Ironkey Control Panel
Mark Kaelin is a CBS Interactive Senior Editor for TechRepublic. He is the host for the Microsoft Windows and Office blog, the Google in the Enterprise blog, the Five Apps blog and the Big Data Analytics blog.
Storing your password online is an option; note the checkbox. I wouldn't store my password where anyone else can get to it either. This is a system that is designed to defeat any measures to decypher the data you have secured by destroying the encrypt/decrypt chip. Software based encryption systems can't match the level of security Ironkey creates.
I did not see anything that said the hardware would destruct. Rather the data is securely overwritten so that it no longer exists. This only happens when you enter the password incorrectly 10 times. I don't know if truecrypt has this option, but I don't see why it couldn't. There is a couple of reasons why this is more secure (key generation handled by specialized hardware, and failed password counter is hardware based, tamper resistant hardware). The down side is that there appears to be no way to update the hardware if problems were found with the encryption cipher used (which appears to only be AES). I just did a quick browse of the ironkey website so some of this info could be incomplete. Just as a note, this article did not do much more than screen shots. I have learned more about the drive in 5 minutes on the ironkey web site than this article. Bill
Please keep in mind that this is just the supplement to the full Product Spotlight Review which is available here: http://blogs.techrepublic.com.com/products/?p=363
I don't see how the encryption would be different than what could be achieved using a software utility like TrueCrypt.
Password backup on the cloud is a mistake. It may be the owner can get away without storing there, perhaps using Mirek's very free PINs [http://www.mirekw.com/winfreeware/pins.html], and this goes straight to the point; somewhere along the line it is necessary to store a password, even if only using wetware. Storing in the cloud is IMNSVHO storing a problem for the future. Lately I have started using a TrueCrypt encrypted container on the USB drive I use for personal data. The password is long, complex, and stored nowhere outside of my wetware when I travel. If I cannot access the drive when I'm on the road, that is it, I have to wait until I return home. (That is, if I had for example suffered anterograde amnesia, a form of aphasia or any other form of wetware failure.) I find 'Cloud creep' a disturbing and dangerous phenomenon, as dangerous as the military and security services having internet facing servers linked to defence and other confidential mechanisms. I use very little online storage [for non confidential data only], no online applications (unreliable), I use it merely for transient purposes, and I would never store a password online for data whose retrieval might become a matter of urgency. I'm not alone in my cloud scepticism: http://sharetabs.com/65m The iron key might be alright otherwise, but any corporation that suggests using their cloud server on which to store your password has incorporated a flaw into their product. Would I trust them? Emphatically NO.
First a question: Do these things require the web to use them? If so, what happens if this company goes bust and the web site goes away? Is your data lost? That's a huge risk methinks. I believe I will stick with my TrueCrypt containers. I use it daily (it's even in my startup folder). It works so well I'm even considering encrypting my whole system and I don't have to worry about the company going bust. The on-line storage of passwords isn't a big benefit to me anyway. I use keyboard patterns so I don't have to remember the password; just where to start and the pattern to follow. The result is some very long and very secure passwords that don't require hints or sticky notes.
This is interesting, though I hope it only works off a live thumb: http://www.reghardware.co.uk/2009/04/29/biometric_usb_flash_drive/ As far as other comments are concerned, whereas when I experience troubled staff members I look further up the chain until I find the source of bad recruiting, when I see an insecure security suggestion - in this case the option of cloud storage of a master password - I question the hierarchy involved. If someone is so naive as to suggest this means of password retrieval then I expect to find other security loopholes. That was my point. I was not questioning my ability to resist using their 'facilities', merely the presence of a fashionable solution in their brochure, thereby encouraging insecure practises. Defence requires thought, from the beginning to the end of the process.