I created my own password manager.
The master password must be kept in RAM.
To protect it against attackers, I would like to generate a key that is device-dependent, lost after reboot, and not completely stored in RAM, nor on the HDD, nor in a combination of the two.
Multiple parts:
- Stored on HDD, like a registry entry
- Stored in RAM, like a variable
- Generated at runtime, like an initialized random seed or ASLR (no rebuild if not saved during runtime)
That protects against a RAM dump and an HDD clone.
Do you have any idea what to use for the last point (runtime)?
Need it for Linux (Debian-based) and Windows.
Something that is static at runtime (not changing with time) but lost after reboot.
My ideas (on Linux):
- ip addr (does not change)
- lspci (does not change)
- echo "$PATH" (does not change)
- hostname (on HDD)
- echo "$USER" (on HDD + BruteForce)
- who -b
- last (may be contained or extracted out of logs)
- who
None of them are really random or secure.
On Windows:
- Using the SID of the user (too few random bits?)
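A sketch of the three-part scheme described in the post, added here as an example and not code from the original poster. It assumes the Linux kernel's `/proc/sys/kernel/random/boot_id` as the per-boot part (a random UUID regenerated at every boot and never written to disk); the function names, the info label, and the sample values are hypothetical. Note that `boot_id` is readable by any local process, so it only helps against an offline disk clone, and on Windows the caller has to supply its own per-boot value.

```python
import hashlib
import hmac
import os

# Linux kernel interface: random UUID, regenerated on every boot, not stored on disk.
BOOT_ID_PATH = "/proc/sys/kernel/random/boot_id"


def read_boot_part(path=BOOT_ID_PATH):
    """Return the per-boot value as bytes, or None where the file does not exist."""
    try:
        with open(path, "rb") as f:
            return f.read().strip()
    except OSError:
        return None


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_wrapping_key(disk_part, ram_part, boot_part):
    """Derive the key that wraps the master password from all three parts."""
    if not (disk_part and ram_part and boot_part):
        raise ValueError("all three parts are required")
    # Length-prefix each part so bytes cannot shift between parts unnoticed.
    parts = (disk_part, ram_part, boot_part)
    ikm = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hkdf_sha256(ikm, salt=b"\x00" * 32, info=b"master-password-wrap v1")


if __name__ == "__main__":
    disk = os.urandom(32)  # constructed: would live in a file or registry value
    ram = os.urandom(32)   # constructed: held only in process memory
    boot = read_boot_part() or b"constructed-boot-id"  # fallback for non-Linux demo
    print(derive_wrapping_key(disk, ram, boot).hex())
```

Losing any one of the three inputs, for example the boot part after a reboot, makes the derived key unrecoverable, which is the property the post asks for.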