On 2012-01-05 11:21 AM, Willie Gillespie <wgillespie@es2eng.com> wrote:
If the phone knows the password and I have the phone, then I have the password. Similarly, if I compromise the workstation that knows the password, then I also have the password.
Interesting... I thought they were stored encrypted. I definitely use a (strong) Master Password in Thunderbird to protect the passwords, so it would take some doing on the workstations.
Even if the user doesn't know the password, the phone/workstation does. And it has to be stored in a retrievable way.
Yes, if an attacker has unfettered physical access to the workstation/phone, it can be compromised...
That's what he's trying to say when he was talking about a "$400 post-it note."
Got it...
As I said, there is no perfect system... but ours has worked well in the 11+ years we've been doing it this way.
--
Best regards,
Charles