0

I want to keep only a few copies of source of password hashing and logins for the database & other sites physically with me for maximum security.

How can I edit and compile the source without a copy ever making it onto disk. In other words, is there an unix editor that won't copy the file automatically to disk memory, and can g++ be prevented from storing a copy on the disk during compilation?

  • This reeks of paranoia and security through obscurity. –  May 25 '13 at 23:37
  • @delnan so you'd say this is overkill? –  May 25 '13 at 23:37
  • 1
    A good hashing algorithm does not need to be closed in order to be secure. – cdhowie May 25 '13 at 23:39
  • Nobody can tell without knowing *what* data you're trying to protect, and *why* you think it's necessary. But from the looks of it, you may be paranoid about espionage, and/or you may be relying on secrecy of algorithms for security (see cdhowie's comment). –  May 25 '13 at 23:40
  • @cdhowie if an intruder has the source of the hashing, assume scrypt, and access to the passwords, they can't get the passwords immediately? –  May 25 '13 at 23:44
  • @Sulla If by "access to the passwords" you mean the hashed passwords, yes, that is the entire point of hashing. The set of outputs from the hash function is bounded; the set of inputs is not. It therefore follows that the number of inputs that will generate a specific output is infinite. If you can look at the output and the hash function definition and derive the input, the hash function is useless from a cryptographic standpoint. – cdhowie May 25 '13 at 23:47
  • @cdhowie if my particular source that uses scrypt and *is* accessible along with the database storing the hashed passwords can be immediately converted to the real passwords then the intruder can be just as fast in breaking into the true passwords without that source? –  May 25 '13 at 23:52
  • I would add to cdhowie comment that a hashing algorithm that needs to be closed in order to be secure is already weak. – JBL May 26 '13 at 00:04
  • @JBL but can't the true passwords be accessed immediately if an intruder has access to the application's source code that uses a hashing algorithm to store hashed passwords and to the hashed passwords themselves? –  May 26 '13 at 00:09
  • 1
    @Sulla **No.** A hashing algorithm is one-way. Consider the following equation: x mod y = z. If you know that z is 25 and y is 100, what was x? The answer is that you don't know -- x could be 25, or 125, or 225, and so on. But with hashing algorithms it's even more complicated, as hashing algorithms are designed such that if you are given an output it is not feasible to derive a possible input to match it without trying *every possible input* until you find one with the correct output. (The security of Bitcoin, for example, relies on this principle.) – cdhowie May 26 '13 at 01:29
  • @Sulla Note that rainbow tables (precomputed (input,output) pairs) against popular algorithms like MD5, SHA1, SHA2, etc. mean that it *is* possible for passwords to be quickly derived from the hash -- *unless* you use a random, per-user salt. If you are using per-user salt in your hashes then rainbow tables become completely ineffective. – cdhowie May 26 '13 at 01:31
  • @cdhowie ty, i FINALLY understand the basics of encryption...i think. ty much! –  May 28 '13 at 03:11

1 Answers1

1

If you absolutely need to do this I suggest that you do two things.

Install drive encryption software and use the strongest algorithm possible. Then encrypt a USB stick and stash the private key in a safe deposit box. This takes care of accessing and storing the sensitive data in a portable "take it with me" fashion.

If you want to be excessively paranoid and prevent the file from being copied to an unsecure drive the second thing you can do install a RAM disk and do all of your work on that. You may still have some data stored on disk through virtual memory (which you can turn off if you like) but all operations to the file will occur in RAM. You can then copy the changed files back over to the USB stick or do some sort of syncing. Perhaps a Git repository on the USB stick so you can do a pull into the RAM disk and push changes back out to whatever your active development branch is.

A third option. Get a cheap laptop, encrypt the entire drive and take that with you. It's everything all wrapped up into one!

Captain Obvlious
  • 19,754
  • 5
  • 44
  • 74