Silk Road forums

Discussion => Security => Topic started by: hee57 on January 28, 2013, 11:41 pm

Title: What is the best password container software?
Post by: hee57 on January 28, 2013, 11:41 pm
Hey, I tried searching to see if this topic had been posted earlier but I couldn't find anything.
I've always been pretty good about remembering all my passwords but as of late I've had to make quite a bit and keeping track of them all while using different ones has become quite irritating. I was curious to know if anyone uses an application to keep track of all their passwords for their different accounts. If so, what software do you use and why do you recommend it?
Thanks.
Title: Re: What is the best password container software?
Post by: talawtam on January 28, 2013, 11:54 pm
I have my passwords in a text file, in a truecrypt file container on a truecrypt hidden partition on a usb stick and backed up in multiple safe locations. Can't go wrong really.
Title: Re: What is the best password container software?
Post by: SelfSovereignty on January 29, 2013, 12:16 am
If you're really cautious, sure thing, that'd probably work just fine... personally I think a PGP encrypted text file would be good enough, but I guess that depends on how hard you expect somebody to be trying.
Title: Re: What is the best password container software?
Post by: FramedAgain2222 on January 29, 2013, 03:24 am
I keep mine in Password Safe, whose file is in the hidden partition of a TrueCrypt container.

We use Password Safe at my work too.
Title: Re: What is the best password container software?
Post by: kesser on January 29, 2013, 09:25 am
I don't see any reason why you need to go much further than just having your passwords PGP encrypted in a text file. Even then I still do not write down the entire password; I still only have them abbreviated in order to jog my knowledge in case I do forget them.
Title: Re: What is the best password container software?
Post by: impkin on January 29, 2013, 12:31 pm
Figaro's Password Manager 2
Title: Re: What is the best password container software?
Post by: Hungry ghost on January 29, 2013, 04:47 pm
I've just started using KeePass 2 after seeing it mentioned in a thread here. It's open source which (I hope) means that someone qualified can examine source code and ensure there's no security back doors etc. It's free, and it lets you keep all your passwords in an AES 256-bit encrypted database or several databases, secured with a pass phrase and/or key file.
I'm not sure if this offers anything more than just storing them in a PGP encrypted text file.
It just has a more user-friendly interface, you can use it to generate extremely strong random character and symbol passwords which you just copy paste into the appropriate place. Password databases created by this software can also be used with MiniKeePass, an iPhone app, although no doubt this is a huge security faux pas.
Obviously these solutions are better than trying to keep track of all different passwords. I used to have all mine in a GPG encrypted text file, but I forgot I had done this and deleted the key to make a stronger one!
My more recent system has been to use a simple, always the same password for things I don't really care about, and then individual more complicated ones for stuff I want to be secure. I then write down clues to these that (hopefully) will remind me but not help anyone else. For instance: I might use the phrase "You can tell by the way I use my walk I'm a woman's man no time to talk" to create password:YcNtLlBytHwYsMyWlKmWmNsMnNtMtTlk. I would then write down SR: Brothers Grimm. The idea is that I then can reconstruct the password by thinking BG>Staying alive> just consonants alternating upper lower case.
However often I'd find myself staring at the clue thinking "Brothers Grimm? What the fuck?!"
Obviously a new solution was needed. I hope this KeePass is it. Obviously, you need to make your master password something secure, because if you reveal that, you're fucked.
*the system above is not exactly what I used but you get the idea.

My silk road password and all pass phrases pertaining to Truecrypt GPG etc, however I just commit to memory. It's worth the effort. Once you have got them sunk in they are there for good.
Title: Re: What is the best password container software?
Post by: Hungry ghost on January 29, 2013, 04:57 pm
Another way is to have a book and for each password specify a page number; you then generate a password from the characters on that page using a system only you know. That way you can just write SR 135 and as long as no one knows the book you're ok.
It's important not just to use sentences or sequences of letters as these are more susceptible to dictionary or brute force attacks.
I'm not at all an expert and I'd appreciate some expert critiques of these ideas. I'm planning to go through all my passwords and replace them with randomly generated strong ones from KeePass; but then I need to ensure my master password is extremely secure.
It's the basic problem: either weak passwords that are easy to remember, or strong passwords that you then have to write down somewhere!
Title: Re: What is the best password container software?
Post by: Hungry ghost on January 29, 2013, 05:21 pm
Another thing which has just occurred to me: if you have all your strong random character passwords stored in an encrypted container, which you open and copy paste to the password box: How secure is your clipboard?! My phone for instance has the useful feature of saving clipboard history. This is great if you have to fill a lot of forms with the same info; but if you are using the clipboard to transfer passwords, all your passwords will be sitting there for any attacker to take. I doubt the clipboard history is encrypted.
Title: Re: What is the best password container software?
Post by: Hungry ghost on January 29, 2013, 05:36 pm
Aah I notice that both KeePass and MiniKeePass clear the clipboard after a user defined number of seconds. So that's one less thing to worry about!
Title: Re: What is the best password container software?
Post by: SelfSovereignty on January 29, 2013, 05:40 pm
I'm not sure if you still can, but at one point any website was able to request the contents of your clipboard and get it without the user ever being notified by their browser.  Just came to mind -- point is, deleting it may not be good enough.

This was... well, quite a few years ago.  I should hope the major browsers decided that was a very bad thing to be giving out, but I never bothered checking on it again.
Title: Re: What is the best password container software?
Post by: impkin on January 29, 2013, 11:02 pm
Quote
Another way is to have a book and for each password specify a page number; you then generate a password from the characters on that page using a system only you know. That way you can just write SR 135 and as long as no one knows the book you're ok.
It's important not just to use sentences or sequences of letters as these are more susceptible to dictionary or brute force attacks.

Great idea. My problem is that I always think, yeah, of course I'll remember that - but then 3 months later I'm wondering what the hell I was thinking. This technique is brilliant.
Title: Re: What is the best password container software?
Post by: raynardine on January 29, 2013, 11:09 pm
Quote
I've just started using KeePass 2 after seeing it mentioned in a thread here.

Yay!

KeePass 2 is really awesome, and I'm glad it helps you!

Everyone here should use it, really.
Title: Re: What is the best password container software?
Post by: raynardine on January 29, 2013, 11:19 pm
Quote
Aah I notice that both KeePass and MiniKeePass clear the clipboard after a user defined number of seconds. So that's one less thing to worry about!

I would eventually buy an Android phone and root it.

Even if it is illegal to root your phone, I would do it anyway.

In the USA, unlocking one's phone is not the same thing as rooting it.

Though both things are exercises of one's digital freedom, IMHO, unlocking refers to removing the carrier-specific bonds from your phone, while rooting means taking superuser (administrator) control over your phone.

I would not trust an iphone as far as I could throw the damned thing.
Title: Re: What is the best password container software?
Post by: Banjo on January 30, 2013, 01:00 am
When you copy/paste anything, you open yourself up to a couple problems. When you copy/paste something, it's stored temporarily in RAM. RAM is cleared when the device loses power for more than five minutes (DDR3 is less than that). Unfortunately, a couple things can happen that will result in your password being saved to your hard disk without your knowledge or input.

1.) Systems will periodically write the contents of RAM to disk to make room for other things without losing the data.
2.) Some systems (notably Windows 8) will save a lot of your current session to hard disk so that the system can resume very quickly, even if the device has been powered off.

When either of these things happens, your password will be written to your hard disk, which makes it much more difficult to securely remove from your system. You can go a long way to preventing this by doing the following:

Encrypt your entire hard drive with TrueCrypt. Don't simply use a password for this. Use a combination of a password, and then store an additional key file on a flash drive or some other removable media. I have a small USB drive that fits on my keychain, so it's with me at all times, and I don't lose it. You won't be able to decrypt your system without both of them, so make sure you have a backup of the USB drive somewhere as well. This also prevents a keylogger from being able to break your encryption, because even if your password is logged, it's only half of what's needed to decrypt the drive.

I'd completely steer away from using any password storage software on any phone or tablet. I wouldn't even use Tor on my phone.
Title: Re: What is the best password container software?
Post by: Hungry ghost on January 30, 2013, 07:39 am
Quote
Aah I notice that both KeePass and MiniKeePass clear the clipboard after a user defined number of seconds. So that's one less thing to worry about!

I would eventually buy an Android phone and root it.

Even if it is illegal to root your phone, I would do it anyway.

In the USA, unlocking one's phone is not the same thing as rooting it.

Though both things are exercises of one's digital freedom, IMHO, unlocking refers to removing the carrier-specific bonds from your phone, while rooting means taking superuser (administrator) control over your phone.

I would not trust an iphone as far as I could throw the damned thing.

My iPhone is jailbroken and I have changed the root password, also disabled OTA updates. I'm fairly familiar with its file system. Probably will be going over to android though next time!
As I say, my SR passwords and login I trust only to memory.
I think the creators of KeePass are aware of the copy paste problems which is why they have it clear clipboard so quickly. When you say windows writes ram to HD is this the page file? Or something else? I think I'd be wary of using copy paste anyway.
I had my whole system encrypted with Truecrypt, but then I decided to just have portable Truecrypt on a USB Stick with all my SR stuff in a hidden volume. That way there is nothing on my computer at all. I guess I was thinking that having my computer encrypted was in itself suspicious. I think this was naive! Now I think about it more, I guess if I get to the stage where LE are looking at my computer they would be suspicious already!
The other problem is I leave my computer switched on a lot. Is there some way to configure Truecrypt so it would ask for authentication if my computer wasn't used for a few minutes or something?
Title: Re: What is the best password container software?
Post by: Hungry ghost on January 30, 2013, 07:48 am
Sorry raynardine I'm answering multiple posters there not just you!

Another problem is that in my country you can be legally compelled to reveal passwords. So if I was to encrypt my whole system I'd have to be doing the whole hidden OS bit. This seemed to involve multiple reinstalls of windows and seemed a bit daunting at the time.
Title: Re: What is the best password container software?
Post by: Banjo on January 30, 2013, 04:20 pm
Quote
Aah I notice that both KeePass and MiniKeePass clear the clipboard after a user defined number of seconds. So that's one less thing to worry about!

I would eventually buy an Android phone and root it.

Even if it is illegal to root your phone, I would do it anyway.

In the USA, unlocking one's phone is not the same thing as rooting it.

Though both things are exercises of one's digital freedom, IMHO, unlocking refers to removing the carrier-specific bonds from your phone, while rooting means taking superuser (administrator) control over your phone.

I would not trust an iphone as far as I could throw the damned thing.
My iPhone is jailbroken and I have changed the root password, also disabled OTA updates. I'm fairly familiar with its file system. Probably will be going over to android though next time!
As I say, my SR passwords and login I trust only to memory.
I think the creators of KeePass are aware of the copy paste problems which is why they have it clear clipboard so quickly. When you say windows writes ram to HD is this the page file? Or something else? I think I'd be wary of using copy paste anyway.
I had my whole system encrypted with Truecrypt, but then I decided to just have portable Truecrypt on a USB Stick with all my SR stuff in a hidden volume. That way there is nothing on my computer at all. I guess I was thinking that having my computer encrypted was in itself suspicious. I think this was naive! Now I think about it more, I guess if I get to the stage where LE are looking at my computer they would be suspicious already!
The other problem is I leave my computer switched on a lot. Is there some way to configure Truecrypt so it would ask for authentication if my computer wasn't used for a few minutes or something?

I figure having your entire system encrypted isn't that suspicious. But I guess it would depend on who you are and where you live. I'm a consultant to several different companies, so I've got a lot of sensitive information on my work laptop and desktop (neither of which would I ever use with Tor/SR). So, both of those are completely encrypted in case they were lost or stolen. Then I have my personal desktop, which is also encrypted, but since my other computers are encrypted, I don't think it would raise any red flags.

Quote
When you say windows writes ram to HD is this the page file?
Yes. Although Windows 8, and I think some newer versions of OS X, go a step further, and write much of the state of your system to disk when they shut down so that they can boot back up faster, and you can resume what you were working on without reopening everything. I don't know whether or not the contents of your clipboard are written to disk in such cases, but it would be worth checking out. I honestly don't think the copy/paste issue is really big enough to spend a lot of time worrying about it. If people are recovering passwords that you simply copy/pasted, then at that point you likely have bigger problems to worry about anyway. I just pointed them out so people would be aware of them.

You're also right about it being a pain in the ass to use a hidden OS with truecrypt. The thing with security is that it's almost always opposed to convenience. You can have one or the other, and so it's up to each person to strike a balance between the two that works for them.
Title: Re: What is the best password container software?
Post by: Jediknight on January 30, 2013, 05:52 pm
I'll store your passwords for you.
Title: Re: What is the best password container software?
Post by: wasta on January 30, 2013, 10:34 pm
Quote
Hey, I tried searching to see if this topic had been posted earlier but I couldn't find anything.
I've always been pretty good about remembering all my passwords but as of late I've had to make quite a bit and keeping track of them all while using different ones has become quite irritating. I was curious to know if anyone uses an application to keep track of all their passwords for their different accounts. If so, what software do you use and why do you recommend it?
Thanks.

You can take the first 5 letters from the site and combine the letters with capital letters and signs.
A good password does not have to be difficult, only long!
So the first 5 (or 3) letters have to be followed by, for instance, 15 dots.
The password of this site will be:

DkN255...............

The dots you count in three times five dots.
You will never have the same password twice, each password is 20 digits long, and no dictionary list will hack your password.

Just an example
Which password do you think is safer:
D0g...............
or
Po(9*&?.>lLkUhgTb

Answer: the first password is safer, because it is longer.
The second password looks more difficult to crack, but is not.
It is just harder to remember than the first password.

LastPass is a good option if you know how to use it.
For LastPass users, look or search for .csv extension from LastPass.
Lastpass.csv and see every password you have ever used.

Great for someone who has lost or forgot a password.
99% chance you will find your lost password there.

So go for my first option and keep them all in your head.
You only have to remember the 15 or 20 dots.
You take just the first 3 or last 3 letters of the site where you have to log in.
Always use a capital letter as the first letter of your password.

I used to use LastPass, but found out that the lastpass.csv file with all my passwords kept coming back.

Again, the longer your password is the better.

In this time and age the 3 times 5 dots method is safe enough.
But when the quantum computers are combined like in B.O.I.N.C then the computing power will increase dramatically.
Like computers are combined in projects as SETI@home etc.
Time will tell if my method was safe enough.
Experts recommend at least 22 digits to be safe as a password.
You will have to use phrases, because there ain't that many words of 22 digits/letters.
And it is not smart to use one password for multiple sites.
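
Added example (not part of any post in this thread): a short Python estimate of the two passwords compared in the post above, first as if every character were independent, then under the assumption that the "short prefix plus one repeated punctuation character" scheme is known, alongside a CSPRNG generator of the kind the KeePass posts describe. The scheme model and the pad limit of 32 are assumptions made for this illustration.

```python
import math
import secrets
import string

# Character pools used to size the alphabet an exhaustive search must cover.
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)
ALPHABET = "".join(POOLS)  # 94 printable ASCII characters


def alphabet_size(password):
    """Sum the sizes of every pool the password draws at least one char from."""
    return sum(len(pool) for pool in POOLS
               if any(ch in pool for ch in password))


def blind_search_bits(password):
    """log2 of the search space if every character is treated as independent."""
    return len(password) * math.log2(alphabet_size(password))


def padded_scheme_bits(prefix_len, max_pad_len):
    """log2 of the search space when the scheme itself is known (assumed
    model): a short prefix, then one punctuation character repeated
    1..max_pad_len times. Only the prefix, the pad character and the pad
    length remain unknown."""
    prefix = prefix_len * math.log2(len(ALPHABET))
    pad_char = math.log2(len(string.punctuation))
    pad_len = math.log2(max_pad_len)
    return prefix + pad_char + pad_len


def random_password(length):
    """Uniform random password from the OS CSPRNG; here the per-character
    entropy really is log2(len(ALPHABET))."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compare():
    padded = "D0g" + "." * 15        # first example from the post (18 chars)
    mixed = "Po(9*&?.>lLkUhgTb"      # second example from the post (17 chars)
    return {
        "padded_blind": blind_search_bits(padded),
        "mixed_blind": blind_search_bits(mixed),
        "padded_scheme_known": padded_scheme_bits(3, 32),
        "random_20": 20 * math.log2(len(ALPHABET)),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:20s} {bits:6.1f} bits")
    print("generated:", random_password(20))
```

The length-only figure favours the padded password by one character, but the estimate changes sharply once the padding rule is treated as known, which is why the strength of a scheme should be judged as if the scheme were public.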