Password manager?

Saving$
Posts: 1842
Joined: Sat Nov 05, 2011 8:33 pm

Re: Password manager?

Post by Saving$ » Sat Nov 26, 2011 10:59 pm

Die Hard wrote:I have Password Keeper on my Blackberry Smart Phone. Haven't seen this mentioned.

Anyone know of any security concerns with this one? It's my work phone. If I ever left my job they would take the phone. Could it possibly be hacked then?
Switch to KeePass. I would be less concerned about others hacking it if you lose your job, than you losing your job AND your passwords. The other problem with the BB PW Manager, in addition to security concerns, is that you have to enter everything on the BB, and if your company switches to Android, it is a pain to reenter everything.

Just download the desktop version of KeePass, and the BB version, and sync to your home computer. Problem solved.

ltuxl
Posts: 96
Joined: Mon Jun 20, 2011 11:48 am

Re: Password manager?

Post by ltuxl » Sun Nov 27, 2011 2:50 pm

If you are looking for a program already set up then there is a hefty list above but I am just throwing out an idea...

Encrypted Spreadsheet...

The Spreadsheet will hold everything you want as it is fully customizable and what platform does not have a free spreadsheet program? (Open Office)

Below is how I have mine set up
- Category i.e. Bank Accounts, Shopping Accounts, Entertainment Accounts etc.
- Passwords, Username, Security Images, Security Questions (w/ answers)

Also you can place this on a USB thumb drive and encrypt it - this is where the issue might come into play with smartphones and such. http://www.truecrypt.org/ is an amazing program but I have only used it on Windows/MAC/Linux OS - not so much smart phones. You can encrypt your spreadsheet (and anything else in the volume size you specify) with 256-AES encryption (very secure).

Just a tip!
- Mr. Tux

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password manager?

Post by Epsilon Delta » Sun Nov 27, 2011 5:42 pm

ltuxl wrote:If you are looking for a program already set up then there is a hefty list above but I am just throwing out an idea...

Encrypted Spreadsheet...
This may be as secure as one of the password managers when the data is at rest (i.e. you are logged out and the passwords are just sitting there in an encrypted file) but will be less secure while you access the file.

Good password programs will protect against multiple threats, including taking steps to protect against spy-ware on your PC and against leaking information to other users on a shared system or "cloud".

As an example, if a password manager or spreadsheet is swapped to disk while it is handling your passwords then the plain text of some of your passwords could be written to the page file. An attacker could snoop the page file to find your passwords. Password managers will take steps to avoid being paged out while they are handling sensitive data such as plain text passwords. In contrast a spreadsheet usually will not and cannot take the same steps.

This is just one example of the sort of design detail that goes into a good password manager.
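
The page-out protection described in the post above, as an added example that is not part of the original thread and not taken from any password manager's source: a small POSIX C helper that locks a secret's pages into RAM before writing to them and wipes them before release. The `secret_buf` type and the `secret_*` function names are hypothetical, and the password string is constructed.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Hypothetical type for this example: a buffer for one plaintext secret. */
typedef struct {
    unsigned char *data;
    size_t len;    /* size in bytes, rounded up to whole pages */
    int locked;    /* 1 if the OS agreed to keep the pages in RAM */
} secret_buf;

static size_t page_size(void) {
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Allocate whole pages and lock them BEFORE any secret is written. */
int secret_alloc(secret_buf *b, size_t want) {
    if (b == NULL || want == 0) return -1;
    size_t page = page_size();
    b->len = ((want + page - 1) / page) * page;
    b->data = aligned_alloc(page, b->len);
    if (b->data == NULL) return -1;
    /* mlock can fail (RLIMIT_MEMLOCK, missing privilege). Record the result
       so the caller can warn or refuse instead of assuming protection. */
    b->locked = (mlock(b->data, b->len) == 0);
    memset(b->data, 0, b->len);
    return 0;
}

/* Copy a NUL-terminated secret into the buffer; refuse if it does not fit. */
int secret_set(secret_buf *b, const char *s) {
    if (b == NULL || b->data == NULL || s == NULL) return -1;
    size_t n = strlen(s);
    if (n >= b->len) return -1;
    memcpy(b->data, s, n + 1);
    return 0;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the stores. */
void secret_wipe(secret_buf *b) {
    if (b == NULL || b->data == NULL) return;
    volatile unsigned char *p = b->data;
    for (size_t i = 0; i < b->len; i++) p[i] = 0;
}

/* Returns 1 if every byte of the buffer is zero, 0 otherwise. */
int secret_is_zero(const secret_buf *b) {
    for (size_t i = 0; i < b->len; i++)
        if (b->data[i] != 0) return 0;
    return 1;
}

/* Wipe first, then unlock and free, so no plaintext outlives the lock. */
int secret_release(secret_buf *b) {
    if (b == NULL || b->data == NULL) return -1;
    secret_wipe(b);
    if (b->locked) munlock(b->data, b->len);
    free(b->data);
    b->data = NULL;
    b->len = 0;
    b->locked = 0;
    return 0;
}

int main(void) {
    secret_buf b;
    if (secret_alloc(&b, 64) != 0) return 1;
    if (!b.locked)
        fprintf(stderr, "warning: mlock failed, secret may reach swap\n");
    secret_set(&b, "constructed-example");   /* constructed sample value */
    /* ... the secret would be used here ... */
    secret_wipe(&b);
    printf("wiped: %d\n", secret_is_zero(&b));
    return secret_release(&b) == 0 ? 0 : 1;
}
```

Locked pages are kept out of swap, but suspend-to-disk (hibernation) still writes all of RAM to disk regardless of memory locks. On Windows the corresponding call is `VirtualLock`.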

tadamsmar
Posts: 8582
Joined: Mon May 07, 2007 12:33 pm

Re: Password manager?

Post by tadamsmar » Tue Nov 29, 2011 4:07 pm

LastPass reported a possible security breach a while back:

http://news.cnet.com/8301-1009_3-20060464-83.html

Bylo Selhi
Posts: 1119
Joined: Mon Feb 19, 2007 10:40 pm
Location: www.bylo.org in the Great White North

Re: Password manager?

Post by Bylo Selhi » Tue Nov 29, 2011 4:44 pm

tadamsmar wrote:LastPass reported a possible security breach a while back:
Yes, and it was dealt with twice upthread.

Bottom line: False alarm, but they took the principled position of making everyone change their master password just in case.

stan1
Posts: 8015
Joined: Mon Oct 08, 2007 4:35 pm

Re: Password manager?

Post by stan1 » Tue Nov 29, 2011 8:04 pm

tadamsmar wrote:LastPass reported a possible security breach a while back:

http://news.cnet.com/8301-1009_3-20060464-83.html
Right, they reported a possible breach and took precautions to protect their customers.
How many companies have had actual breaches and never reported it to you?

I am sticking with the guys who did the right thing for their customers even though it likely hurt their business significantly (many of these customers don't pay a cent for the capability).

exeunt
Posts: 907
Joined: Tue Jan 08, 2008 6:54 pm

Re: Password manager?

Post by exeunt » Thu Dec 01, 2011 3:08 pm

As many others have said, KeePass + Dropbox.

Being open source is huge. Security through opacity, part of the cloak private vendors provide, is illusory.

Teetlebaum
Posts: 457
Joined: Tue Apr 10, 2007 4:27 pm

Re: Password manager?

Post by Teetlebaum » Sat Dec 17, 2011 2:29 pm

I was a happy user of Lastpass until yesterday when it logged me out but wouldn't recognize my password. Since I couldn't log in, I've lost all my passwords. :evil:

As directed by Lastpass, I tried my old password & different browsers, and even a different computer, but all to no avail.

Goodbye to Lastpass forever.

If you insist on using Lastpass, at the very least, learn from my error and back up all your passwords.

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sat Dec 17, 2011 3:40 pm

The thing about the possible breach at LastPass is that it wouldn't have mattered even if there had been an actual breach. LastPass has marketed its product that way from the start. They've always said that even if your data were stolen from their servers, it would be safe as long as you'd used a strong master password...and they're right. Add a second authentication factor, and it's a nearly bulletproof system. Not 100 percent, of course, but close enough for practical purposes.

Not sure what to make of the report of a master password ceasing to function. That would certainly be a big deal.
Darin

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Sat Dec 17, 2011 4:00 pm

Teetlebaum wrote:I was a happy user of Lastpass until yesterday when it logged me out but wouldn't recognize my password. Since I couldn't log in, I've lost all my passwords. :evil:

As directed by Lastpass, I tried my old password & different browsers, and even a different computer, but all to no avail.

Goodbye to Lastpass forever.

If you insist on using Lastpass, at the very least, learn from my error and back up all your passwords.
Wow talk about a major fiasco.

If that happened to my Keepass, I'd be totally hosed - I have so many important passwords and logons and accounts on there that it's a godsend.

Fortunately, the backup files are also so small (<200k) that it's trivial to email them to yourself repeatedly after every update.

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sat Dec 17, 2011 4:17 pm

lightheir wrote: Fortunately, the backup files are also so small (<200k) that it's trivial to email them to yourself repeatedly after every update.
How would backup files help if your master password weren't working?
Darin

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Sat Dec 17, 2011 4:21 pm

Having your master fail is pretty near impossible if you use Keepass, as you have both the original application .exe to reinstall as needed, as well as redundant versions of prior backups (I have probably around 100 different copies in the past 2 years as I email it to myself after every new entry.) So to have a total loss would involve breaking all of those old copies or even the backup copies of the .exe.

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sat Dec 17, 2011 5:48 pm

Same with LastPass, if you go with the default setup and you back up periodically. I don't think I would back up to an email account, though--partly because of security considerations, and partly because my personal email password was generated by and is stored in LastPass, so I don't know what it is.

I guess I'm taking some risk because I don't allow LastPass to keep a copy of my data on my local drive, so if something somehow got corrupted on their server...but even then, they have password recovery options. I have to admit that at this point, I'm having a problem believing this is a real issue. My apologies to the other poster, because I know how irritating that is, but until I see the problem becoming more widespread...I just can't get too excited about it.

Edit: I retract the statement about not backing up to an email account out of security concerns. It's really about not knowing the email password.
Darin

GregLee
Posts: 1748
Joined: Wed Oct 27, 2010 3:54 pm
Location: Waimanalo, HI

Re: Password manager?

Post by GregLee » Sat Dec 17, 2011 7:10 pm

I used LastPass for a year or so, but I got nervous about trusting someone else with info important to me, so I transferred back all my password info to my local system and unsubscribed from LastPass. I would really like to find a way to handle passwords transparently, so I don't have to perform several manual steps each time I log on to a secure site. I haven't yet found one. Currently, I'm using four Firefox extensions to help me cope with this: (1) Autofill Forms keeps track of which user ID/email should be used for various sites (and other form-fill info), (2) Saved Password Editor lets me modify or delete the password used for any web page, (3) Secure Login lets me choose or modify the password to be used for a given web page, (4) "remember password" is a bookmark I can invoke to circumvent those web pages that tell Firefox not to remember the password for the page. I also tried an application "Roboform Lite" for Firefox, but it just didn't seem to work very well.
Greg, retired 8/10.

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Sat Dec 17, 2011 9:29 pm

GregLee wrote:I used LastPass for a year or so, but I got nervous about trusting someone else with info important to me, so I transferred back all my password info to my local system and unsubscribed from LastPass. I would really like to find a way to handle passwords transparently, so I don't have to perform several manual steps each time I log on to a secure site. I haven't yet found one. Currently, I'm using four Firefox extensions to help me cope with this: (1) Autofill Forms keeps track of which user ID/email should be used for various sites (and other form-fill info), (2) Saved Password Editor lets me modify or delete the password used for any web page, (3) Secure Login lets me choose or modify the password to be used for a given web page, (4) "remember password" is a bookmark I can invoke to circumvent those web pages that tell Firefox not to remember the password for the page. I also tried an application "Roboform Lite" for Firefox, but it just didn't seem to work very well.
I'd go Keepass if I were you. Keepass will autofill logons and passwords for you quite readily. It doesn't do it insta-automatically as Lastpass might, but I actually prefer it that way, in the rare instance someone pilfers my computer while I'm not aware of it and opens the browser.

In Keepass, you pretty much just hit 'ctrl-v' from inside Keepass, and it'll cut and paste both the logon and password (separated by a tab) into the browser that's open. Works great.

Keepass is also way easier to store tidbits of random info that aren't necessarily passwords - that got really clunky in Lastpass and was a big reason I ended up not using it. Whereas on Keepass, it's painless - like a simple text editor, and fast.

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sun Dec 18, 2011 9:35 am

Except that the clipboard is vulnerable to hacking in itself. The clipboard is not protected at all, as far as I know.

You can set LastPass to not fill automatically.
Darin

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Sun Dec 18, 2011 11:05 am

If you're that crazy about worrying about clipboard hacks on your own computer, you can just not autofill (not too complicated there.)

If you're worried even about key capture hacks, there's an easy plugin for Keepass that allows you to pop up an on screen keyboard for mouse-based keyboard entry.

I do think Lastpass has better browser integration, but at least for me, Keepass wins on all other fronts including ease of use.

Keepass also automatically defaults to erasing the clipboard after 10 sec. You can configure it quite easily to autoerase in a shorter or longer interval as well, or not use it at all.

GregLee
Posts: 1748
Joined: Wed Oct 27, 2010 3:54 pm
Location: Waimanalo, HI

Re: Password manager?

Post by GregLee » Sun Dec 18, 2011 11:12 am

I appreciate that people who are worried that their systems will be hacked into want protections and are willing to go out of their way for the sake of extra security. But I'm not worried, and I want all the security stuff handled automatically, so that I am not inconvenienced. My ideal password manager would have "Just do it" as an option. I can conceive that my dog might find my computer unattended and order himself a million dog-treats from Amazon, but I don't think it's going to happen.
Greg, retired 8/10.

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Sun Dec 18, 2011 11:21 am

GregLee wrote:I appreciate that people who are worried that their systems will be hacked into want protections and are willing to go out of their way for the sake of extra security. But I'm not worried, and I want all the security stuff handled automatically, so that I am not inconvenienced. My ideal password manager would have "Just do it" as an option. I can conceive that my dog might find my computer unattended and order himself a million dog-treats from Amazon, but I don't think it's going to happen.
Lastpass and even Keepass are as close to 'just do it' while keeping secure.

My Keepass is dead simple - open it, logon with the master password, and then you click on the link on the entry you like which opens the URL you've saved, and then hit 'paste' with right click, and you're done. It's trivially harder than opening your browser and logging onto email.

I'm not one for crazy over the top military-level security, but in the realistic scenario that someone steals my laptop at some point, I certainly don't want access to my myriad financial accounts and personal life info caused by my laziness. At the least, a reasonable length master password in Keepass or Lastpass is all you really need. (Both programs will automatically backup the file for you as well - I just make additional copies for my own peace of mind but it is not required.)

Pacific
Posts: 1329
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: Password manager?

Post by Pacific » Sun Dec 18, 2011 12:17 pm

I'm not sure I understand how this works. If I use something like KeePass, how do I access my accounts if I am traveling and trying to use my mother's computer in New Orleans or my daughter's computer in New Jersey?

Thanks.

BigFoot48
Posts: 2759
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: Password manager?

Post by BigFoot48 » Sun Dec 18, 2011 12:24 pm

Pacific wrote:I'm not sure I understand how this works. If I use something like KeePass, how do I access my accounts if I am traveling and trying to use my mother's computer in New Orleans or my daughter's computer in New Jersey?

Thanks.
Dropbox! Just save the Keepass encrypted file to your Dropbox folder, and when at other locations just load Dropbox on their computers and access your file there. That's exactly what I do at the mother-in-law's house.
Last edited by BigFoot48 on Sun Dec 18, 2011 12:28 pm, edited 1 time in total.
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 14-time loser

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Sun Dec 18, 2011 12:26 pm

Pacific wrote:I'm not sure I understand how this works. If I use something like KeePass, how do I access my accounts if I am traveling and trying to use my mother's computer in New Orleans or my daughter's computer in New Jersey?

Thanks.
You would need a local copy. An easy workaround on 'safe' computers like at your relatives' house, is to just email the data file to yourself (it's <100k in most cases) and just install Keepass on their computer when you get there. (It's a very small, fast and free download.)

It's harder when you're on computers where you don't have installation privileges or are considered 'unsafe' like public terminals, but then again, you probably shouldn't be trusting enough to open your personal financial accounts on such computers in the first place for basic security's sake.

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sun Dec 18, 2011 12:29 pm

BigFoot48 wrote:
Pacific wrote:I'm not sure I understand how this works. If I use something like KeePass, how do I access my accounts if I am traveling and trying to use my mother's computer in New Orleans or my daughter's computer in New Jersey?

Thanks.
Dropbox!
As long as the files are encrypted before they're uploaded to Dropbox.
Darin

BigFoot48
Posts: 2759
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: Password manager?

Post by BigFoot48 » Sun Dec 18, 2011 12:31 pm

Drain wrote:As long as the files are encrypted before they're uploaded to Dropbox.
I don't know if KeePass has an "unencrypt" option.
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 14-time loser

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sun Dec 18, 2011 12:38 pm

lightheir wrote:If you're that crazy about worrying about clipboard hacks on your own computer, you can just not autofill (not too complicated there.)
Yes, but LastPass fills your credentials without using the clipboard at all. That is, you can autofill without the clipboard risk. That's why the software was designed the way it was.

Honestly, I'm more concerned about clipboard data being stolen by malware than I am about data being stolen from encrypted files in the cloud.
lightheir wrote:I do think Lastpass has better browser integration, but at least for me, Keepass wins on all other fronts including ease of use.
I'd say the opposite is true. You are summarily discounting the very feature that makes LastPass more convenient, and then concluding that LastPass is less convenient. What makes it so easy is the autofilling. There is no way that's less convenient than pasting information, and it's certainly more secure, given that you're not using the clipboard.

Seems to me that if you're going to prefer KeePass, you're going to prefer it because (1) it's simpler in other respects (fewer bells and whistles), (2) it's open-source, and (3) your data can be stored only locally if you choose and if you believe that's safer (I do not). Oh, and (4) there's a key file option for a second factor--again, not something I care about personally, but a nice option to have.
lightheir wrote:Keepass also automatically defaults to erasing the clipboard after 10 sec. You can configure it quite easily to autoerase in a shorter or longer interval as well, or not use it at all.
That's good. Might not help much against dedicated malware, but it will prevent someone who gains physical access to your machine from simply reading stuff off the clipboard.
Last edited by Drain on Sun Dec 18, 2011 12:41 pm, edited 1 time in total.
Darin

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sun Dec 18, 2011 12:40 pm

BigFoot48 wrote:
Drain wrote:As long as the files are encrypted before they're uploaded to Dropbox.
I don't know if KeePass has an "unencrypt" option.
My original message didn't go through, and my re-type was overly terse. It was supposed to be a more general warning--i.e., not just about KeePass files.
Darin

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sun Dec 18, 2011 12:44 pm

By the way, none of this is secure against malware that captures data as it's read by the browser. I forget what that's called, but it exists. Hopefully, a given browser will not typically be vulnerable to this sort of malware, but...?
Darin

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Sun Dec 18, 2011 1:09 pm

Actually, Lastpass fails enough for me on the autofill that it was enough to completely turn me off from it. Yes, it works great in 90% of websites, but in a small group (2 of which I happen to use regularly), it doesn't work at all and I have to manually enter the data, which always is annoying as heck with Lastpass. I used Lastpass for 3-4 months and after that period concluded that for my uses, Keepass was simply far more reliable for my websites of interest.

Another thing that drove me nuts with Lastpass is the constant offers to 'save your password', which usually overlaps with the browser's request. I know you can turn this off, but that makes entering the passwords in the first place annoying as heck and confusing. I hated having all these random website passwords saved in what I consider a critical file - I prefer the Keepass model where I selectively pick and choose the important files to save, even if it takes more work up front.

And I mentioned this before, but entering and saving blocks of text like important info is really clunky in Lastpass, as it wasn't really designed for it. On Keepass, it's a breeze, and searchable. This was actually the main reason I bailed from lastpass, as I keep a lot of important text type info in my private file, and when I tried to do the same in Lastpass, it was agonizingly painful due to the field entry system.

asdfvcx
Posts: 20
Joined: Sun Mar 18, 2007 6:15 pm

Re: Password manager?

Post by asdfvcx » Sun Dec 18, 2011 8:40 pm

Pacific wrote:I'm not sure I understand how this works. If I use something like KeePass, how do I access my accounts if I am traveling and trying to use my mother's computer in New Orleans or my daughter's computer in New Jersey?
As already mentioned you could use Dropbox. This has the convenience of always being up to date, if it's set up properly.

For slightly more low tech, you could copy the data file to a USB key and take it with you. Or you could just mail a copy to an email account such as gmail or hotmail. The problem with these methods is that if you make changes to your main data file, you need to update all of your back up copies.


When you get to your mother's or daughter's place, just download keepass and install it on their computer. Then get your data file from wherever you have it stored and load it into keepass.

As long as your keepass data file has a strong password, you shouldn't be concerned with storing it using these various methods.

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Mon Dec 19, 2011 9:33 am

lightheir wrote:Actually, Lastpass fails enough for me on the autofill that it was enough to completely turn me off from it. Yes, it works great in 90% of websites, but in a small group (2 of which I happen to use regularly), it doesn't work at all and I have to manually enter the data, which always is annoying as heck with Lastpass. I used Lastpass for 3-4 months and after that period concluded that for my uses, Keepass was simply far more reliable for my websites of interest.
Once I learned the "Save All Entered Data" trick (if you want to call it that) in LastPass, I found that LastPass worked properly enough on almost every website. But it's not difficult to imagine that if you happen to use sites that give LastPass trouble (mostly Flash-based logins), then I get how it could be irritating.
lightheir wrote:Another thing that drove me nuts with Lastpass is the constant offers to 'save your password', which usually overlaps with the browser's request. I know you can turn this off, but that makes entering the passwords in the first place annoying as heck and confusing. I hated having all these random website passwords saved in what I consider a critical file - I prefer the Keepass model where I selectively pick and choose the important files to save, even if it takes more work up front.
There shouldn't be any overlap with the browser requests because the browser requests should be disabled. And I hadn't encountered a problem with random credentials being saved. So...I'm confused on this one, especially since you acknowledge that you can turn the feature off.
lightheir wrote:And I mentioned this before, but entering and saving blocks of text like important info is really clunky in Lastpass, as it wasn't really designed for it. On Keepass, it's a breeze, and searchable. This was actually the main reason I bailed from lastpass, as I keep a lot of important text type info in my private file, and when I tried to do the same in Lastpass, it was agonizingly painful due to the field entry system.
You are probably right that this is easier in KeePass. I have no experience there. But "agonizingly painful"? Again, I'm not sure what you were doing. When I want to save a block of text in a secure note, I paste in or type in the block, and I save it. It may not be as well designed as KeePass is for that purpose, but I don't know what could be so awful about it. Primitive, perhaps, but the features that are there don't seem difficult to use.

I went with LastPass because I felt I was philosophically aligned with what they were trying to do. They wanted to build a password manager designed from the ground up to work via the cloud, and I've always been a cloud advocate. I also like that they try to do everything they can to avoid security holes from the start--e.g., they try to minimize exposure of plain text, unlike KeePass and the clipboard. They also heavily encourage the use of second factors. I just like the company, I guess, and since I don't want to switch between password managers all the time, that's important for the long haul. I think LP suffers somewhat from trying to accomplish too much--for example, the attempt to make the software as generally usable on different platforms as possible has made it clunky for certain specific logins (again, the Flash sites, although those may be dying off soon).
Darin

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Mon Dec 19, 2011 11:47 am

Just wondering...if you're storing your active KeePass file on Dropbox, where does the decryption take place right before a password is placed on the clipboard? Do you, at that moment, have decrypted data on the Dropbox server?
Darin

NAVigator
Posts: 2457
Joined: Tue Feb 27, 2007 7:24 am
Location: Iowa

Re: Password manager?

Post by NAVigator » Mon Dec 19, 2011 12:19 pm

Drain wrote:Just wondering...if you're storing your active KeePass file on Dropbox, where does the decryption take place right before a password is placed on the clipboard? Do you, at that moment, have decrypted data on the Dropbox server?
The decryption is done in memory, not in the file. The file remains encrypted at all times. This includes any notes that you use to annotate the username and password for a site, such as the security questions and answers.

One can also run KeePass using a USB flash memory. When I worked, I used this method to avoid putting my passwords or the KeePass program on the employer's PC.

If one is truly concerned about the clipboard capture risk, even when the clipboard is cleared within a few seconds, here are some simple tricks to use on very sensitive websites.
* Have the password stored in KeePass with one or more invalid characters. So after having the password entered by KeePass, make the correction.
* Or have the password stored in KeePass lacking one or more characters. Then simply add these yourself using the keyboard.
* Or have the password stored in KeePass have extra characters embedded in that password. Then simply delete those embedded characters after pasting in the password.

Jerry
"I was born with nothing and I have most of it left."

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Mon Dec 19, 2011 12:58 pm

[Message edits lost upon hitting Submit. See follow-up below.]
Last edited by Drain on Mon Dec 19, 2011 1:14 pm, edited 1 time in total.
Darin

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Mon Dec 19, 2011 1:13 pm

I'm having serious trouble with this web site losing what I type when I hit Submit. I'll try to re-create what I wrote.
NAVigator wrote:
Drain wrote:Just wondering...if you're storing your active KeePass file on Dropbox, where does the decryption take place right before a password is placed on the clipboard? Do you, at that moment, have decrypted data on the Dropbox server?
The decryption is done in memory, not in the file. The file remains encrypted at all times. This includes any notes that you use to annotate the username and password for a site, such as the security questions and answers.
I freely admit that I am far from an expert on these matters, but my understanding is that you cannot get information from an encrypted file without first decrypting it. I mean, that's the whole point of encryption, is it not? So the KeePass file must be decrypted in order for you to get your data, and I ask again...where does that take place? Is the encrypted file being sent to your computer, where KeePass decrypts it locally? Or is the file being decrypted on the Dropbox server, with the data then being transmitted (via encrypted connection, presumably) to you in plaintext? My concern is not so much with the plaintext being transmitted over an encrypted connection as it is with decrypted data at the Dropbox end of things. I would not trust Dropbox the way I'd trust KeePass.
NAVigator wrote:If one is truly concerned about the clipboard capture risk, even when the clipboard is cleared within a few seconds, here are some simple tricks to use on very sensitive websites.
* Have the password stored in KeePass with one or more invalid characters. So after having the password entered by KeePass, make the correction.
* Or have the password stored in KeePass lacking one or more characters. Then simply add these yourself using the keyboard.
* Or have the password stored in KeePass have extra characters embedded in that password. Then simply delete those embedded characters after pasting in the password.
I don't think you're understanding the threat. All programs seem to have unfettered access to the clipboard. If that's the case, then a virus (or whatever--I can never keep the terms straight) could be designed to immediately capture, log, and transmit anything written to the clipboard. Clearly, erasing the clipboard after n seconds is not going to thwart an attack like this.

That means that if such malware is on your computer, the bad guys can get your passwords as they're put on the clipboard. Yes, they won't be exactly right if you add or subtract a couple characters here and there, but you've spotted the bad guys almost the entire password, so brute force attacks would be quick. Plus, you're kinda losing all semblance of convenience relative to alternative products out there that don't use the clipboard.
Darin
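
The post above argues that storing a slightly wrong password and fixing it by hand leaves little guessing work for anyone who captured the clipboard. The following is an added example, not part of the original thread, that counts the candidates left under each of the three tricks; the 94-symbol alphabet, the 12-character capture and the two edited characters are assumptions chosen for illustration.

```python
from math import comb, log2

ALPHABET = 94  # assumption: printable ASCII without the space character


def substituted(n: int, k: int, a: int = ALPHABET) -> int:
    """Trick 1: k of the n captured characters are wrong and are corrected by hand."""
    return comb(n, k) * (a - 1) ** k


def missing(n: int, k: int, a: int = ALPHABET) -> int:
    """Trick 2: the real password is the n captured characters plus k typed ones.

    Counts the distinct strings of length n+k that contain the capture as a
    subsequence; the count does not depend on the captured string itself.
    """
    return sum(comb(n + k, i) * (a - 1) ** i for i in range(k + 1))


def padded(n: int, k: int) -> int:
    """Trick 3: k of the n captured characters are filler to delete (upper bound)."""
    return comb(n, k)


def residual_bits(n: int, k: int, a: int = ALPHABET) -> dict:
    """Guessing work, in bits, left to someone holding the clipboard capture,
    next to a blind search over all n-character passwords."""
    return {
        "substituted": log2(substituted(n, k, a)),
        "missing": log2(missing(n, k, a)),
        "padded": log2(padded(n, k)),
        "no_capture": n * log2(a),
    }


if __name__ == "__main__":
    # Constructed case: 12 characters captured, 2 characters differ.
    for name, bits in residual_bits(12, 2).items():
        print(f"{name:12s} {bits:5.1f} bits")
```

With these assumptions every trick leaves under 20 bits of work, against roughly 79 bits for a 12-character password that was never captured.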

BigFoot48
Posts: 2759
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: Password manager?

Post by BigFoot48 » Mon Dec 19, 2011 1:24 pm

Drain wrote:I freely admit that I am far from an expert on these matters, but my understanding is that you cannot get information from an encrypted file without first decrypting it. I mean, that's the whole point of encryption, is it not? So the KeePass file must be decrypted in order for you to get your data, and I ask again...where does that take place? Is the encrypted file being sent to your computer, where KeePass decrypts it locally? Or is the file being decrypted on the Dropbox server, with the data then being transmitted (via encrypted connection, presumably) to you in plaintext? My concern is not so much with the plaintext being transmitted over an encrypted connection as it is with decrypted data at the Dropbox end of things. I would not trust Dropbox the way I'd trust KeePass.
The KeePass file is located on your local computer. That's the one you open with the program. If the file changes and you save it, the revised encrypted file is automatically uploaded to the Dropbox server.
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 14-time loser

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Mon Dec 19, 2011 1:35 pm

BigFoot48 wrote:The KeePass file is located on your local computer. That's the one you open with the program. If the file changes and you save it, the revised encrypted file is automatically uploaded to the Dropbox server.
That would be good. I haven't used Dropbox for this purpose, so I haven't thought about it much before now. So the local file is read into KeePass in encrypted form, and then it's decrypted and used by the KeePass software, which I trust. Dropbox doesn't do anything at this point, because the file in the folder hasn't changed. That file changes only if you add, delete, or otherwise alter your KeePass data, in which case a new encrypted file is saved to the Dropbox folder to be backed up. Okay. As long as I don't have to rely on Dropbox to protect my privacy.
Darin

Teetlebaum
Posts: 457
Joined: Tue Apr 10, 2007 4:27 pm

Re: Password manager?

Post by Teetlebaum » Sat Dec 24, 2011 9:31 pm

Teetlebaum wrote:I was a happy user of Lastpass until yesterday when it logged me out but wouldn't recognize my password. Since I couldn't log in, I've lost all my passwords. :evil:

As directed by Lastpass, I tried my old password & different browsers, and even a different computer, but all to no avail.
I lost access as described above on the 17th. I contacted them via their "Support Request", and the 22nd they offered me the option of reverting to an earlier password, which worked. But in the intervening days I had changed all my most important passwords, and because I have no idea how it happened, I'm going back to keepass.

roymeo
Posts: 1273
Joined: Sat Apr 28, 2007 7:19 pm
Location: Oakland, CA

Re: Password manager?

Post by roymeo » Mon Dec 26, 2011 9:22 pm

Hopefully you won't have another case of 'something went wrong-sisies' there, too.
The sewer system is a form of welfare state. | -- "Libra", Don DeLillo

wesgreen
Posts: 198
Joined: Fri Jan 07, 2011 9:14 am

Re: Password manager?

Post by wesgreen » Tue Dec 27, 2011 9:14 pm

I tried Keepass again, but to get it working still looks like another part-time job, which I don't need. I'll stay with LoginCode, free also, and simpler.

brianH
Posts: 328
Joined: Wed Aug 12, 2009 12:21 pm

Re: Password manager?

Post by brianH » Tue Dec 27, 2011 9:37 pm

Drain wrote: I don't think you're understanding the threat. All programs seem to have unfettered access to the clipboard. If that's the case, then a virus (or whatever--I can never keep the terms straight) could be designed to immediately capture, log, and transmit anything written to the clipboard. Clearly, erasing the clipboard after n seconds is not going to thwart an attack like this.

That means that if such malware is on your computer, the bad guys can get your passwords as they're put on the clipboard. Yes, they won't be exactly right if you add or subtract a couple characters here and there, but you've spotted the bad guys almost the entire password, so brute force attacks would be quick. Plus, you're kinda losing all semblance of convenience relative to alternative products out there that don't use the clipboard.
KeePass tries to get around this a number of ways (http://keepass.info/help/v2/autotype_obfuscation.html). For one, it 'hooks' clipboard events to try and stop other programs (malware) from knowing that the clipboard just received data. This is not totally foolproof, but it's the best that is possible for the clipboard in Windows. Another option is to use auto-type. KeePass can 'type' your password using a mix of clipboard and key presses. Again, not unbeatable, but it makes it much more difficult.

In any case, many local spyware apps don't bother with the clipboard. They can simply attach to the network stack and see your raw HTTP (web) data as it's transmitted over the wire. It's easier for the hacker to figure out data from the network that looks like:

Code:

POST /login.jsp HTTP/1.1
Host: www.vanguard.com
User-Agent: Mozilla/4.0
Content-Length: 24
Content-Type: application/x-www-form-urlencoded

userid=joe&password=uhoh
than massive random clipboard data:

Code:

this is just a story that I am writing in my word processor(click 35,43)(enter)(click 45,65)(enter)joe(click 45,43)uhoh

zeep
Posts: 92
Joined: Sat Oct 04, 2008 3:03 pm

Re: Password manager?

Post by zeep » Wed Dec 28, 2011 8:43 pm

I'm looking for a system I can use on my company laptop (locked down so only administrators can install software) and my spouse and I can use at home. I can't install Dropbox (although I can access my dropbox account for the web).

I think that means I need to either run a portable version off a USB drive, or use a bookmarklet. I'm leaning toward Lastpass, and putting the bookmarklet on my company laptop. Otherwise I'll just need to go back to trying to remember a "system" for passwords, but often one of us locks us out of our accounts.

Appreciate any thoughts.

lightheir
Posts: 2415
Joined: Mon Oct 03, 2011 11:43 pm

Re: Password manager?

Post by lightheir » Wed Dec 28, 2011 8:56 pm

zeep wrote:I'm looking for a system I can use on my company laptop (locked down so only administrators can install software) and my spouse and I can use at home. I can't install Dropbox (although I can access my dropbox account for the web).

I think that means I need to either run a portable version off a USB drive, or use a bookmarklet. I'm leaning toward Lastpass, and putting the bookmarklet on my company laptop. Otherwise I'll just need to go back to trying to remember a "system" for passwords, but often one of us locks us out of our accounts.

Appreciate any thoughts.
Keepass portable. /endthread.

Seriously, though, it works great. You can run keepass portable (google it) as an executable file with no install needed, and the data file is super small and readily downloaded off your email or USB drive. It should readily autofill the fields for you.

Lastpass 'may' work, but it is possible that your work might cripple the browser integration for autofilling.

Don Christy
Posts: 391
Joined: Sun Oct 11, 2009 10:33 pm

Re: Password manager?

Post by Don Christy » Mon Jan 02, 2012 8:39 am

Any of you KeePass users have a recommended iPhone/iPad app? All of the ones I see in the App store seem to be flawed based on reviews.

Thanks,
Don
“Speak only if it improves upon the silence." Mahatma Gandhi

mattman22
Posts: 192
Joined: Sun Dec 30, 2007 11:51 am
Location: Boston, MA

Re: Password manager?

Post by mattman22 » Mon Jan 02, 2012 11:59 pm

Drain wrote:That means that if such malware is on your computer, the bad guys can get your passwords as they're put on the clipboard. Yes, they won't be exactly right if you add or subtract a couple characters here and there, but you've spotted the bad guys almost the entire password, so brute force attacks would be quick. Plus, you're kinda losing all semblance of convenience relative to alternative products out there that don't use the clipboard.
I suggest reading http://keepass.info/help/base/security.html and http://keepass.info/help/v2/autotype_obfuscation.html to see why KeePass is easily the best password manager for Windows. From a security standpoint it handily beats LastPass. From a user perspective and ease of use, that is a more personal opinion.

Don Christy
Posts: 391
Joined: Sun Oct 11, 2009 10:33 pm

Re: Password manager?

Post by Don Christy » Sun Jan 08, 2012 8:10 am

Don Christy wrote:Any of you KeePass users have a recommended iPhone/iPad app? All of the ones I see in the App store seem to be flawed based on reviews.

Thanks,
Don
Bump - anyone have info for mobile?
“Speak only if it improves upon the silence." Mahatma Gandhi

Topic Author
ClaireTN
Posts: 247
Joined: Tue Jan 06, 2009 8:23 pm
Location: Tennessee

Re: Password manager?

Post by ClaireTN » Sun Jan 08, 2012 12:43 pm

Don Christy wrote:
Don Christy wrote:Any of you KeePass users have a recommended iPhone/iPad app? All of the ones I see in the App store seem to be flawed based on reviews.

Thanks,
Don
Bump - anyone have info for mobile?
I don't know about KeePass, but I've been using 1Password, which works seamlessly on my iPad, Android phone, and MacBook. It syncs through Dropbox.

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sun Jan 08, 2012 1:48 pm

mattman22 wrote:I suggest reading http://keepass.info/help/base/security.html and http://keepass.info/help/v2/autotype_obfuscation.html to see why KeePass is easily the best password manager for Windows.
That's just a general description of features, and doesn't seem to address anything I've written.
From a security standpoint it handily beats LastPass.
Handily? How? Each program has its advantages and disadvantages. Still seems to me that if cloud storage and access is important to you, you choose LastPass. Otherwise, go with KeePass.
Darin

Drain
Posts: 1402
Joined: Mon Feb 26, 2007 1:27 pm
Location: Maryland

Re: Password manager?

Post by Drain » Sun Jan 08, 2012 1:51 pm

ClaireTN wrote:I don't know about KeePass, but I've been using 1Password, which works seamlessly on my iPad, Android phone, and MacBook. It syncs through Dropbox.
Does 1Password offer an option for a second authentication factor yet?
Darin

lmpmd
Posts: 739
Joined: Sun Jan 18, 2009 4:47 pm

Re: Password manager?

Post by lmpmd » Sun Jan 08, 2012 2:21 pm

I'm sorry I haven't read the entire thread. But isn't anyone using Sandisk SecureAccess software on their flash drives?
http://www.sandisk.com/misc/secure-access
Lately I just type all my sites and passwords on a Microsoft Word file and drop it into the SecureAccess vault on the flash drive. Is there anything wrong with this? That way it's on my keyring and with me all the time.

Topic Author
ClaireTN
Posts: 247
Joined: Tue Jan 06, 2009 8:23 pm
Location: Tennessee

Re: Password manager?

Post by ClaireTN » Sun Jan 08, 2012 4:38 pm

Drain wrote:
ClaireTN wrote:I don't know about KeePass, but I've been using 1Password, which works seamlessly on my iPad, Android phone, and MacBook. It syncs through Dropbox.
Does 1Password offer an option for a second authentication factor yet?
Not at this time. Here's one explanation of why not: http://blog.agilebits.com/2011/09/23/tw ... wo-factor/
