2000-04-29-14:38:59 Roeland Meyer:
WRT: external access
These days, what I'd recommend is issuing laptops. If a larger screen isn't needed for any other reason, a Sony Vaio Picturebook would be just dandy; it's small enough to be with you nearly all the time. Secure the _heck_ out of them, and have the only remote-access provision be to use them. Define them to lie within your security perimeter, and plan your trust requirements accordingly. E.g. the credentials that are stored on a given laptop need to be clearly identified so they can be revoked if the laptop is lost. Given a laptop that will always be used for the external access, techniques like ssh and VPN and whatnot work way better. For the rabidly cautious, prohibit "nap" mode, and make sure the creds are stored encrypted, with a passphrase that must be entered by hand. Maybe use an encrypted filesystem if there's no other easy way to do the deed.
WRT: Passwd diversification
GNU Keyring <URL:http://gnukeyring.sourceforge.net/> is your friend. Store passwords in your Palm, with no fears for the security of the backups or the loss of the Palm. And it can generate nice passwords, too. Makes it _easy_ to use really strong (computer-generated random strings from nearly all the printables, you pick the length) and distinct passwords for every distinct security domain, including every separate website that you register on.

-Bennett
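The requirement above that laptop credentials be "clearly identified so they can be revoked" can be made concrete for ssh keys. The following is an added example, not part of the original message: it assumes a hypothetical convention where every laptop key in an OpenSSH `authorized_keys` file carries a `device=<asset-id>` comment, and the function name, asset ids and key blobs are all constructed for illustration.

```python
import re

# Assumed convention (not from the original post): each laptop's public key
# has "device=<asset-id>" in its authorized_keys comment field.
KEY_RE = re.compile(
    r'(?:^|\s)(?P<type>(?:sk-)?(?:ssh|ecdsa)-[A-Za-z0-9@.-]+)\s+'
    r'(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$'
)
TAG_RE = re.compile(r'\bdevice=(?P<id>[A-Za-z0-9_.-]+)')

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = '''\
# remote-access laptops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderOne alice device=vaio-01
from="192.0.2.0/24",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderTwo bob device=vaio-02
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPlaceholderThree carol@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderFour alice device=vaio-010
'''

def revoke_device(text, lost_id):
    """Drop every key tagged with lost_id; report keys with no device tag."""
    kept, revoked, untagged = [], [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            kept.append(line)              # blank line or file comment
            continue
        m = KEY_RE.search(stripped)        # skips any leading key options
        tag = TAG_RE.search(m.group('comment') or '') if m else None
        if tag is None:
            untagged.append(line)          # cannot be tied to a device
            kept.append(line)              # left in place for manual review
        elif tag.group('id') == lost_id:   # exact match: vaio-01 != vaio-010
            revoked.append(line)
        else:
            kept.append(line)
    return '\n'.join(kept) + '\n', revoked, untagged

if __name__ == '__main__':
    new_text, revoked, untagged = revoke_device(SAMPLE, 'vaio-01')
    print(new_text, end='')
    print('revoked:', len(revoked), 'untagged:', len(untagged))
```

The `untagged` list is the audit finding: any key that shows up there could not be revoked by device if its laptop went missing.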