Old 04-18-2013, 06:31 PM   #31
Penforhire
If someone physically gets hold of your laptop (or other PC) it is generally still game-over for us. They can, for example, install a key-logger and learn your KeePass and Dropbox passwords the next time you enter them.

There are countermeasures but they are awkward and most people don't use them. I use Encrypt Stick on a USB memory stick. If I am using a public PC I can engage a scrambled keyboard to enter my password -- every mouse click on an on-screen keyboard (internally encrypted) scrambles the key layout for the next click. Slow and annoying but 100% defeats key-loggers. However, if someone has a camera looking over my shoulder I can still lose.
Old 04-18-2013, 06:39 PM   #32
Katsunami
Quote:
Originally Posted by Penforhire View Post
If someone physically gets hold of your laptop (or other PC) it is generally still game-over for us. They can, for example, install a key-logger and learn your KeePass and Dropbox passwords the next time you enter them.
Yes, they can, but they will need to first remove the Admin password from UAC to be able to do so. It can be done, but:

- The thief would need to steal the notebook (or get in front of it at least).
- Have the luck that I forgot to pull out the USB-stick with the key file.
- Remove the password, install the keylogger.
- Do all of it without me knowing.
- Hope that I'll activate KeePass before I ever need the Admin password.

It can be done, but it's unlikely. The chance of somebody getting a hold of the database, the keyfile AND the password all at once is small. If something happens which makes me not trust my system, I would at once install a known clean image.
Old 04-19-2013, 06:49 AM   #33
JoeD
Quote:
Originally Posted by Penforhire View Post
If someone physically gets hold of your laptop (or other PC) it is generally still game-over for us. They can, for example, install a key-logger and learn your KeePass and Dropbox passwords the next time you enter them.

There are countermeasures but they are awkward and most people don't use them. I use Encrypt Stick on a USB memory stick. If I am using a public PC I can engage a scrambled keyboard to enter my password -- every mouse click on an on-screen keyboard (internally encrypted) scrambles the key layout for the next click. Slow and annoying but 100% defeats key-loggers. However, if someone has a camera looking over my shoulder I can still lose.
Key loggers have been known to also screenshot desktops for this reason. That's been happening since web login forms for DOB changed from plain text entry boxes to drop down combo boxes sometimes with randomised orders (although that's fallen out of usage for the most part now). The loggers adapted and logged mouse click locations and later took screen grabs due to randomisation.

Nothing is foolproof though.

Everyone has to weigh up the convenience they want against the security they lose. However, anyone who is storing passwords in the clear on either a mobile or their computer should switch to a password safe _today_. Because you will lose nothing in convenience and gain much in security. For those using password safes, it's just a matter of how much security you want, you're going to lose some convenience the tighter you make things.

Again, not foolproof, hacks/trojans/keyloggers could compromise the lot. But then you can go one step further as I have, only use a password safe on an old piece of hardware which is never (almost never) used online and has networking disabled. Old mobile (smart) phones are ideal for this but old laptops work too if portability isn't a concern. The phones also double for running authentication tokens like Google Authenticator.

There's a security trade-off with the offline safe though, a backup is needed so at some point you have to enable the network and copy the DB somewhere else. However that window of opportunity is tiny and with trojans/keyloggers the biggest fear unlikely to ever be an issue. Where you back up the DB is again another possible security trade-off, but as long as the pass safe is a good one it matters a little less where you store this, even if it's on your main computer that gets hacked the DB should remain secure as you'll never need to open it on that computer. I wouldn't feel comfortable storing the DB backup in the cloud as others are, but again, it's a convenience/security trade-off and really the DB should be safe if the encryption was suitably implemented.

There are even more secure steps you can take at the expense of convenience, but for me this is good enough.

BTW Katsunami: You may already be aware of this, but there's an option in the Windows version of KeePass 2 to require UAC be used for master password entry. This will block many key loggers from being able to grab your password as you enter it. The only thing it won't stop is a heavily rooted system, but then little can.

Last edited by JoeD; 04-19-2013 at 07:22 AM.
Old 04-23-2013, 08:24 AM   #34
Loosheesh
Thanks again for all the great suggestions and things to think (and be anxious) about. I've been using LastPass and it's working out very well so far, so extra thanks to those of you who recommended it.
Old 04-23-2013, 10:13 AM   #35
Katsunami
Quote:
Originally Posted by JoeD View Post
BTW Katsunami: You may already be aware of this, but there's an option in the Windows version of KeePass 2 to require UAC be used for master password entry. This will block many key loggers from being able to grab your password as you enter it. The only thing it won't stop is a heavily rooted system, but then little can.
Yes, I'm aware of this and I do use it. Thanks for mentioning it, because maybe others didn't know of this.
Old 04-26-2013, 03:06 AM   #36
kyteflyer
I just never adapted to 1Password. I have copies of it for iOS and my Mac, and never use them, choosing instead to use "Wallet" by Acrylic Software. Like 1Password it can and does have its database stored in my Dropbox folder, so is accessible wherever I need it.

I'm innately suspicious of storing passwords on a third party site, or in the browser.
Old 04-26-2013, 11:24 AM   #37
SusanM
Quote:
Originally Posted by JoeD View Post
Key loggers have been known to also screenshot desktops for this reason. That's been happening since web login forms for DOB changed from plain text entry boxes to drop down combo boxes sometimes with randomised orders (although that's fallen out of usage for the most part now). The loggers adapted and logged mouse click locations and later took screen grabs due to randomisation.

Nothing is foolproof though.

Everyone has to weigh up the convenience they want against the security they lose. However, anyone who is storing passwords in the clear on either a mobile or their computer should switch to a password safe _today_. Because you will lose nothing in convenience and gain much in security. For those using password safes, it's just a matter of how much security you want, you're going to lose some convenience the tighter you make things.

Again, not foolproof, hacks/trojans/keyloggers could compromise the lot. But then you can go one step further as I have, only use a password safe on an old piece of hardware which is never (almost never) used online and has networking disabled. Old mobile (smart) phones are ideal for this but old laptops work too if portability isn't a concern. The phones also double for running authentication tokens like Google Authenticator.

There's a security trade-off with the offline safe though, a backup is needed so at some point you have to enable the network and copy the DB somewhere else. However that window of opportunity is tiny and with trojans/keyloggers the biggest fear unlikely to ever be an issue. Where you back up the DB is again another possible security trade-off, but as long as the pass safe is a good one it matters a little less where you store this, even if it's on your main computer that gets hacked the DB should remain secure as you'll never need to open it on that computer. I wouldn't feel comfortable storing the DB backup in the cloud as others are, but again, it's a convenience/security trade-off and really the DB should be safe if the encryption was suitably implemented.

There are even more secure steps you can take at the expense of convenience, but for me this is good enough.

BTW Katsunami: You may already be aware of this, but there's an option in the Windows version of KeePass 2 to require UAC be used for master password entry. This will block many key loggers from being able to grab your password as you enter it. The only thing it won't stop is a heavily rooted system, but then little can.
I just read about malware that is circulating in which a screenshot is taken of a hotel guest's registration which is apparently hitting quite a few hotels. Scary as they have all your information all in one shot including credit card, address, phone number, etc.
Old 04-26-2013, 07:34 PM   #38
linereader
KeePass http://www.keepass.info
I have yet to see anything as good as this, and the remarkable thing is it's free.

I can take it with me everywhere, and there are compatible KeePass programs (made by third-parties) that can open KeePass databases on phones (see the site for links), so you're never without your passwords. I still use version 1.x of KeePass for the PC since nearly all third-party KeePass programs are compatible with version 1 KeePass databases.

The phrase 'must-have' is used too loosely these days, but for me this is what defines it.

Too many features to list, some of which only became evident with long-term use. I cannot live without it. And your passwords are not stored on some third-party server 'managing them' for you.