Old 04-26-2013, 11:24 AM   #37
SusanM
Bemused by possibilities
Posts: 58
Karma: 480244
Join Date: Jul 2012
Device: iPad3, Kobo
Quote:
Originally Posted by JoeD
Key loggers have been known to also screenshot desktops for this reason. That's been happening since web login forms for DOB changed from plain text entry boxes to drop down combo boxes sometimes with randomised orders (although that's fallen out of usage for the most part now). The loggers adapted and logged mouse click locations and later took screen grabs due to randomisation.

Nothing is foolproof though.

Everyone has to weigh up the convenience they want against the security they lose. However, anyone who is storing passwords in the clear on either a mobile or their computer should switch to a password safe _today_, because you will lose nothing in convenience and gain much in security. For those using password safes, it's just a matter of how much security you want; you're going to lose some convenience the tighter you make things.

Again, not foolproof, hacks/trojans/keyloggers could compromise the lot. But then you can go one step further, as I have, and only use a password safe on an old piece of hardware which is never (almost never) used online and has networking disabled. Old mobile (smart) phones are ideal for this, but old laptops work too if portability isn't a concern. The phones also double for running authentication tokens like Google Authenticator.

There's a security trade-off with the offline safe though: a backup is needed, so at some point you have to enable the network and copy the DB somewhere else. However, that window of opportunity is tiny, and with trojans/keyloggers being the biggest fear, it is unlikely to ever be an issue. Where you back up the DB is again another possible security trade-off, but as long as the pass safe is a good one it matters a little less where you store this; even if it's on your main computer and that gets hacked, the DB should remain secure, as you'll never need to open it on that computer. I wouldn't feel comfortable storing the DB backup in the cloud as others are, but again, it's a convenience/security trade-off, and really the DB should be safe if the encryption was suitably implemented.

There are even more secure steps you can take at the expense of convenience, but for me this is good enough.

BTW Katsunami: You may already be aware of this, but there's an option in the Windows version of KeePass 2 to require UAC be used for master password entry. This will block many key loggers from being able to grab your password as you enter it. The only thing it won't stop is a heavily rooted system, but then little can.
I just read about malware that is circulating in which a screenshot is taken of a hotel guest's registration, which is apparently hitting quite a few hotels. Scary, as they have all your information in one shot, including credit card, address, phone number, etc.