
Password vaults...are they secure?


11 replies to this topic

#1 IAMFree


Posted 19 May 2016 - 11:57 AM

I am in the process of trying to determine which password vault to use on my Windows phone as well as on my PC.

 

I am hesitant to install and use one, as I am not familiar with them enough to feel secure putting the key to all of my vitals in one location.

My fear is that the developer has put a call home feature or back door into the program, so I would basically be giving them access to my fortress.

 

So, does that make open source the way to go? Who or what agencies have checked the code to ensure there isn't anything malicious in there?

 

 





#2 BaronCardinal


Posted 19 May 2016 - 12:16 PM

I feel like this would be the same as using the same password for everything that you do. If you feel comfortable doing that, move forward. Arguably if you have a lot of passwords to remember it might be safer to have one generate one for you.

 

 

 

https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201510_en.pdf



#3 IAMFree


Posted 19 May 2016 - 12:27 PM

> I feel like this would be the same as using the same password for everything that you do. If you feel comfortable doing that, move forward. Arguably if you have a lot of passwords to remember it might be safer to have one generate one for you.
>
> https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201510_en.pdf

Initially, I was using the same password for all of my online needs, but knew that was a big no no...then started using variations of the same password, but had direct relevance to a particular site I was connecting to. The problem I have run into is that because each site has different requirements for passwords, I can't use one standard of variants for all sites and thus causes the issue with remembering passwords.

I am at the point where I can gain access to about 30% of the sites first try, but the remaining 70% either takes multiple guesses as to what my password is or I have to click on the forgot password link....uhhg!


Edited by IAMFree, 19 May 2016 - 12:27 PM.


#4 Didier Stevens


Posted 19 May 2016 - 05:04 PM

I use KeePass. It's offline and open source.
There are ports for Windows Phone, but I don't use these.

http://keepass.info/download.html

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Animal


Posted 19 May 2016 - 09:18 PM

I too use KeePass. I do use the Android app with Dropbox linking. Windows and Android version 2 each.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#6 rp88


Posted 23 May 2016 - 10:58 AM

Personally I'd say it's more secure not to. Password vault software can be VERY well designed but it's still software, it's still on computers and it can still have weaknesses. If it does have a weakness, or if someone gets hold of your single master password, then they would be able to get into anything if you use a password vault. On the other hand, writing passwords down* is immune to hacking as long as the risk is not from anyone with physical access to the paper pad you keep the passwords on. I would suggest keeping the most important passwords all different and stored nowhere except your memory, that is to say bank/primary email account/... Other passwords, make sure they're all different and write them in the book.


*Make sure this book is kept safe: in a safe is a good place, on your desk right next to your computer is not a good place, in your pocket/wallet could be a good place too. The book is, to those with physical access, more vulnerable than password managers, but most hackers do not have physical access, which is why such a book makes sense: it keeps the passwords in a place where the world's most capable hackers could not see them, because they are not on a computer. Also you could disguise it, that is to say mix the password into other words or write the passwords backwards, make it look like unimportant doodling with random characters scattered through it...

Edited by rp88, 23 May 2016 - 11:00 AM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#7 themantis


Posted 23 May 2016 - 11:46 AM

It's as good as your master password. But again, as rp88 mentioned, "it's still software", such as TrueCrypt.

http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/


Edited by themantis, 23 May 2016 - 11:48 AM.


#8 pdmike


Posted 31 May 2016 - 10:20 PM

I have used Keeper for years and found it to be very user friendly.  To my knowledge, it has never been breached.



#9 IAMFree


Posted 01 June 2016 - 01:32 PM

I've opted to use Password Padlock for my Windows phone with only local storage. I'm not fond of cloud storage for passwords, regardless of the encryption methods.



#10 tealover


Posted 03 June 2016 - 03:22 PM

Here's a cautionary article

 

http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

 

And more on password cracking.

 

http://arstechnica.com/search/?ie=UTF-8&q=password+cracking


Edited by tealover, 03 June 2016 - 03:24 PM.


#11 MDD1963


Posted 15 June 2016 - 06:31 AM

You can even use a simple notepad file (encrypted of course), or keypass, or LastPass......


Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060


#12 KingDavidlll


Posted 16 June 2016 - 07:16 AM

It honestly depends on which password manager you are using and what you are using it for. Honestly, most of the time that you get your password breached is when a website is breached and a lot of passwords are sold/leaked. I honestly think the best way to protect against this is to get a password manager as, let's face it, most of the sites you would like to keep safe, except there are just too many that you have credentials to, to remember a different secure password for each one, and even if someone gets into them, it's more of a hassle than anything else. Also, if a password manager is good, it encrypts all of the passwords by that master password and doesn't store that password anywhere, so it's impossible to access without it, and so the only real way for someone to gain access is to steal the passwords and keep on cracking it for a few years, or get a keylogger/breach your system and, let's face it, if they have that then you're going to get breached as soon as you access those sites anyway.

 

Also, to be honest, the safest thing I think to protect you is to get an actual safe, inside of your place of work, write your passwords on pieces of paper and don't remember them, and put your passwords in there.  They will be quite secure.
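
The design described in post #12 (a vault encrypted under a key derived from the master password, with the password itself never stored), as an added example that is not part of the original thread and not any product's code. The iteration count, the names `seal`/`unseal`, the sample entry, and the HMAC counter-mode keystream (a standard-library stand-in for a vetted AEAD such as AES-GCM) are assumptions of this sketch.

```python
import hashlib, hmac, json, os

ITERATIONS = 300_000  # assumed work factor for this sketch; real products choose their own

def _derive_keys(master: str, salt: bytes):
    # Slow KDF: every guess at the master password costs ITERATIONS hash rounds.
    root = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD cipher.
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(blocks))
    return stream[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master: str, entries: dict) -> dict:
    """Encrypt entries; the returned blob is everything that gets written to disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    plain = json.dumps(entries).encode()
    ct = _xor(plain, _keystream(enc_key, nonce, len(plain)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(master: str, blob: dict) -> dict:
    """Re-derive the keys from the typed password; check the tag before decrypting."""
    enc_key, mac_key = _derive_keys(master, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or modified vault")
    plain = _xor(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"])))
    return json.loads(plain)

if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    vault = seal("correct horse battery staple", {"example.test": "s3cret-Constructed!"})
    print(unseal("correct horse battery staple", vault))
```

Someone who copies the blob has only the salt, nonce, ciphertext and tag, so each guess at the master password costs a full key derivation; that cost, multiplied by the strength of the master password, is what stands between a stolen vault file and its contents.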





