Password list security

mikeymikec

Lifer
May 19, 2011
18,628
11,342
136
I'm mulling over whether I should change my current password storage system.

At the moment I just have a collection of unencrypted files on my computer containing passwords on my home + business computer (self-employed). My only concern is that it's apparently becoming more common for break-ins to occur specifically for password lists (paper or electronic).

My system at the moment would require the person to know the names and location of the files (the main one has an uninformative file name, and is not stored in an obvious place).

I'm not happy with the idea of using password-storage-software because it's an extreme question of trust with the developers (in terms of both competence and honesty) and also the existence of such a piece of software on a victim's computer is a really obvious indicator of where the desired information is.

I'm considering using a TrueCrypt container as I have a fair bit of experience with TrueCrypt already and I'm pretty sure I can handle it without causing a catastrophic mistake resulting in me no longer having a record of the passwords I feel the need to keep a record of. I also like that TC doesn't keep a record of recently opened files. However, I haven't used TrueCrypt in this capacity before (ie. I want to quickly access a file then disconnect when I'm done, as leaving TC open and connected to the container and generally hibernating Windows would be A Bad Thing (tm). Any suggestions?

I have a Windows password set, FWIW.
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
If you don't mind storing an encrypted container in the cloud, Lastpass is by far the most versatile and secure password management system available.
https://lastpass.com/

You save your passwords in a database locally, encrypt it locally, and a copy of the encrypted database is sent off to Lastpass so you can retrieve it whenever you want. The big bonus is that it will sync passwords across all your devices.

If you want to keep everything locally, then KeePass is a nice alternative:
http://keepass.info/

I use Lastpass.
 

balloonshark

Diamond Member
Jun 5, 2008
6,584
3,063
136
I use keepass because it stores everything locally like smakme mentioned.

I won't use lastpass because of the cloud storage and their headquarters are located just outside of D.C. in the US. That might concern you if you keep up with the news.
 

Savatar

Senior member
Apr 21, 2009
230
1
76
I also like that TC doesn't keep a record of recently opened files.

While TrueCrypt can be set to not remember history of which volumes were mounted, most applications maintain a recent history list of their own for files they handle. So if you open word documents from the TrueCrypt container, for example, they will still show up in Word's recent history. So TrueCrypt doesn't really offer great 'recent history' protection... as file paths and names and so on are then recorded in an unencrypted manner on other parts of the system. You can complement this with something like CCleaner to remove recent history from several applications, which helps, but also is not a perfect solution. Just something to keep in mind.

TrueCrypt brings some interesting concepts to storing passwords because it could allow you to hide accounts on the hidden volume, so if someone forced you to get the password list, you could use the outer container instead (which would contain shell accounts). You can even still use an offline KeePass archive in addition to that (inside the containers).

For storing passwords, you might want to consider a combination of storage locally on your PC (or the cloud - though I would avoid that b/c it only increases the attack vector) and from a secondary source (offline document or something memorized). In this manner, even if the credential store is compromised, the attacker still might not be able to use the password to log on (since it only contains part of the data needed).
 

mikeymikec

Lifer
May 19, 2011
18,628
11,342
136
While TrueCrypt can be set to not remember history of which volumes were mounted, most applications maintain a recent history list of their own for files they handle. So if you open word documents from the TrueCrypt container, for example, they will still show up in Word's recent history. So TrueCrypt doesn't really offer great 'recent history' protection... as file paths and names and so on are then recorded in an unencrypted manner on other parts of the system. You can complement this with something like CCleaner to remove recent history from several applications, which helps, but also is not a perfect solution. Just something to keep in mind.

However, that would give away file names from inside the container (not the location of the container or anything else worth knowing). The only risk would be from temp files (if I used something more advanced than say Notepad).

TrueCrypt brings some interesting concepts to storing passwords because it could allow you to hide accounts on the hidden volume, so if someone forced you to get the password list, you could use the outer container instead (which would contain shell accounts). You can even still use an offline KeePass archive in addition to that (inside the containers).

That's something that intrigues me that I haven't yet looked into.
 

Savatar

Senior member
Apr 21, 2009
230
1
76
However, that would give away file names from inside the container (not the location of the container or anything else worth knowing). The only risk would be from temp files (if I used something more advanced than say Notepad).

That's something that intrigues me that I haven't yet looked into.

Most file names are actually very valuable and definitely worth knowing to an attacker or investigating entity, and it's worth knowing that it's mounted to a drive letter that doesn't exist on the system (hinting that the data is on an external drive like a USB stick or a TC volume). File names often give away the type of data, and a general description of the data... i.e. X:\Classified_Docs\2013\project_snoopy_presentation.pdf.

A social engineer or interrogator could then use this information to then inquire about "Project Snoopy". They deny knowing about it? Won't work now, because they have proof that an operator of the system should be familiar with it and can press harder. So it's not just the contents that are important.

However, file names often do actually give away their content too. Many questionable or otherwise shady files can be found by their original file name just by searching google. If you have the file name, in many cases, you may know exactly what was being viewed.
 

bononos

Diamond Member
Aug 21, 2011
3,911
172
106
.......
I'm not happy with the idea of using password-storage-software because it's an extreme question of trust with the developers (in terms of both competence and honesty) and also the existence of such a piece of software on a victim's computer is a really obvious indicator of where the desired information is.

I'm considering using a TrueCrypt container as I have a fair bit of experience with TrueCrypt already and I'm pretty sure I can handle it without causing a catastrophic mistake resulting in me no longer having a record of the passwords I feel the need to keep a record of. I also like that TC doesn't keep a record of recently opened files. However, I haven't used TrueCrypt in this capacity before (ie. I want to quickly access a file then disconnect when I'm done, as leaving TC open and connected to the container and generally hibernating Windows would be A Bad Thing (tm). Any suggestions?

I have a Windows password set, FWIW.

TC is great for encrypting whole volumes/partitions. If you just want something to keep your passwords secure lastpass/keepass is more ideal. Or something even simpler like locknote which is just one executable (no need to install). You will need to configure your antivirus/hips to allow locknote to overwrite itself since that behaviour is suspicious.
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
To be honest the best password management is easy password management. If you make it too difficult you will end up taking shortcuts. That's why password management software is so useful.

With regards to trusting the developer, why do you trust Truecrypt more than keepass or Lastpass?

No one has ever actually done a 100% analysis of the Truecrypt code. People just take it for granted that because it's "Open Source" (which it really isn't, as you cannot edit the code because it's copyrighted) that it's safe to use.

I don't trust Truecrypt any more than I would trust Lastpass or Keepass, but all of those products will give me 100% protection from 99% of adversaries.
 

mikeymikec

Lifer
May 19, 2011
18,628
11,342
136
I don't trust Truecrypt any more than I would trust Lastpass or Keepass, but all of those products will give me 100% protection from 99% of adversaries.

A standard commercial company structure has a vulnerability in the form of someone with sufficient authority being requested by an NSA-like organisation to insert a backdoor or vulnerability. The only ways that such a vulnerability would come to light would be if a researcher stumbles upon the vulnerability or an employee whistle-blows it.

With open source software the likelihood is somewhat higher that a developer would spot the problem, and the lack of central authority as well as the general interest in developing an honestly secure product gives me more confidence in it. Discussions regarding its development tend to be a matter of public record. NSA-like organisations don't like anything being a matter of public record either.

I'm not saying open source development is invulnerable to this method of compromise, but for example if someone inserted some compromising code, the rest of the development team are not inherently compromised as a result. In a small company, it's going to be a case of "like it or leave, and here's an NDA in either case".
 

lxskllr

No Lifer
Nov 30, 2004
57,986
8,223
126
I may have missed it, but there seems to be a misconception that KeePass is proprietary software. It's libre, and that's the reason I use it. I keep it backed up to my SpiderOak account so I can use it on the road.
 

mikeymikec

Lifer
May 19, 2011
18,628
11,342
136
I may have missed it, but there seems to be a misconception that KeePass is proprietary software. It's libre, and that's the reason I use it. I keep it backed up to my SpiderOak account so I can use it on the road.

Point taken. TBH, I hadn't checked.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,300
68
91
www.frostyhacks.blogspot.com
You're approaching this the wrong way, security through obscurity is always a really bad idea and is always weaker. For example it's always better to have a good cryptographic lock on an obvious file/password than to store that file/password in plaintext somewhere and simply hide where that place is, that's a really, REALLY bad idea.

Cryptography is secure when implemented properly and there's plenty of decent password storage solutions out there which are used and trusted by lots of people, some already mentioned in this thread.
 

alangrift

Senior member
May 21, 2013
434
0
0
If you don't mind storing an encrypted container in the cloud, Lastpass is by far the most versatile and secure password management system available.
https://lastpass.com/

You save your passwords in a database locally, encrypt it locally, and a copy of the encrypted database is sent off to Lastpass so you can retrieve it whenever you want. The big bonus is that it will sync passwords across all your devices.

If you want to keep everything locally, then KeePass is a nice alternative:
http://keepass.info/

I use Lastpass.

Lastpass had a leak this year didn't they?
 

Berliner

Senior member
Nov 10, 2013
495
2
0
www.kamerahelden.de
My system at the moment would require the person to know the names and location of the files (the main one has an uninformative file name, and is not stored in an obvious place).

No it really would not. Do you know that tools like grep and file-searching exist?

Go with TC, if you are already familiar with it.
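The reply above makes the point bluntly: an attacker who can read your files does not need to know which one holds the passwords, because a password list looks like a password list whatever it is called. The script below is an added example for this thread, not code from any participant. It walks a directory tree and flags files by content alone, using two signals: lines with credential keywords next to a separator, and lines that pair a separator with a token that has the entropy and character mix of a password rather than a word. The sample files, the thresholds and the keyword list are assumptions for the demo, built in a temporary directory so the block runs offline.

```python
"""
Content-based hunt for plaintext credential files.

Added example for this thread (not code posted by any participant).  It
shows why an "uninformative file name" in a non-obvious folder is no
defence: an attacker with read access greps every readable file for what a
password list looks like.  The sample tree is constructed inline.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Assumption: keywords a hand-written credential note tends to contain.
KEYWORD_RE = re.compile(
    r"\b(pass(word|wd|phrase)?|pwd|pin|login|user(name)?|secret)\b\s*[:=]", re.I)
SEPARATORS = ("/", ":", "|", "\t", ",")

# Constructed sample files: one obscurely named password list, one config with
# an explicit keyword, one harmless letter, one binary blob.
SAMPLE_FILES = {
    "notes/2009/q3_fig_3b.txt": "gmail / mikey.c / Tr0ub4dor&3\n"
                                "bank (natwest) / 12345678 / xK9!vq2#Lm\n"
                                "paypal / mikey@example.com / correct-horse-battery\n"
                                "anandtech / mikeymikec / Lif3r!2011-sux\n",
    "router/README": "Factory defaults.\nadmin password: changeme\n",
    "letters/aunt_may.txt": "Dear Aunt May,\nThanks for the socks, they are brilliant.\nLove, Mike\n",
    "cache/thumbs.bin": bytes(range(256)),
}


def shannon_entropy(s: str) -> float:
    """Bits per character of the token's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(token: str) -> bool:
    """Heuristic: reads like a password, not like a word, e-mail or URL."""
    token = token.strip(".,;:()[]{}<>\"'")
    if len(token) < 8 or "@" in token or "://" in token:
        return False
    if not any(ch.isdigit() or not ch.isalnum() for ch in token):
        return False  # plain words are not passwords
    return shannon_entropy(token) >= 3.0


def score_text(text: str) -> tuple[int, int]:
    """Return (lines with credential keywords, lines with separator + secret-looking token)."""
    keyword_lines = secret_lines = 0
    for line in text.splitlines():
        if KEYWORD_RE.search(line):
            keyword_lines += 1
        # a lone secret is ambiguous; a secret beside a separator is a record
        if any(sep in line for sep in SEPARATORS) and any(
                looks_like_secret(t) for t in line.split()):
            secret_lines += 1
    return keyword_lines, secret_lines


def is_text_file(path: str) -> bool:
    with open(path, "rb") as f:
        return b"\x00" not in f.read(1024)


def scan_for_credentials(root: str) -> dict[str, tuple[int, int]]:
    """Walk root and return {relative path: (keyword lines, secret lines)} for flagged files."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not is_text_file(path):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                kw, sec = score_text(f.read())
            if kw >= 1 or sec >= 3:  # assumption: demo thresholds
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = (kw, sec)
    return hits


def build_sample_tree(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as f:
            f.write(content)


def demo() -> dict[str, tuple[int, int]]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_for_credentials(root)


if __name__ == "__main__":
    for path, (kw, sec) in demo().items():
        print(f"{path}: {kw} keyword line(s), {sec} credential-looking line(s)")
```

Note that the obscurely named file is flagged without a single keyword in it: the record structure and the entropy of the third column are enough. Point `scan_for_credentials` at a real home directory and the same heuristics turn up notes files, browser exports and config files alike.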
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
Lastpass had a leak this year didn't they?
It depends on what you describe as a leak.

They had a network anomaly which was picked up by their IDS. They couldn't explain the activity so they urged users to change their passwords.

They could have kept it a secret like everyone else. Let's face it, nothing major has happened to any Lastpass customers that has been made public, so I guess this "Anomaly" turned out to be nothing.

They chose to go public and warn users. I'd bet things like this happen at least a few times a year to most other companies that just keep a lid on it.

Companies (even security companies) are not squeaky clean just because they have never had anything to report publicly. Most security breaches are reported by end users or hackers. It's very rare that a company comes out and lets people know before the cat is out of the bag.

I suppose the big question is if it's a cause for concern? It's a hard question to answer because if Lastpass just kept their mouth shut we would have never known.
 

mikeymikec

Lifer
May 19, 2011
18,628
11,342
136
You're approaching this the wrong way, security through obscurity is always a really bad idea and is always weaker. For example it's always better to have a good cryptographic lock on an obvious file/password than to store that file/password in plaintext somewhere and simply hide where that place is, that's a really, REALLY bad idea.

This isn't a discussion regarding "security through obscurity versus ... everything else". Security does not have to involve one or the other.
 

jimhsu

Senior member
Mar 22, 2009
705
0
76
Lastpass does all encryption locally (with the plugin, or with javascript -- I recommend the plugin to mitigate possibilities of javascript hijacking attacks). If your computer is slow enough, you can actually see the encryption take place upon form submit. This is a big deal as far as password security is concerned. If you're sufficiently paranoid, you actually don't even have to use their site, or connect to the internet for that matter; the portable utility works similarly to KeePass.

As far as copy and pasting -- are you sure you don't have a trojan that's monitoring copy/paste operations right now? Autofilling doesn't solve that problem, but it helps against the more obvious attacks. Have you checked with a network sniffer that your utility of choice isn't making connections to remote servers? How about any hardware keyloggers? Concealed microphones for acoustic emissions? You can go on and on, but only you can determine what level of paranoia is "suitable" for you.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,300
68
91
www.frostyhacks.blogspot.com
This isn't a discussion regarding "security through obscurity versus ... everything else". Security does not have to involve one or the other.

When someone is proposing, as a possible solution, to write down your passwords and simply store them somewhere obscure, then yes, actually it is a discussion about exactly that.

It's a general principle most professionals adhere to when considering security, not to rely on obscurity for security, that principle should be followed here as well.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
To be honest the best password management is easy password management. If you make it too difficult you will end up taking shortcuts. That's why password management software is so useful.

With regards to trusting the developer, why do you trust Truecrypt more than keepass or Lastpass?

No one has ever actually done a 100% analysis of the Truecrypt code. People just take it for granted that because it's "Open Source" (which it really isn't, as you cannot edit the code because it's copyrighted) that it's safe to use.

I don't trust Truecrypt any more than I would trust Lastpass or Keepass, but all of those products will give me 100% protection from 99% of adversaries.

While you are correct that you can't trust truecrypt just because it is open source, you are incorrect in stating you can't edit the code or make your own 'truecrypt' from the source.

Read the license yourself. http://www.truecrypt.org/legal/license It has a clause that allows you to take the code, edit it, and release it commercially or non-commercially.

I personally use lastpass. I find it convenient and secure enough for my needs.
 

lxskllr

No Lifer
Nov 30, 2004
57,986
8,223
126
While you are correct that you can't trust truecrypt just because it is open source, you are incorrect in stating you can't edit the code or make your own 'truecrypt' from the source.

Read the license yourself. http://www.truecrypt.org/legal/license It has a clause that allows you to take the code, edit it, and release it commercially or non-commercially.

I personally use lastpass. I find it convenient and secure enough for my needs.

The licensing is iffy. It's not a free license, and it's not OSI approved. That shouldn't stop an individual from playing with the code, but "institutions" should be careful with its use. That's why it isn't included with most GNU/Linux distros.

Here's a discussion regarding the license...

http://lists.freedesktop.org/archives/distributions/2008-October/000276.html
 

ggadrian

Senior member
May 23, 2013
270
0
76
I use 1Password, it's easy to use and I can have it on all my devices. I don't know how secure it is, but for me it seems reasonably secure and easy to use.
 

John Connor

Lifer
Nov 30, 2012
22,757
617
121
I never use a password safe, I use a Mozilla based add-on called PwdHash developed by a guy at Stanford.
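PwdHash is the one approach in this thread that stores nothing at all: each site's password is derived on the fly from the master secret and the site's domain, so there is no list to find, grep or decrypt. The block below is an added example for this thread, not the PwdHash add-on's own code. The published PwdHash scheme is built on HMAC-MD5 with its own output-shaping rules; this example substitutes HMAC-SHA256, a base64 alphabet and a simpler rule set for required character classes, and approximates the registrable domain by the last two host labels (an assumption that mis-handles suffixes such as co.uk). What it preserves is the property that matters: the same master typed at `www.example.com` and `login.example.com` yields the same site password, a different domain yields an unrelated one, and recovering the master from a leaked site password means brute-forcing the HMAC.

```python
"""
PwdHash-style per-site password derivation.

Added example for this thread, not the PwdHash add-on's code.  Assumptions:
HMAC-SHA256 in place of PwdHash's HMAC-MD5, a base64-derived alphabet, and a
two-label approximation of the registrable domain.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"


def canonical_domain(url: str) -> str:
    """Reduce a URL or bare host to an approximation of its registrable domain.

    Assumption: the last two host labels.  A real implementation needs a
    public-suffix list so that 'bank.co.uk' does not collapse to 'co.uk'.
    """
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(master: str, url: str, length: int = 12) -> str:
    """Derive a deterministic site password from the master secret and the domain."""
    domain = canonical_domain(url)
    # The master is the HMAC key, the domain the message: a leaked site password
    # does not reveal the master without brute-forcing the HMAC.
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    # base64 gives printable output; swap '/' and '+' for characters accepted by
    # more password forms, then cut to the requested length.
    text = base64.b64encode(digest).decode("ascii").rstrip("=")
    text = text.replace("/", "!").replace("+", "-")
    pw = list(text[:length])
    # Many sites demand a lower, an upper and a digit.  If the slice lacks one,
    # patch position i from the tail of the digest so the result stays
    # reproducible for the same (master, domain) pair.
    for i, (test, alphabet) in enumerate(((str.islower, LOWER),
                                          (str.isupper, UPPER),
                                          (str.isdigit, DIGITS))):
        if not any(test(ch) for ch in pw):
            pw[i] = alphabet[digest[-1 - i] % len(alphabet)]
    return "".join(pw)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo secret
    for site in ("https://www.example.com/login", "login.example.com",
                 "https://accounts.google.com/ServiceLogin", "https://example.org/"):
        print(f"{canonical_domain(site):>12}  {site_password(master, site)}")
```

The trade-off against a vault shows up the moment one site leaks: there is nothing to revoke except the inputs, so rotating that one password means changing the master (and therefore every derived password) or adding a per-site counter to the message, which this example does not do.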
 