them for you. Also you can back it up on your computer and also online.

IronKey

I've been using eWallet for quite some time. It's secure and syncs wirelessly with my iPhone.

LastPass generates passwords too.

LastPass is free unless you want the mobile apps. Then it's something like $10/year.

deleted.... saw the existing recent thread about passwords