Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book General > General Discussions

Notices

Reply
 
Thread Tools Search this Thread
Old 04-18-2013, 06:31 PM   #31
Penforhire
Wizard
Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.Penforhire ought to be getting tired of karma fortunes by now.
 
Posts: 2,073
Karma: 6830420
Join Date: Nov 2007
Location: Southern California
Device: Kindle PW, PRS-650, iPhone 4, iPad 4
If someone physically gets hold of your laptop (or other PC) it is generally still game-over for us. They can, for example, install a key-logger and learn your Keepass and Dropbox passwords the next time you enter them.

There are counter measures but they are awkward and most people don't use them. I use Encrypt Stick on a USB memory stick. If I am using a public PC I can engage a scrambled keyboard to enter my password -- every mouse click on an on-screen keyboard (internally encrypted) scrambles the key layout for the next click. Slow and annoying but 100% defeats key-loggers. However, if someone has a camera looking over my shoulder I can still lose.
Penforhire is offline   Reply With Quote
Old 04-18-2013, 06:39 PM   #32
Katsunami
Wizard
Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.
 
Katsunami's Avatar
 
Posts: 3,275
Karma: 14868287
Join Date: Mar 2008
Location: Netherlands
Device: Kindle Paperwhite
Quote:
Originally Posted by Penforhire View Post
If someone physically gets hold of your laptop (or other PC) it is generally still game-over for us. They can, for example, install a key-logger and learn your Keepass and Dropbox passwords the next time you enter them.
Yes, they can, but they will need to first remove the Admin password from UAC to be able to do so. It can be done, but:

- The thief would need to steal the notebook (or get in front of it at least).
- Have the luck that I forgot to pull out the USB-stick with the key file.
- Remove the password, install the keylogger.
- Do all of it without me not knowing.
- Hope that I'll activate Keepass before I ever need the Admin password.

It can be done, but it's unlikely. The chance of somebody getting a hold of the database, the keyfile AND the password all at once is small. If something happens which makes me not to trust my system, I would at once install a known clean image.
Katsunami is offline   Reply With Quote
Old 04-19-2013, 06:49 AM   #33
JoeD
Guru
JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.JoeD ought to be getting tired of karma fortunes by now.
 
Posts: 883
Karma: 4235574
Join Date: Nov 2007
Device: Hanlin v3, iPad, Kindle 4NT
Quote:
Originally Posted by Penforhire View Post
If someone physically gets hold of your laptop (or other PC) it is generally still game-over for us. They can, for example, install a key-logger and learn your Keepass and Dropbox passwords the next time you enter them.

There are counter measures but they are awkward and most people don't use them. I use Encrypt Stick on a USB memory stick. If I am using a public PC I can engage a scrambled keyboard to enter my password -- every mouse click on an on-screen keyboard (internally encrypted) scrambles the key layout for the next click. Slow and annoying but 100% defeats key-loggers. However, if someone has a camera looking over my shoulder I can still lose.
Key loggers have been known to also screenshot desktops for this reason. That's been happening since web login forms for DOB changed from plain text entry boxes to drop down combo boxes sometimes with randomised orders (although that's fallen out of usage for the most part now). The loggers adapted and logged mouse click locations and later took screen grabs due to randomisation.

Nothing is foolproof though.

Everyone has to weigh up the convenience they want against the security they lose. However, anyone who is storing passwords in the clear on either a mobile or their computer should switch to a password safe _today_. Because you will lose nothing in convenience and gain much in security. For those using password safes, it's just a matter of how much security you want, you're going to lose some convenience the tighter you make things.

Again, not fool proof, hacks/trojans/keyloggers could compromise the lot. But then you can go one step further as I have, only use a password safe on an old piece of hardware which is never(almost never) used online and has networking disabled. Old mobile (smart) phones are ideal for this but old laptops work too if portability isn't a concern. The phones also double for running authentication tokens like google authenticator.

There's a security trade off with the offline safe though, a backup is needed so at some point you have to enable the network and copy the DB somewhere else. However that window of opportunity is tiny and with trojans/keyloggers the biggest fear unlikely to ever be an issue. Where you backup the DB is again another possible security trade off, but as long as the pass safe is a good one it matters a little less where you store this, even if it's on your main computer that gets hacked the DB should remain secure as you'll never need to open it on that computer. I wouldn't feel comfortable storing the DB backup in the cloud as others are, but again, it's a convenience/security trade off and really the DB should be safe if the encryption was suitably implemented.

There's even more secure steps you can take at the expense of convenience, but for me this is good enough.

BTW Katsunami: You may already be aware of this, but there's an option in the windows version of keepass 2 to require UAC be used for master password entry. This will block many key loggers from been able to grab your password as you enter it. The only thing it won't stop is a heavily rooted system, but then little can.

Last edited by JoeD; 04-19-2013 at 07:22 AM.
JoeD is offline   Reply With Quote
Old 04-23-2013, 08:24 AM   #34
Loosheesh
Wizard
Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.Loosheesh ought to be getting tired of karma fortunes by now.
 
Loosheesh's Avatar
 
Posts: 1,235
Karma: 1774918
Join Date: Dec 2010
Location: Americas
Device: KindlePW + iPad3 + SGP5 + ClipZip
Thanks again for all the great suggestions and things to think (and be anxious ) about. I've been using LastPass and it's working out very well so far, so extra thanks to those of you who recommended it.
Loosheesh is offline   Reply With Quote
Old 04-23-2013, 10:13 AM   #35
Katsunami
Wizard
Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.Katsunami ought to be getting tired of karma fortunes by now.
 
Katsunami's Avatar
 
Posts: 3,275
Karma: 14868287
Join Date: Mar 2008
Location: Netherlands
Device: Kindle Paperwhite
Quote:
Originally Posted by JoeD View Post
BTW Katsunami: You may already be aware of this, but there's an option in the windows version of keepass 2 to require UAC be used for master password entry. This will block many key loggers from been able to grab your password as you enter it. The only thing it won't stop is a heavily rooted system, but then little can.
Yes, I'm aware of this and I do use it. Thanks for mentioning it, because maybe others didn't know of this
Katsunami is offline   Reply With Quote
Old 04-26-2013, 03:06 AM   #36
kyteflyer
Wizard
kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.kyteflyer ought to be getting tired of karma fortunes by now.
 
kyteflyer's Avatar
 
Posts: 1,047
Karma: 1826526
Join Date: Jul 2009
Location: Newcastle, Australia
Device: iPhone, iPad3, PRS-650, Kobo Glo,, iPad Mini and a couple of Androids
I just never adapted to 1Password. I have copies of it for iOS and my Mac, and never use them, choosing instead to use "Wallet" by Acrylic Software. Like 1Password it can and does have its database store in my dropbox folder, so is accessible wherever I need it.

I'm innately suspicious of storing passwords on a third party site, or in the browser.
kyteflyer is offline   Reply With Quote
Old 04-26-2013, 11:24 AM   #37
SusanM
Bemused by possibilities
SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.SusanM ought to be getting tired of karma fortunes by now.
 
SusanM's Avatar
 
Posts: 58
Karma: 480244
Join Date: Jul 2012
Device: iPad3, Kobo
Quote:
Originally Posted by JoeD View Post
Key loggers have been known to also screenshot desktops for this reason. That's been happening since web login forms for DOB changed from plain text entry boxes to drop down combo boxes sometimes with randomised orders (although that's fallen out of usage for the most part now). The loggers adapted and logged mouse click locations and later took screen grabs due to randomisation.

Nothing is foolproof though.

Everyone has to weigh up the convenience they want against the security they lose. However, anyone who is storing passwords in the clear on either a mobile or their computer should switch to a password safe _today_. Because you will lose nothing in convenience and gain much in security. For those using password safes, it's just a matter of how much security you want, you're going to lose some convenience the tighter you make things.

Again, not fool proof, hacks/trojans/keyloggers could compromise the lot. But then you can go one step further as I have, only use a password safe on an old piece of hardware which is never(almost never) used online and has networking disabled. Old mobile (smart) phones are ideal for this but old laptops work too if portability isn't a concern. The phones also double for running authentication tokens like google authenticator.

There's a security trade off with the offline safe though, a backup is needed so at some point you have to enable the network and copy the DB somewhere else. However that window of opportunity is tiny and with trojans/keyloggers the biggest fear unlikely to ever be an issue. Where you backup the DB is again another possible security trade off, but as long as the pass safe is a good one it matters a little less where you store this, even if it's on your main computer that gets hacked the DB should remain secure as you'll never need to open it on that computer. I wouldn't feel comfortable storing the DB backup in the cloud as others are, but again, it's a convenience/security trade off and really the DB should be safe if the encryption was suitably implemented.

There's even more secure steps you can take at the expense of convenience, but for me this is good enough.

BTW Katsunami: You may already be aware of this, but there's an option in the windows version of keepass 2 to require UAC be used for master password entry. This will block many key loggers from been able to grab your password as you enter it. The only thing it won't stop is a heavily rooted system, but then little can.
I just read about malware that is circulating in which a screenshot is taken of a hotel guest's registration which is apparently hitting quite a few hotels. Scary as they have all your information all in one shot including credit card, address, phone number, etc.
SusanM is offline   Reply With Quote
Old 04-26-2013, 07:34 PM   #38
linereader
Junior Member
linereader will become famous soon enoughlinereader will become famous soon enoughlinereader will become famous soon enoughlinereader will become famous soon enoughlinereader will become famous soon enoughlinereader will become famous soon enough
 
Posts: 7
Karma: 510
Join Date: Oct 2011
Device: none
KeePass http://www.keepass.info
I have yet to see anything as good as this, and the remarkable thing is it's free.

I can take it with me everywhere, and there are compatible KeePass programs (made by third-parties) that can open KeePass databases on phones (see the site for links), so you're never without your passwords. I still use version 1.x of KeePass for the PC since nearly all third-party KeePass programs are compatible with version 1 KeePass databases.

The phrase 'must-have' is used too loosely these days, but for me this is what defines it.

Too many features to list, some which only became evident with long-term use. I cannot live without it. And your passwords are not stored on some third-party server 'managing them' for you.
linereader is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
can anyone recommend a good medical dictionary BeccaPrice General Discussions 9 02-03-2013 11:21 AM
Password Manager for Kindle mobigloo Amazon Kindle 3 07-18-2011 09:36 PM


All times are GMT -4. The time now is 11:58 AM.


MobileRead.com is a privately owned, operated and funded community.