How I Handle Information Security

Topic Author
MarkBarb
Posts: 283
Joined: Mon Aug 03, 2009 11:59 am

How I Handle Information Security

Post by MarkBarb » Sun Feb 19, 2012 11:34 am

I was inspired by the Mint.com thread to write this thread about how I handle electronic security. I have three major components that I secure – my IDs/passwords, my Quicken file, and my documents. I use three major software components for security: KeePass, TrueCrypt, and DropBox.

One of the biggest security issues that everyone deals with is password security. Ideally, our passwords should be long and complex. They should also be different for every account so that if one is hacked, the others aren’t compromised. Finally, we should change them often. All that sounds great, but it is hard to memorize one “long and complex” password, let alone lots of ever changing versions.

That’s where the open source software package KeePass comes into play. It will randomly generate those long, complex passwords for you and store them so that you can look them up when you need them. Using KeePass, you don’t need to remember them, so making them unique for each account and changing them frequently isn’t a problem. You just need to make sure that your KeePass password isn’t hackable.

Your KeePass password is now the key to your entire kingdom, so you need to make it as safe as possible. Make it long…at least 16 characters. I like to use a phrase that includes upper and lower case characters, a few special characters, and some numbers. To make it easy to remember, I base it off of a memorable phrase. To make it harder to crack with a dictionary attack, I misspell some of the words in the phrase. An example would be !I”llgeTYou,yoUWascallywabbiT. I put an exclamation at the start instead of the end, used a double quote instead of a single quote, alternated capitalizing the first and last letter of every word, and misspelled “rascally” and “rabbit” in a way that is easy to remember (for anyone familiar with Elmer Fudd) but unlikely to be used in a dictionary attack. At 29 characters, it will defeat any brute force attack. The downside is that it is a pain to key in on a cell phone.

I use my KeePass database for more than just passwords. I store credit card numbers, driver’s license numbers, social security numbers, frequent flyer program IDs, insurance IDs, critical phone numbers, and other identifiers like that. As long as I have access to my KeePass database, I can tap into a wealth of useful information. Once again, this means that I have to keep my KeePass password extremely safe – long, complex, and changed frequently. I never share it with anyone or write it down anywhere.

If you want to take your security up one more notch, you can make the passwords in your KeePass file incomplete. When you create a new password, you can have a secret modification that doesn’t go into KeePass. For example, KeePass may say that your Vanguard password is ADFadf323@#$aad when it is really vADFadf323@#$aadd. I added the first letter and last letter of Vanguard to the beginning and the end of the password.

After password security, the next step in my information security process is to encrypt my files. I use a program called TrueCrypt for this. Once again, it is an open source program that is free for personal use. With it, you create an encrypted file. When you mount it using TrueCrypt, you supply a password. When you provide the correct password, your TrueCrypt file shows up like a new drive. Of course, you want your TrueCrypt password to be long and complex, so I use a 60 character password generated and stored in KeePass.

I have two TrueCrypt files. One is a relatively small file that I use to store my Quicken files. The other is a much larger file that I use for storing my “documents.” In it, I store all my paystubs, my bills, my receipts, my tax documents, my medical documents, and stuff like that. It is an electronic version of what people used to store in a filing cabinet.

When I first started using KeePass and TrueCrypt to secure my files, I thought that my security problems were solved. I stored KeePass and my Quicken TrueCrypt file on a USB drive so that I could take it with me wherever I went. That worked OK, but I often left my USB drive at home or at the office and needed it in the other location. The answer to that was the service DropBox. It isn’t open source, but it is free, at least for people using 2 gig of storage or less.

DropBox is a file synchronization service. I have it loaded on my home desktop, my wife’s desktop, my laptop, my work computer, my phone, and my wife’s phone. My KeePass file and my Quicken TrueCrypt file are stored in my DropBox folder. That’s just another folder on my PC, like the “My Documents” folder. The difference is that when I put something in my DropBox folder, it gets uploaded to their site and then pushed to my other computers. So if I update my KeePass file on my home computer, within seconds the updates appear on my wife’s computer and my office computer. Wherever I am, I have the latest version. So I can add a password at work and then reference it on my laptop at home. I can update Quicken on my laptop while traveling and my Quicken file at home will get the updates. I even have it set up to synchronize the KeePass file with my phone so that I have access to all of my passwords and IDs right from my mobile phone.

That’s my solution. I have very long, complex passwords that I change frequently (every month for ones with large dollar accounts). I have all my information stored electronically and available to me, but securely encrypted.

There are a few things that could be tweaked. One concern is that if something happens to me and my wife, all of that encrypted information is lost. To mitigate that, I back up the TrueCrypt files to unencrypted drives (redundancy) that are stored in a safe place. Those files include a lot of sensitive information like tax returns, but they don’t include passwords that could be used to access my accounts. Those are only stored in encrypted form in a KeePass file. If something happens to us, someone will have to work with each institution to get the passwords reset.

The Wizard
Posts: 13356
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Re: How I Handle Information Security

Post by The Wizard » Sun Feb 19, 2012 1:34 pm

This seems unduly complex for nine out of ten people...
Attempted new signature...

Saving$
Posts: 1840
Joined: Sat Nov 05, 2011 8:33 pm

Re: How I Handle Information Security

Post by Saving$ » Sun Feb 19, 2012 1:49 pm

MarkBarb THANK YOU very much for the post.

I second the recommendation to use KeePass, and have other family members whose information I help manage on KeePass also.

Right now I have all my other info behind a password on a local drive, that is regularly backed up and stored off site. I am to the point that I need to have a networked system at home, but have been reluctant to do so because of my fears of managing data over the home wireless network. It sounds like TrueCrypt might be the solution to that. Thank you for the recommendation. Does not sound like much of a jump from TrueCrypt to Drop Box, but I may be a ways away from needing that.

The Wizard
Posts: 13356
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Re: How I Handle Information Security

Post by The Wizard » Sun Feb 19, 2012 1:50 pm

Here's a Q for you.
Pick a nice easy to remember pw, like BlingWart369 for my VG acct, say.
why is there EVER any reason to change this?
Are the bad guys monitoring my encrypted comms with VG and incrementally deciphering my pw?
Attempted new signature...

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: How I Handle Information Security

Post by FNK » Sun Feb 19, 2012 2:00 pm

Mark: very good policy. Overkill at a few corners, but if you're OK with paying the inconvenience, then why not.

Wizard: they might be. Or they might be trying to log into your account once an hour. Or, say, a systems administrator quits VG with the password database in tow. By the time he cracks it, you want your password to be different. Monthly is overkill, but yearly is good.

VictoriaF
Posts: 19067
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: How I Handle Information Security

Post by VictoriaF » Sun Feb 19, 2012 2:22 pm

Thank you, Mark.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

investomajic
Posts: 140
Joined: Tue Aug 03, 2010 8:01 pm

Re: How I Handle Information Security

Post by investomajic » Sun Feb 19, 2012 2:36 pm

Just keep in mind that if you use KeePass on a laptop, what happens if that gets stolen? (hopefully you plan to change all your passwords!) With a windows machine, on an unencrypted hard-drive, all those numbers (CC numbers, SSN as you mentioned) get scattered around various places on the hard drive making it relatively easy to find if someone has physical access to your hard drive.

I just thought I would point this out as I didn't see encryption of your local hard drive mentioned anywhere. Encrypting your hard drive as well as your page file (for Windows, and probably most important) is vital. TrueCrypt will allow you to encrypt your hard drive but I am not certain it will encrypt your page file (a lot of encryption utilities don't). Fortunately, Windows Vista and Windows 7 both have internal utilities you can use to encrypt your page file.

Here is how you can encrypt your page file:
http://www.ghacks.net/2011/04/04/encryp ... -security/

Also, to make it a little more difficult for a thief, you can also clear your page file on shutdown:
http://support.microsoft.com/kb/314834

If you want to find out just how easy this is (and you are fairly familiar with computers) after using KeePass, open up your page file (again, if you are using Windows) with a tool like WinHex and you will find all your sensitive information in seconds in clear text.

Mortgasm
Posts: 268
Joined: Mon Feb 06, 2012 7:54 pm

Re: How I Handle Information Security

Post by Mortgasm » Sun Feb 19, 2012 2:43 pm

LastPass.com, far easier to use. I even got my wife to use it.

Juniormint
Posts: 175
Joined: Sat Jan 21, 2012 12:16 pm

Re: How I Handle Information Security

Post by Juniormint » Sun Feb 19, 2012 3:13 pm

This was a great post. Thanks :)

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: How I Handle Information Security

Post by Mudpuppy » Sun Feb 19, 2012 4:45 pm

investomajic wrote:Just keep in mind that if you use KeePass on a laptop, what happens if that gets stolen? (hopefully you plan to change all your passwords!) With a windows machine, on an unencrypted hard-drive, all those numbers (CC numbers, SSN as you mentioned) get scattered around various places on the hard drive making it relatively easy to find if someone has physical access to your hard drive.

I just thought I would point this out as I didn't see encryption of your local hard drive mentioned anywhere. Encrypting your hard drive as well as your page file (for Windows, and probably most important) is vital. TrueCrypt will allow you to encrypt your hard drive but I am not certain it will encrypt your page file (a lot of encryption utilities don't). Fortunately, Windows Vista and Windows 7 both have internal utilities you can use to encrypt your page file.

Here is how you can encrypt your page file:
http://www.ghacks.net/2011/04/04/encryp ... -security/

Also, to make it a little more difficult for a thief, you can also clear your page file on shutdown:
http://support.microsoft.com/kb/314834

If you want to find out just how easy this is (and you are fairly familiar with computers) after using KeePass, open up your page file (again, if you are using Windows) with a tool like WinHex and you will find all your sensitive information in seconds in clear text.
KeePass claims to keep their unencrypted information out of the page file (essentially by marking the memory segments with unencrypted data as unswappable, encrypting the data in swappable memory and clearing their memory after use). Have you actually run the hexdump test on a current version of KeePass and proven that the data enters the page file or are you basing this advice on how normal programs operate?

I would test this myself, but this Windows VM is quite limited for a reason and I'd like to keep it that way. I don't have other Windows licenses at home, so I'd have to wait until I had access to the digital forensics test bed at work tomorrow to run the test. I figured it was much faster just to ask.
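One way to actually run the "hexdump test" Mudpuppy asks about, added here as an example (it is not code from the thread or from KeePass): take the secrets you expect to stay protected and search a dump for them. The sample dump, the secrets and the helper names are constructed for the demo. One caveat that a plain string search can miss: Windows programs usually hold strings in memory as UTF-16LE, so each secret is searched for in both ASCII and UTF-16LE, and the file is read in overlapping windows so a page file of several gigabytes can be scanned without loading it whole.

```python
import io
import re

# Constructed sample standing in for a fragment of pagefile.sys or a process
# memory dump: binary noise, one secret stored as ASCII, one stored as UTF-16LE
# (the in-memory string encoding of Win32/.NET programs), and one secret that
# is not present at all.
SAMPLE_DUMP = (
    b"\x00\x13\x37MZ\x90\x00random heap bytes\x00\x00"
    + b"user=alice;pw=Tr0ub4dor&3\x00"
    + "card=4111111111111111".encode("utf-16-le")
    + b"\x00\xff\xfe more noise \x7f"
)

# The values you would take from your own password database (constructed here).
SECRETS = ["Tr0ub4dor&3", "4111111111111111", "correct horse battery"]


def encodings_for(secret):
    """Byte patterns a leaked string can take in a Windows dump."""
    return {"ascii": secret.encode("ascii"), "utf-16-le": secret.encode("utf-16-le")}


def find_leaked_secrets(dump, secrets):
    """Scan an in-memory dump for every secret in both encodings.

    Returns {secret: [(encoding, byte_offset), ...]} for secrets that were found;
    an ASCII-only search would miss the UTF-16LE copy.
    """
    hits = {}
    for secret in secrets:
        for enc, pattern in encodings_for(secret).items():
            for m in re.finditer(re.escape(pattern), dump):
                hits.setdefault(secret, []).append((enc, m.start()))
    return hits


def scan_stream(stream, secrets, chunk_size=1 << 20):
    """Same search over a file too large to load at once (a real page file is
    gigabytes). Each window is the tail of the previous window plus a new chunk,
    so a secret straddling a chunk boundary is still found; a match is reported
    only if it ends inside the new chunk, so nothing is counted twice."""
    patterns = [(s, enc, p) for s in secrets for enc, p in encodings_for(s).items()]
    overlap = max(len(p) for _, _, p in patterns) - 1
    hits, tail, position = {}, b"", 0   # position: absolute offset of the next chunk
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for secret, enc, pattern in patterns:
            for m in re.finditer(re.escape(pattern), window):
                if m.end() > len(tail):
                    hits.setdefault(secret, []).append(
                        (enc, position - len(tail) + m.start()))
        position += len(chunk)
        tail = window[-overlap:] if overlap > 0 else b""
    return hits


def scan_bytes_chunked(data, secrets, chunk_size):
    """Convenience wrapper so the chunked scanner can be exercised on bytes."""
    return scan_stream(io.BytesIO(data), secrets, chunk_size)


def scan_file(path, secrets, chunk_size=1 << 20):
    """Scan a dump on disk, e.g. a copy of pagefile.sys taken while offline."""
    with open(path, "rb") as f:
        return scan_stream(f, secrets, chunk_size)


if __name__ == "__main__":
    for secret, locations in find_leaked_secrets(SAMPLE_DUMP, SECRETS).items():
        print(f"LEAKED {secret!r} at {locations}")
```

Point `scan_file` at a copy of the page file taken with the system offline (the live file is locked), after a session in which the password manager and the browser both handled the secrets. An empty result for one program says nothing about the rest of the chain; a non-empty one is the concrete evidence the thread is asking for, and the mitigations already named here (encrypting the page file, clearing it at shutdown, full-disk encryption) are what close it.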

Muchtolearn
Posts: 1563
Joined: Sun Dec 25, 2011 10:41 am

Re: How I Handle Information Security

Post by Muchtolearn » Sun Feb 19, 2012 5:28 pm

Too complex for me and if you forget or lose the KeePass, that's trouble I think. I only have a few accounts that need careful checking like Vanguard and my bank. And they are both on my Mozilla home page and I check them daily.

interplanetjanet
Posts: 2226
Joined: Mon Jan 24, 2011 4:52 pm
Location: the wilds of central California

Re: How I Handle Information Security

Post by interplanetjanet » Sun Feb 19, 2012 5:35 pm

Mudpuppy wrote:KeePass claims to keep their unencrypted information out of the page file (essentially by marking the memory segments with unencrypted data as unswappable, encrypting the data in swappable memory and clearing their memory after use). Have you actually run the hexdump test on a current version of KeePass and proven that the data enters the page file or are you basing this advice on how normal programs operate?
This is probably a good idea. Keep in mind that even if KeePass keeps critical plaintext out of the page file (such as your master password) any intermediary that may handle a password that's unencrypted from the KeePass database (like, say, your web browser) has a chance to have it paged out while it's handling it unless it takes steps as well. I remember a warning that came with PGP about 20 years ago - stating that while it would try its hardest to keep anything critical from getting paged out, you really needed to look at the whole chain of where information passes through to maintain security.

KeePass does help with one of the biggest security exposures in my experience - the tendency to reuse passwords. Making it easy for users to get away from this is a great benefit.

I kind of like PasswordCard, but then again I used to keep lists of S/Key passphrases in my wallet...

-janet [99 CURE MIKE BANE HIM RACY GORE ]

bertilak
Posts: 7014
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: How I Handle Information Security

Post by bertilak » Sun Feb 19, 2012 6:20 pm

MarkBarb,

Thanks for the post. It reminded me that I need to be a little more strict in my password management. I do use KeePass but from your comments I see I could be making more use of it.

I also use Quicken and rely on its internal encryption. The file is backed up nightly to a USB stick and is also backed up with Carbonite which encrypts things as they are backed up.

I may look into TrueCrypt but I don't think I need it as the only critical files I have are Quicken and KeePass and they are already encrypted. I do not keep any of the financial info I receive and rely on the institutions I deal with to make it available online. There is just too darn much of it. All key tax info comes hard copy snail mail anyway.

Thanks again.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet

investomajic
Posts: 140
Joined: Tue Aug 03, 2010 8:01 pm

Re: How I Handle Information Security

Post by investomajic » Sun Feb 19, 2012 9:06 pm

Mudpuppy wrote:
investomajic wrote:Just keep in mind that if you use KeePass on a laptop, what happens if that gets stolen? (hopefully you plan to change all your passwords!) With a windows machine, on an unencrypted hard-drive, all those numbers (CC numbers, SSN as you mentioned) get scattered around various places on the hard drive making it relatively easy to find if someone has physical access to your hard drive.

I just thought I would point this out as I didn't see encryption of your local hard drive mentioned anywhere. Encrypting your hard drive as well as your page file (for Windows, and probably most important) is vital. TrueCrypt will allow you to encrypt your hard drive but I am not certain it will encrypt your page file (a lot of encryption utilities don't). Fortunately, Windows Vista and Windows 7 both have internal utilities you can use to encrypt your page file.

Here is how you can encrypt your page file:
http://www.ghacks.net/2011/04/04/encryp ... -security/

Also, to make it a little more difficult for a thief, you can also clear your page file on shutdown:
http://support.microsoft.com/kb/314834

If you want to find out just how easy this is (and you are fairly familiar with computers) after using KeePass, open up your page file (again, if you are using Windows) with a tool like WinHex and you will find all your sensitive information in seconds in clear text.
KeePass claims to keep their unencrypted information out of the page file (essentially by marking the memory segments with unencrypted data as unswappable, encrypting the data in swappable memory and clearing their memory after use). Have you actually run the hexdump test on a current version of KeePass and proven that the data enters the page file or are you basing this advice on how normal programs operate?

I would test this myself, but this Windows VM is quite limited for a reason and I'd like to keep it that way. I don't have other Windows licenses at home, so I'd have to wait until I had access to the digital forensics test bed at work tomorrow to run the test. I figured it was much faster just to ask.
I am basing my results off of my own tests, using WinHex, using version 2.13 of KeePass and whatever the latest version of the non-.Net / C++ version of KeePass was at the time (I am basing this off of my notes I saved and for whatever reason didn't write down the other version); both versions leaked clear text data into the page file. I thought, at first, that it might have been an issue with the .Net Framework version (2.*) so tested the pre .Net version as well (1.*). I haven't bothered to test any of the newer versions but keep in mind that KeePass made that exact same claim (to keep clear text passwords out of the page file) on version 2.13 as well.

When I get access to my "test" PC again, I will give the latest version a try, but I haven't bothered because encrypting the page file solves that issue anyways (and I have since moved to a different password management system).

[Edited to add more specific testing information]

saied45
Posts: 119
Joined: Sat Oct 08, 2011 6:08 pm

Re: How I Handle Information Security

Post by saied45 » Sun Feb 19, 2012 9:23 pm

Mortgasm wrote:LastPass.com, far easier to use. I even got my wife to use it.
LastPass is clearly much easier to use. However, it does have one bad issue. Your passwords are saved on the cloud rather than your own local HD (which, as the OP mentioned, is encrypted). If LastPass gets hacked (and it has been before, but only minor hacking was done), all your passwords are at risk because now the hacker has your ID and password information, and by the time you know LastPass was hacked it might be too late.

I think one thing that the OP should do is use WinRAR to zip all his old archived folders in Dropbox. This is what I do for my YNAB and Quicken files. Also, I believe there are free open source add-ons for encrypting your Dropbox folder online.

investomajic
Posts: 140
Joined: Tue Aug 03, 2010 8:01 pm

Re: How I Handle Information Security

Post by investomajic » Sun Feb 19, 2012 9:24 pm

interplanetjanet wrote:Keep in mind that even if KeePass keeps critical plaintext out of the page file (such as your master password) any intermediary that may handle a password that's unencrypted from the KeePass database (like, say, your web browser) has a chance to have it paged out while it's handling it unless it takes steps as well.
This is the key point.

Although my personal tests using KeePass indicated that using the software directly did leak clear text passwords into the page file, even if that was fixed (and it may be with the latest versions), it can still end up in the page file as clear text via other programs, as you mentioned. Encrypting the page file is the only way around this in windows, that I know of.

bvp
Posts: 124
Joined: Mon Feb 21, 2011 9:31 am

Re: How I Handle Information Security

Post by bvp » Sun Feb 19, 2012 9:44 pm

All that security, defeated by a simple key logger. :wink:

Go with some complex passwords, a patched Linux VM, google chrome and call it a day.

saied45
Posts: 119
Joined: Sat Oct 08, 2011 6:08 pm

Re: How I Handle Information Security

Post by saied45 » Sun Feb 19, 2012 10:13 pm

bvp wrote:All that security, defeated by a simple key logger. :wink:

Go with some complex passwords, a patched Linux VM, google chrome and call it a day.
Most financial institutions let you enter your password using the mouse and onscreen keyboard. Also, if you are careful and don't visit sites that are known for viruses/keyloggers etc. and use an up to date antivirus, then you should be fine. Remember, no amount of security you implement will be 100% foolproof, but using basic knowledge plus a little caution can go a long way.

BigFoot48
Posts: 2757
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: How I Handle Information Security

Post by BigFoot48 » Sun Feb 19, 2012 10:28 pm

Mark, great post and people should make a copy of it for future reference. I also use all three of those useful free tools. I have slowly evolved to using unique complex passwords that I can no longer memorize for all of my financial websites, and I rely on KeePass to either enter them into the site at log on, or allow me to copy them for pasting into the password field. The only exception is Treasury Direct where I use a short, easy to remember password for its unique logon system.
Last edited by BigFoot48 on Mon Feb 20, 2012 8:20 am, edited 1 time in total.
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 14-time loser

itypefast
Posts: 199
Joined: Sat Nov 19, 2011 5:35 pm

Re: How I Handle Information Security

Post by itypefast » Mon Feb 20, 2012 8:13 am

I've been in IT for 20 years and I have to say to the OP that this is great advice.

A few points to consider:
1. Using a TrueCrypt volume on Dropbox will cause a lot of network traffic because the entire TrueCrypt volume changes every time anything within it changes. This necessitates syncing the entire file to the server and then to each client again for any minor change. For this reason, keep the TC volume small.
2. I use KeePass as well but don't recommend putting SSNs or driver's license numbers in it. Better to just memorize them which isn't difficult.
3. Swap file inclusion problem isn't unique to KeePass. Any app you type a password into can store it in plaintext in the swap file. What's the concern? If someone has access to your computer, you have bigger problems than someone going through your swap file.

bvp
Posts: 124
Joined: Mon Feb 21, 2011 9:31 am

Re: How I Handle Information Security

Post by bvp » Mon Feb 20, 2012 8:28 am

saied45 wrote:
bvp wrote:All that security, defeated by a simple key logger. :wink:

Go with some complex passwords, a patched Linux VM, google chrome and call it a day.
Most financial institutions let you enter your password using the mouse and onscreen keyboard. Also, if you are careful and don't visit sites that are known for viruses/keyloggers etc. and use an up to date antivirus, then you should be fine. Remember, no amount of security you implement will be 100% foolproof, but using basic knowledge plus a little caution can go a long way.
That's my point - basic knowledge plus a little caution goes a long way. It eliminates the need for all that.

Edit - but props to the OP. they've got something that works.

Sidney
Posts: 6736
Joined: Thu Mar 08, 2007 6:06 pm

Re: How I Handle Information Security

Post by Sidney » Mon Feb 20, 2012 8:56 am

itypefast wrote:I've been in IT for 20 years and I have to say to the OP that this is great advice.

A few points to consider:
1. Using a TrueCrypt volume on Dropbox will cause a lot of network traffic because the entire TrueCrypt volume changes every time anything within it changes. This necessitates syncing the entire file to the server and then to each client again for any minor change. For this reason, keep the TC volume small.
2. I use KeePass as well but don't recommend putting SSNs or driver's license numbers in it. Better to just memorize them which isn't difficult.
3. Swap file inclusion problem isn't unique to KeePass. Any app you type a password into can store it in plaintext in the swap file. What's the concern? If someone has access to your computer, you have bigger problems than someone going through your swap file.
Is the encryption built in to KeePass inferior? If so, I would suggest that it isn't a good idea to use it for passwords if you are also concerned to put something in like a driver's license number.
I always wanted to be a procrastinator.

BigFoot48
Posts: 2757
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: How I Handle Information Security

Post by BigFoot48 » Mon Feb 20, 2012 9:40 am

Sidney wrote:Is the encryption built in to KeePass inferior? If so, I would suggest that it isn't a good idea to use it for passwords if you are also concerned to put something in like a driver's license number.
It's about as good as it gets! http://keepass.info/features.html#lnksec
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 14-time loser

edge
Posts: 3452
Joined: Mon Feb 19, 2007 7:44 pm
Location: NY

Re: How I Handle Information Security

Post by edge » Mon Feb 20, 2012 9:58 am

Long and complex passwords are a waste of time. No one actually tries to brute force passwords.

yosef
Posts: 338
Joined: Tue May 24, 2011 2:10 pm

Re: How I Handle Information Security

Post by yosef » Mon Feb 20, 2012 10:22 am

edge wrote:Long and complex passwords are a waste of time. No one actually tries to brute force passwords.
Umm, the whole reason to use long and complex passwords is to effectively *require* a brute force attack to break them. So your statement is contradictory.

geekpryde
Posts: 92
Joined: Mon Jun 01, 2009 2:37 pm

Re: How I Handle Information Security

Post by geekpryde » Mon Feb 20, 2012 10:28 am

edge wrote:Long and complex passwords are a waste of time. No one actually tries to brute force passwords.
Hmmm, that is a very untrue statement.

Back on topic, I would like to add my strong recommendation for using KeePass. Even if you don't care about the security features (which you should), the convenience features make life so much easier. I can sign in to about 140 sites, everything from banks, to credit cards, to forums like Bogleheads.org, with a simple double click of the URL in KeePass, ALT-TAB (to get back to KeePass), and then a CTRL-V to have KeePass drop to background and autotype my user/password. I can easily see every site I have ever created an account with, easily create complex passwords, auto sign-in without remembering said complex passwords, leave notes about certain sites, loans, accounts, social security IDs for all family members, etc. There are many more features, but I won't run down them all. What's not to love?!

Combine KeePass with Windows Live Mesh (what I use), or Dropbox, and you have the file everywhere you need it, constantly synced.

Of course it is a single point of failure, so back up the file, and create a very complex master password. Of course, since this is the ONLY complex and long password you will need to remember, and you will most likely be trying it several times a day, you will get very good and fast at it.

Sidney
Posts: 6736
Joined: Thu Mar 08, 2007 6:06 pm

Re: How I Handle Information Security

Post by Sidney » Mon Feb 20, 2012 10:46 am

geekpryde wrote: Of course it is a single point of failure, so back up the file, and create a very complex master password.
This really only creates two identical single points of failure. I have never met a database that can't get corrupted some time in its life. I keep a paper printout in safe deposit box.
I always wanted to be a procrastinator.

brianH
Posts: 328
Joined: Wed Aug 12, 2009 12:21 pm

Re: How I Handle Information Security

Post by brianH » Mon Feb 20, 2012 10:56 am

Great tips.

I'll add my own for using KeePass for the slightly more computer literate:

1. Use a keyfile + password. KeePass has the option to use a file (it creates) on your disk in addition to the password you enter. Assuming you use a sync service (Dropbox) to move your PW database around, having the keyfile not sync'd with the DB is an extra layer of security. Without that file, even if your password was '123', the database is safe.
2. Windows Vista/7 - Set the access on the keyfile to admin only (Administrators role). Right click, properties, security, remove all accounts except System and Administrators.
3. Run KeePass as admin. Find the executable file (C:\Program Files (x86)\KeePass\KeePass.exe), right click, properties, compatibility, check 'run as admin'. This will give you a UAC prompt every time you launch it, and it will allow the program to read the keyfile protected in step 2.

The point behind steps 2 and 3 is to prevent a user-space virus from being able to access your keyfile. Malware that tricks you into running it or compromises something in your browser will be running in your user's space (non-elevated.) Elevating to admin access cannot occur (*1) without a UAC prompt.

(*1) - Set UAC to the highest level (http://www.7tutorials.com/how-change-us ... uac-levels) hacks have been found that can get around the one-notch-down level that Win 7 defaults to.

Make sure Data Execution Prevention (DEP) is on (http://windows.microsoft.com/en-US/wind ... n-settings)

If possible, always use 64-bit operating systems. The ASLR (http://en.wikipedia.org/wiki/Address_sp ... domization) is much better in 64 bit OSs.
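To show what brianH's key file step buys against the offline attacker FNK describes (someone who leaves with a copy of the password database), here is an added example of a composite master key. It is my illustration of the idea, not KeePass's own code or its exact key derivation: each component is hashed, the hashes are concatenated and hashed again, and the result is stretched with PBKDF2 before a verification tag is computed. The function names, the round count, the key file bytes and the wordlist are all constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

DEFAULT_ROUNDS = 100_000   # constructed key-stretching count for this demo

# Constructed stand-in for a key file generated once and kept off the sync service.
DEMO_KEYFILE = secrets.token_bytes(32)


def composite_key(password, keyfile_bytes=None):
    """Fold the password and (optionally) the key file into one 32-byte secret.

    Modelled on the idea behind a composite master key (hash each component,
    then hash the concatenation); an illustration, not KeePass's construction.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        material += hashlib.sha256(keyfile_bytes).digest()
    return hashlib.sha256(material).digest()


def derive_master_key(composite, salt, rounds):
    """Stretch the composite secret so every guess costs the attacker real work."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def create_header(password, keyfile_bytes=None, rounds=DEFAULT_ROUNDS):
    """What a database stores in the clear: salt, round count and a verification
    tag that lets the program tell a right key from a wrong one."""
    salt = os.urandom(16)
    key = derive_master_key(composite_key(password, keyfile_bytes), salt, rounds)
    tag = hmac.new(key, b"header-check", "sha256").digest()
    return {"salt": salt, "rounds": rounds, "tag": tag}


def unlock(header, password, keyfile_bytes=None):
    """True if password (+ key file) reproduces the stored verification tag."""
    key = derive_master_key(composite_key(password, keyfile_bytes),
                            header["salt"], header["rounds"])
    candidate = hmac.new(key, b"header-check", "sha256").digest()
    return hmac.compare_digest(candidate, header["tag"])


def dictionary_attack(header, candidate_passwords, keyfile_bytes=None):
    """What an attacker holding only the database file and a wordlist can do:
    try each password in turn. Returns the password that unlocked, or None."""
    for pw in candidate_passwords:
        if unlock(header, pw, keyfile_bytes):
            return pw
    return None


WORDLIST = ["password", "123456", "123", "letmein", "qwerty"]   # constructed


def demo(rounds=DEFAULT_ROUNDS):
    """Weak password '123' with and without the key file, against the wordlist."""
    with_keyfile = create_header("123", DEMO_KEYFILE, rounds)
    without_keyfile = create_header("123", None, rounds)
    return {
        "db_without_keyfile_cracked": dictionary_attack(without_keyfile, WORDLIST),
        "db_with_keyfile_attacker_lacks_it": dictionary_attack(with_keyfile, WORDLIST),
        "db_with_keyfile_attacker_has_it": dictionary_attack(with_keyfile, WORDLIST, DEMO_KEYFILE),
        "wrong_keyfile_right_password": unlock(with_keyfile, "123", bytes(32)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The result is the property brianH describes: the database synced through Dropbox is useless to whoever obtains it unless they also obtain the 32 random bytes of the key file, so the attacker's work is no longer bounded by the password's guessability. The flip side is the one Sidney raises: lose the key file and the database is gone, so the key file needs its own offline backup just as the database does.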

LazyNihilist
Posts: 901
Joined: Sat Feb 19, 2011 9:56 pm

Re: How I Handle Information Security

Post by LazyNihilist » Mon Feb 20, 2012 11:07 am


:lol:
The strong do what they can and the weak suffer what they must -Thucydides

LazyNihilist
Posts: 901
Joined: Sat Feb 19, 2011 9:56 pm

Re: How I Handle Information Security

Post by LazyNihilist » Mon Feb 20, 2012 11:11 am

edge wrote:Long and complex passwords are a waste of time. No one actually tries to brute force passwords.
Very bad advice. There are tons of brute force attempts at cracking passwords.
Complex passwords, hard to brute force but easy to remember are a great step in Information Security.
The strong do what they can and the weak suffer what they must -Thucydides

LazyNihilist
Posts: 901
Joined: Sat Feb 19, 2011 9:56 pm

Re: How I Handle Information Security

Post by LazyNihilist » Mon Feb 20, 2012 11:13 am

saied45 wrote:
bvp wrote:All that security, defeated by a simple key logger. :wink:

Go with some complex passwords, a patched Linux VM, google chrome and call it a day.
Most financial institutions let you enter your password using the mouse and onscreen keyboard. Also, if you are careful and don't visit sites that are known for viruses/keyloggers etc. and use an up to date antivirus, then you should be fine. Remember, no amount of security you implement will be 100% foolproof, but using basic knowledge plus a little caution can go a long way.
+1
The strong do what they can and the weak suffer what they must -Thucydides

edge
Posts: 3452
Joined: Mon Feb 19, 2007 7:44 pm
Location: NY

Re: How I Handle Information Security

Post by edge » Mon Feb 20, 2012 6:16 pm

LazyNihilist wrote:
edge wrote:Long and complex passwords are a waste of time. No one actually tries to brute force passwords.
Very bad advice. There are tons of brute force attempts at cracking passwords.
Complex passwords, hard to brute force but easy to remember are a great step in Information Security.
Really? How many brute force attacks on an individual's password on a financial website have succeeded? Brute force attacks do not work on these types of passwords because you get locked out after a small number of tries. Long complicated passwords are a waste of time. So is changing them all the time unless they could be disclosed some other way.

All these 'long complicated passwords are good' arguments seem to lack any substance at all. They aren't even good when someone is brute forcing, since it's a computer performing the brute force and it doesn't care about how complicated your silly password is.

Make your passwords a little less obvious than your birthday and you are pretty much OK.

The Wizard
Posts: 13356
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Re: How I Handle Information Security

Post by The Wizard » Mon Feb 20, 2012 6:29 pm

edge wrote:Long and complex passwords are a waste of time. No one actually tries to brute force passwords.
I agree, but don't tell any corporate IT depts.
A lot of their justification depends on folks believing this.
It's a Y2K kinda thing...
Attempted new signature...

interplanetjanet
Posts: 2226
Joined: Mon Jan 24, 2011 4:52 pm
Location: the wilds of central California

Re: How I Handle Information Security

Post by interplanetjanet » Mon Feb 20, 2012 6:46 pm

The Wizard wrote:
edge wrote:Long and complex passwords are a waste of time. No one actually tries to brute force passwords.
I agree, but don't tell any corporate IT depts.
A lot of their justification depends on folks believing this.
It's a Y2K kinda thing...
Brute forcing is alive and well, but is the most significant threat in situations where password crack attempts can be made off-line. In many systems depending on password validation, the user's password goes through a one-way hash function to generate an encrypted password that is then stored. If the attacker gains access to these encrypted passwords, they are not immediately able to derive useful passwords from them, but they can take their time making brute-force attempts, with thousands or more attempts made per second - with the use of computing clusters and precalculated tables, many millions of attempts can be made per second.

Exposure of back-end databases containing these encrypted passwords happens, and is not an infrequent goal of attack on a *site* or centrally authenticated portion of computing infrastructure. You are unlikely to be individually targeted for your account, but if someone compromises a site's encrypted password database, accounts with simple passwords may be broken immediately and complex ones may take far longer or not be broken at all.

As with everything, the gain in security made with complex passwords is incremental, and they are not a panacea. They do help to a measurable degree, though.

-janet [who once had to gently ask her new boss to please use a more secure password than just a body part and an exclamation mark]

bvp
Posts: 124
Joined: Mon Feb 21, 2011 9:31 am

Re: How I Handle Information Security

Post by bvp » Mon Feb 20, 2012 7:01 pm

interplanetjanet wrote:
The Wizard wrote:
edge wrote:Long and complex passwords are a waste of time. No one actually tries to brute force passwords.
I agree, but don't tell any corporate IT depts.
A lot of their justification depends on folks believing this.
It's a Y2K kinda thing...
Brute forcing is alive and well, but is the most significant threat in situations where password crack attempts can be made off-line. In many systems depending on password validation, the user's password goes through a one-way hash function to generate an encrypted password that is then stored. If the attacker gains access to these encrypted passwords, they are not immediately able to derive useful passwords from them, but they can take their time making brute-force attempts, with thousands or more attempts made per second - with the use of computing clusters and precalculated tables, many millions of attempts can be made per second.

Exposure of back-end databases containing these encrypted passwords happens, and is not an infrequent goal of attack on a *site* or centrally authenticated portion of computing infrastructure. You are unlikely to be individually targeted for your account, but if someone compromises a site's encrypted password database, accounts with simple passwords may be broken immediately and complex ones may take far longer or not be broken at all.

As with everything, the gain in security made with complex passwords is incremental, and they are not a panacea. They do help to a measurable degree, though.

-janet [who once had to gently ask her new boss to please use a more secure password than just a body part and an exclamation mark]
Winner winner chicken dinner. Long and complex passwords can render offline password attacks ineffective. I do disagree with your final statement though. Long, complex passwords (and unique ones, don't use the same password for every site) is probably the #1 thing you can do to protect yourself.

[edit] #2 being to not use Microsoft Windows in conjunction with Internet Explorer (and Microsoft Office).

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: How I Handle Information Security

Post by FNK » Mon Feb 20, 2012 7:08 pm

edge wrote:Really? How many brute force attacks on an individual's password on a financial website has succeeded?
Didn't they tell you? Oh, they don't disclose most break-ins? Then we don't know, do we?

Anyway, different passwords for different sites is a solid requirement, and since pw databases make that stupidly simple, why not have the databases make them long and complex while they are at it. No incremental cost.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: How I Handle Information Security

Post by FNK » Mon Feb 20, 2012 7:11 pm

brianH wrote:The point behind steps 2 and 3 are to prevent a user-space virus from being able to access your keyfile.
Unless, of course, the virus infects KeePass. ;-)

Teaching yourself to type in the admin password without thinking is questionable. But if you stay vigilant about that, sure, a nice incremental improvement.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: How I Handle Information Security

Post by FNK » Mon Feb 20, 2012 7:16 pm

itypefast wrote:Using a TrueCrypt volume on Dropbox will cause a lot of network traffic because the entire TrueCrypt volume changes every time anything within it changes. This necessitates syncing the entire file to the server and then to each client again for any minor change. For this reason, keep the TC volume small.
20 years in IT and have not learned to verify your assumptions? TrueCrypt uses XTS encryption which only changes localized areas of the file, and Dropbox does incremental syncing.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: How I Handle Information Security

Post by FNK » Mon Feb 20, 2012 7:19 pm

BigFoot48 wrote:The only exception is Treasury Direct where I use a short, easy to remember password for its unique logon system.
The only site that promises no responsibility if it's compromised? Ouch.

LastPass beats KeePass with TD thanks to its browser integration: it can fill in the password behind the stupid screen keyboard.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: How I Handle Information Security

Post by FNK » Mon Feb 20, 2012 7:23 pm

saied45 wrote:LastPass is clearly much easier to use. However, it does have one bad issue: your passwords are saved in the cloud rather than on your own local HD (which, as the OP mentioned, is encrypted). If LastPass gets hacked (and it has before, but only minor hacking was done), all your passwords are at risk because now the hacker has your ID and password information, and by the time you know LastPass was hacked it might be too late.
LastPass was not hacked at all, and it encrypts everything on your computer.

KeePass + Dropbox may be marginally more secure than LastPass, but not significantly so.

Dropbox once allowed wide-open access to customer files.

edge
Posts: 3452
Joined: Mon Feb 19, 2007 7:44 pm
Location: NY

Re: How I Handle Information Security

Post by edge » Mon Feb 20, 2012 7:46 pm

Uh, how does a long complicated password make an offline attack 'ineffective'? It doesn't. If someone has an encrypted password and has the capability to test against it offline then you are finished. As if a computer cares how long and 'complicated' your password is (as if a computer thinks putting numbers and symbols into a password is 'complicated'). All this stuff is warm blanket crud that has no actual basis in security.

Your best protection is _NOT_ having a stupidly long password, it is in keeping that password to yourself and not using it in multiple places, especially places where you can expect the security to be less than at a financial web site.
bvp wrote:
interplanetjanet wrote:
The Wizard wrote:
edge wrote:Long and complex passwords are a waste of time. No one actually tries to brute force passwords.
I agree, but don't tell any corporate IT depts.
A lot of their justification depends on folks believing this.
It's a Y2K kinda thing...
Brute forcing is alive and well, but is the most significant threat in situations where password crack attempts can be made off-line. In many systems depending on password validation, the user's password goes through a one-way hash function to generate an encrypted password that is then stored. If the attacker gains access to these encrypted passwords, they are not immediately able to derive useful passwords from them, but they can take their time making brute-force attempts, with thousands or more attempts made per second - with the use of computing clusters and precalculated tables, many millions of attempts can be made per second.

Exposure of back-end databases containing these encrypted passwords happens, and is not an infrequent goal of attack on a *site* or centrally authenticated portion of computing infrastructure. You are unlikely to be individually targeted for your account, but if someone compromises a site's encrypted password database, accounts with simple passwords may be broken immediately and complex ones may take far longer or not be broken at all.

As with everything, the gain in security made with complex passwords is incremental, and they are not a panacea. They do help to a measurable degree, though.

-janet [who once had to gently ask her new boss to please use a more secure password than just a body part and an exclamation mark]
Winner winner chicken dinner. Long and complex passwords can render offline password attacks ineffective. I do disagree with your final statement though. Long, complex passwords (and unique ones, don't use the same password for every site) is probably the #1 thing you can do to protect yourself.

[edit] #2 being to not use Microsoft Windows in conjunction with Internet Explorer (and Microsoft Office).

Saving$
Posts: 1840
Joined: Sat Nov 05, 2011 8:33 pm

Re: How I Handle Information Security

Post by Saving$ » Mon Feb 20, 2012 7:55 pm

Again, THANK YOU for this thread. Stealing of financial data and/or pw's is one of my biggest concerns.

It seems the biggest threats are:
a. malware or keyloggers getting onto your computer via browsing the net
b. someone physically stealing your computer and figuring out how to get past whatever security you have
c. someone hacking into your home wireless network (could be via a. above)
Not sure if the above is correct, but from an amateur's point of view, they seem to be what you read about. In order to avoid the problem with a. and thus keep financial data relatively safe, would launching a browser only through something like Sandboxie help?

To the person who posted that most financial institutions allow you to enter your password via onscreen mouse clicking, I must say that I have accounts at multiple places and the only one that ever had such a system was ING Direct. Where else are you seeing this?

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: How I Handle Information Security

Post by Epsilon Delta » Mon Feb 20, 2012 8:43 pm

edge wrote:Uh, how does a long complicated password make an offline attack 'ineffective'? It doesn't. If someone has an encrypted password and has the capability to test against it offline then you are finished. As if a computer cares how long and 'complicated' your password is (as if a computer thinks putting numbers and symbols into a password is 'complicated').
A long password means that no-one has the capacity to test against it offline. You can reasonably choose a password that is long enough that all the computing power on Earth cannot break it before the Sun goes nova.

Elysium
Posts: 1925
Joined: Mon Apr 02, 2007 6:22 pm

Re: How I Handle Information Security

Post by Elysium » Mon Feb 20, 2012 9:20 pm

Strength of encryption is more important than a long and complex password. You might have a long and complex password, but if the encryption cipher is weak and the attacker has it available for an offline attack, then it doesn't take many million iterations to crack it. OTOH, if the cipher strength is strong then even not-so-long and complex passwords take time to crack. Let's hope the financial institutions are employing the best encryption methods, and keeping them secure. In many large organizations passwords are not kept so secure in storage; there are many engineers with access levels that can decrypt passwords on the fly. But most won't do it, since there are strong deterrents against it. Typically what users do on their end is not the common cause of accounts getting compromised; rather it is the practice at the financial institution.

interplanetjanet
Posts: 2226
Joined: Mon Jan 24, 2011 4:52 pm
Location: the wilds of central California

Re: How I Handle Information Security

Post by interplanetjanet » Mon Feb 20, 2012 9:22 pm

edge wrote:Uh, how does a long complicated password make an offline attack 'ineffective'? It doesn't. If someone has an encrypted password and has the capability to test against it offline then you are finished. As if a computer cares how long and 'complicated' your password is (as if a computer thinks putting numbers and symbols into a password is 'complicated'). All this stuff is warm blanket crud that has no actual basis in security.
The difference between a short (8 character or so) and a long password, from a brute forcing point of view, is night and day.

With precomputed tables and ample computing power, it's possible to brute-force a <8 character password using some popular algorithms in time on the order of or less than a day. Passphrases or longer passwords can raise this to centuries or longer with only a modest increase in length, even using computing clusters to attack the problem in parallel or presuming advances in computing performance. As I said before, the gain in security made with complex passwords is incremental, and they are not a panacea. They will not solve all problems but they measurably help against this one. Encrypted password compromise does happen and if you can make your password unattractive to crack, the likelihood of an individual account compromise will decrease. Should an attacker compromise an administrative account or similar in your infrastructure then they may well be able to do whatever they like, but you cannot effectively defend against this - you *can* defend against individual account compromise to some degree.
Your best protection is _NOT_ having a stupidly long password, it is in keeping that password to yourself and not using it in multiple places, especially places where you can expect the security to be less than at a financial web site.
The last point is excellent. Do not reuse passwords.

-janet
Last edited by interplanetjanet on Mon Feb 20, 2012 9:45 pm, edited 2 times in total.
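A worked illustration of the offline attack janet describes in her two posts above (a stored one-way hash, guessed at thousands to billions of times per second) and of why length and a deliberately slow hash change the attacker's cost. This is an added example, not code from the thread; the guess rates, alphabet sizes and the 29-character length (taken from the original post's passphrase) are constructed assumptions.

```python
"""Added example: cost model for offline password cracking, plus the salted,
slow hashing a server should use so that each guess is expensive.

All rates and sizes below are constructed assumptions for illustration."""
import hashlib
import hmac
import math
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of work to exhaust every string of `length` symbols drawn
    uniformly from an alphabet of `alphabet_size` symbols.  This is an
    upper bound: a passphrase built from common words has far fewer bits
    than its character count suggests."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years for an exhaustive offline search at the given rate.
    On average the attacker tries half the space before hitting the answer."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def make_password_record(password: str, iterations: int = 100_000) -> dict:
    """What a site should store instead of the password: a random salt and a
    salted, iterated PBKDF2-HMAC-SHA256 digest.  The salt defeats the
    precalculated tables janet mentions; the iteration count makes every
    offline guess cost 100k hash operations instead of one."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# Constructed scenarios: an 8-character password over lower-case letters and
# digits (36 symbols) versus a 29-character mixed-case passphrase with digits
# and punctuation (assume 72 symbols), the style the original post recommends.
SHORT_BITS = search_space_bits(36, 8)
LONG_BITS = search_space_bits(72, 29)

# Constructed guess rates: a fast unsalted hash on a GPU cluster, and the same
# hardware slowed by the 100k-iteration PBKDF2 used in make_password_record.
FAST_HASH_RATE = 1e10
SLOW_HASH_RATE = FAST_HASH_RATE / 100_000


def crack_time_table() -> dict:
    """Expected years for each (length, hash speed) combination."""
    return {
        "short/fast": expected_years_to_crack(SHORT_BITS, FAST_HASH_RATE),
        "short/slow": expected_years_to_crack(SHORT_BITS, SLOW_HASH_RATE),
        "long/fast": expected_years_to_crack(LONG_BITS, FAST_HASH_RATE),
        "long/slow": expected_years_to_crack(LONG_BITS, SLOW_HASH_RATE),
    }


if __name__ == "__main__":
    for name, years in crack_time_table().items():
        print(f"{name:11s} {years:12.3e} years")
    rec = make_password_record("constructed sample passphrase")
    print("verify ok:", verify_password(rec, "constructed sample passphrase"))
```

The short password falls in minutes against a fast hash and only rises to months with the slow one, while the long one is out of reach either way; the slow hash is the site's lever, the length is the user's.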

interplanetjanet
Posts: 2226
Joined: Mon Jan 24, 2011 4:52 pm
Location: the wilds of central California

Re: How I Handle Information Security

Post by interplanetjanet » Mon Feb 20, 2012 9:25 pm

bvp wrote:
interplanetjanet wrote:As with everything, the gain in security made with complex passwords is incremental, and they are not a panacea. They do help to a measurable degree, though.
I do disagree with your final statement though. Long, complex passwords (and unique ones, don't use the same password for every site) is probably the #1 thing you can do to protect yourself.
I don't see the disagreement between your statement and mine. Can you elaborate?

-janet

saied45
Posts: 119
Joined: Sat Oct 08, 2011 6:08 pm

Re: How I Handle Information Security

Post by saied45 » Mon Feb 20, 2012 9:26 pm

FNK wrote:
saied45 wrote:LastPass is clearly much easier to use. However, it does have one bad issue: your passwords are saved in the cloud rather than on your own local HD (which, as the OP mentioned, is encrypted). If LastPass gets hacked (and it has before, but only minor hacking was done), all your passwords are at risk because now the hacker has your ID and password information, and by the time you know LastPass was hacked it might be too late.
LastPass was not hacked at all, and it encrypts everything on your computer.

KeePass + Dropbox may be marginally more secure than LastPass, but not significantly so.

Dropbox once allowed wide-open access to customer files.
You're right. I talk out of my butt.
http://mashable.com/2011/05/05/last-pass-breach/

interplanetjanet
Posts: 2226
Joined: Mon Jan 24, 2011 4:52 pm
Location: the wilds of central California

Re: How I Handle Information Security

Post by interplanetjanet » Mon Feb 20, 2012 10:10 pm

Epsilon Delta wrote:A long password means that no-one has the capacity to test against it offline. You can reasonably choose a password that is long enough that all the computing power on Earth cannot break it before the Sun goes nova.
If the Sun was going to go nova, I'd agree with you, but that's splitting hairs. ;)

(on second thought, your statement is right regardless, so it's all good)

-janet
Last edited by interplanetjanet on Mon Feb 20, 2012 11:04 pm, edited 1 time in total.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: How I Handle Information Security

Post by Epsilon Delta » Mon Feb 20, 2012 10:22 pm

Dieharder wrote:Strength of encryption is more important than a long and complex password. You might have a long and complex password, but if the encryption cipher is weak and the attacker has it available for an offline attack, then it doesn't take many million iterations to crack it. OTOH, if the cipher strength is strong then even not-so-long and complex passwords take time to crack. Let's hope the financial institutions are employing the best encryption methods, and keeping them secure. In many large organizations passwords are not kept so secure in storage; there are many engineers with access levels that can decrypt passwords on the fly. But most won't do it, since there are strong deterrents against it. Typically what users do on their end is not the common cause of accounts getting compromised; rather it is the practice at the financial institution.
You need strong encryption, and long keys, and good personnel. The attacker gets to choose - if the cypher is weak he attacks the cypher, if the cypher is strong he attacks the key, if the staff are weak he bribes the engineers ... . You don't have control over most things, but you do have control over the key.

Any encryption can be broken by brute force trial and error of possible keys. The best possible encryption is when brute forcing all keys is the best attack. This has little to do with how fast you can test a key. If it takes a long time to test a key, the cypher (or at least your implementation) is slow, but not necessarily strong.

DES is broken only because it does not support long keys and is now easy to brute force all possible keys.

itypefast
Posts: 199
Joined: Sat Nov 19, 2011 5:35 pm

Re: How I Handle Information Security

Post by itypefast » Mon Feb 20, 2012 10:32 pm

FNK wrote:
itypefast wrote:Using a TrueCrypt volume on Dropbox will cause a lot of network traffic because the entire TrueCrypt volume changes every time anything within it changes. This necessitates syncing the entire file to the server and then to each client again for any minor change. For this reason, keep the TC volume small.
20 years in IT and have not learned to verify your assumptions? TrueCrypt uses XTS encryption which only changes localized areas of the file, and Dropbox does incremental syncing.
No need to be insulting. I have in fact 100% verified this on my own system. Storing large TrueCrypt volumes on Dropbox leads to very high network traffic when the files in the TC volume are updated.
