Old 16th July 2018, 12:41   #16
Senior - BHPian
Join Date: Dec 2008
Location: Bangalore
Posts: 3,530
Thanked: 5,474 Times
Re: My new Dijori to keep my passwords safe and handy

Quote:
Originally Posted by TheLizardKing
Like another user has suggested, please try LastPass.
Quote:
Originally Posted by narayans80
Have been using Lastpass for 4 years now, it serves the purpose well.
From what I see, Lastpass is a closed-source product. In these sorts of use-cases, I prefer open source applications. Therefore my recommendation (the product I have been using for many years now) is Password Safe - https://pwsafe.org. It has Windows, Linux and Android clients, doesn't have a server-based system so you are free to sync across devices as per your preference (I use Dropbox) and best of all in my opinion - avoids the clipboard, which is a source of leaks, on Android at least, while maintaining ease of use. It also has Bruce Schneier's name associated with it.

Quote:
Originally Posted by typlo
I'm asking you to consider the possibility of Twitter/Facebook having a breach and your passwords being used on other websites that have the same one.
If Twitter/Facebook are storing passwords in plaintext or in a reversible format and it becomes known because of such a breach, they will have a serious loss of credibility - business-threatening, in my view. I am nearly certain they are not doing this.

Quote:
Originally Posted by typlo
Device - Can store limited passwords using an un-known encryption method.
Device - Is standalone, not connected to any form of communication protocol.
Devices can also use tested and proven encryption algorithms. The choice of using which one is on the developer.

Quote:
Originally Posted by typlo
App - Can have 3 layers of security. First - the phone passcode lock which can be alpha-numeric which is quite difficult to brute force as multiple entries can be blocked, Second - the app master password which can be alpha-numeric too and third as two-factor auth using another device.
Have you considered the situation where your phone is stolen and its storage medium is attached to another device whose alpha-numeric passcode lock is nonexistent or is known to the attacker? Plus the two-factor part with another device brings in a device in your app use-case too.

Quote:
Originally Posted by typlo
App - If stolen, data can be wiped off remotely immediately rendering the stolen device useless.
This is also hit-and-miss. This remote wiping requires the service to be able to contact your device. If the attacker removes the SIM, then your mobile network is out of the question. If the attacker doesn't connect it to any Wifi, then that channel is blocked too.

Quote:
Originally Posted by typlo
Do note, that the FBI had to spend well over USD 1m to get an iPhone unlocked for them from a third-party and that too, those vulnerabilities were patched in the following OS updates and that is just the phone OS, the security level of the app is another major roadblock.
One view which I think is more or less spot-on is that the reason FBI went through the court process is to have a precedent set. When it became apparent that they are probably going to set one that is detrimental to their interests they backed out and went the $1 million route.

I mentioned Password Safe. Here are a few other things I do:

1. I have two mobile numbers in different phones (long story from the non-MNP, non-single rate days). And I deal with two banks. I have different numbers at the two banks and have their netbanking app installed on opposite phones. This way even if I lose one phone the OTP comes to the other.

2. Both my phones are full-disk encrypted (incl. SD cards). This eliminates the "storage attached to another device" problem. In Android, this is done via Settings > Security > Privacy > Encryption. My laptop is also full-disk encrypted through Bitlocker.

3. I use the Password Safe app to generate secure passwords. The master password is 4 lines of a popular song. I have interspersed two lines from the Hindi version with two from the Malayalam version (took a bit of practice to hum it that way). Salil Chowdhury did both, so the tune is the same. :-)
binand is offline  
Old 16th July 2018, 15:59   #17
BHPian
Join Date: Dec 2012
Location: Chennai
Posts: 596
Thanked: 724 Times

Guys, I have been using Safe in cloud for the last one year. Went for the good reviews. What's your opinion?
rajivr1612 is offline  
Old 16th July 2018, 17:11   #18
Distinguished - BHPian
Join Date: Oct 2008
Location: Pune
Posts: 3,231
Thanked: 5,740 Times
Re: My new Dijori to keep my passwords safe and handy

I've used (and still use) several password managers including Lastpass, Dashlane, Roboform, Keeper, Password Boss, Sticky Password and Bitwarden.

My favs are LP, Keeper, Bitwarden & Roboform. Most frequently used? LastPass.

If someone needs an open source PM consider Bitwarden. It's really well made and extremely reasonably priced @ $10/year.

As for buying a separate password device, well, thanks but no thanks. All the above PMs have iOS and Android apps that make it portable. Plus iPhones and most Androids have their file systems encrypted so it is doubly safe.
R2D2 is offline  
Old 17th July 2018, 10:07   #19
BHPian
Join Date: Nov 2007
Location: New Delhi
Posts: 322
Thanked: 215 Times
Re: My new Dijori to keep my passwords safe and handy

I have been in the same boat for years now; the number of online accounts kept on increasing and hence the number of passwords became more and more difficult to remember (how much I miss the old days of keeping those phone diaries with all the important numbers jotted down with ball point pens and memorising a whole lot in mind itself; these cellphones took away that good habit and left us crippled).

So I prepared an Excel sheet (simplest solution) and started jotting all the passwords there (total over 225 passwords now), also made it password protected (now where should I write that password?) and stored it in my laptop.

Now as for hardware password wallets, I have heard an equal number of horror stories as most of them are not managed by any credible company/group and are sold randomly online by individuals, so you never know what malware/phishing software it's preinstalled with. Yes, you may factory reset it, but what if it's written in its ROM? Also carrying an extra device is again a big hassle, not to mention the paranoia of losing it/getting it stolen.

You may argue that the laptop can also be hacked and the Excel password is child's play to crack (it's way too long and complicated though), yet I would say, in this cyber era, anything which is online is not safe and can be cracked, including your most secure banks. So all you can do is just be a li'l careful, smart and just hope you never encounter anyone smarter.
Turbo Head is offline  
Old 17th July 2018, 11:24   #20
Senior - BHPian
Join Date: Aug 2010
Location: Madras
Posts: 3,094
Thanked: 4,488 Times
Re: My new Dijori to keep my passwords safe and handy

Quote:
Originally Posted by binand
From what I see, Lastpass is a closed-source product. In these sort of use-cases, I prefer open source applications.
Is there any reason for a password manager being open source? Honestly, I haven't given it a thought from that angle, hence the question.

Quote:
Originally Posted by R2D2
My favs are LP, Keeper, Bitwarden & Roboform. Most frequently used? LastPass.
A question for you, how do you migrate passwords from one provider to other?
narayans80 is offline  
Old 17th July 2018, 12:35   #21
Senior - BHPian
Join Date: Dec 2008
Location: Bangalore
Posts: 3,530
Thanked: 5,474 Times

Quote:
Originally Posted by narayans80
Is there any reason for password manager being open source?
You can be sure that someone, somewhere has checked that the software is not doing any shenanigans on the side, like uploading your passwords to a remote site or leaving them in plaintext form in the clipboard etc. You can do this part yourself if you wish to do so.

In general, if it is not open source you can never be certain whether the software is doing what you want it to do or something else altogether.

Quote:
Originally Posted by narayans80
A question for you, how do you migrate passwords from one provider to other?
I like the idea. Split the passwords into 2 applications. No need to migrate; just remember that bank 1 netbanking password is in app 1 and bank 2's is in app 2.

Quote:
Originally Posted by Turbo Head
You may argue that the laptop can also be hacked and the Excel password is child's play to crack
Don't worry about this. Excel (Office 2007 and later, actually) uses AES-128 to encrypt documents. Your worry should be about keystroke loggers and memory scrapers.

Last edited by Rudra Sen : 17th July 2018 at 12:41. Reason: back to back posts merged.
binand is offline  
Old 17th July 2018, 13:48   #22
Distinguished - BHPian
Join Date: Oct 2008
Location: Pune
Posts: 3,231
Thanked: 5,740 Times
Re: My new Dijori to keep my passwords safe and handy

Quote:
Originally Posted by narayans80
Is there any reason for password manager being open source? Honestly, I haven't given a thought in that angle, hence the question.
Open source enables code reviews by other experts who can point out any defects/bugs and check code conformance to security standards.

However, all is not hunky dory in the world of open source. In theory, that very open source nature could become its Achilles heel allowing hackers to inject back-doors into the code. Keep in mind those hackers could be Govt or non Govt.

Which one do I prefer? Open/closed source doesn't matter too much to me but the functionality, security and encryption features on offer do.

Quote:
A question for you, how do you migrate passwords from one provider to other?
All PMs can export data to a CSV or HTML format. The new PM can import that data. You may need to review the imported data to iron out any data anomalies. But that should be the exception not the rule.
R2D2 is offline  
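R2D2's answer on migrating between managers (export to CSV, import into the new one, then review the imported data for anomalies) is easy to get wrong when there are a few hundred rows. The script below is an added example, not code from any password manager or from this thread; it assumes a generic export with the columns name, url, username, password, notes (the column names are an assumption, not any product's actual format) and uses only the Python standard library. It trims whitespace, adds a scheme to bare hostnames, drops exact duplicates, and flags empty or short passwords before the file is imported. The sample export is constructed for the demo.

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample export. The column names are an assumed generic layout,
# not the format of any particular password manager.
SAMPLE_EXPORT = """name,url,username,password,notes
Bank 1,https://netbanking.example-bank1.test,alice,Tr0ub4dor&3-Longer!,
Bank 1,https://netbanking.example-bank1.test,alice,Tr0ub4dor&3-Longer!,duplicate row
Forum,teambhp.example.test/login,alice ,,"empty password"
Mail,https://mail.example.test,alice@example.test,correct horse battery staple,
Shop,https://shop.example.test,alice,password123,weak one
"""

FIELDS = ["name", "url", "username", "password", "notes"]


def normalise_row(row):
    """Trim whitespace in every cell and prefix https:// on scheme-less URLs,
    so the importing manager matches the entry to the right site."""
    cleaned = {k.strip(): (v or "").strip() for k, v in row.items()}
    url = cleaned.get("url", "")
    if url and not urlparse(url).scheme:
        cleaned["url"] = "https://" + url
    return cleaned


def review_export(csv_text):
    """Return (clean_rows, warnings).

    Duplicates (same host + username) are dropped; everything else is kept but
    flagged so the user can fix it before importing into the new manager."""
    reader = csv.DictReader(io.StringIO(csv_text))
    clean, warnings, seen = [], [], set()
    for n, raw in enumerate(reader, start=2):  # line 1 of the file is the header
        row = normalise_row(raw)
        key = (urlparse(row["url"]).netloc.lower(), row["username"].lower())
        if key in seen:
            warnings.append(f"line {n}: duplicate entry for {key[1]}@{key[0]}, dropped")
            continue
        seen.add(key)
        if not row["password"]:
            warnings.append(f"line {n}: empty password for {row['name']}")
        elif len(row["password"]) < 12:
            warnings.append(f"line {n}: short password for {row['name']}")
        if (raw.get("username") or "") != row["username"]:
            warnings.append(f"line {n}: trimmed whitespace in username for {row['name']}")
        clean.append(row)
    return clean, warnings


def to_csv(rows):
    """Serialise the reviewed rows back to CSV for the new manager's importer."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows, warnings = review_export(SAMPLE_EXPORT)
    for w in warnings:
        print("WARNING:", w)
    print(to_csv(rows))
```

Run it on the real export instead of SAMPLE_EXPORT and act on the warnings before importing; remember that the intermediate CSV is plaintext, so delete it (and empty the trash) once the new manager has it.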
Old 17th July 2018, 20:03   #23
BHPian
Join Date: Nov 2017
Location: CityOfDeadLakes
Posts: 90
Thanked: 276 Times
Re: My new Dijori to keep my passwords safe and handy

Wow, this thread started with the comparison of password manager devices and took an amazing turn to include password manager software/services too. Looks like we have left no stone unturned in this discussion.

Call me a Timex watch in this digital age, but I'll still select a dumb physical device without any connectivity over the Password Managers on cloud. Having the possession of the device with my sensitive information (encrypted or in plain text) is a big relief for me. If someone wants to hack into my device to get my secrets, they will have to plan well to get the physical access of the device without me noticing it. In case they get the access, they will have to hack into the electronic circuit/chips to get data out of it.

For Cloud Password Managers here are few more reports in addition to the Apple and Twitter reports I shared earlier.
Quote:
Originally Posted by PetaWatt


Truth has been spoken by typlo
Quote:
Originally Posted by typlo
Not to bash anyone, just letting the truth out there. The world is built on compromises. Just the way you sacrifice fuel efficiency for performance, you sacrifice privacy for convenience.
PetaWatt is offline  
Old 17th July 2018, 20:24   #24
BHPian
Join Date: Jul 2016
Location: Delhi/Mysore
Posts: 120
Thanked: 243 Times
Re: My new Dijori to keep my passwords safe and handy

Haha. I would also like to mention another truth. All it takes for all your passwords and bank details to leak out is a $5 wrench.
typlo is offline  
Old 17th July 2018, 20:57   #25
Senior - BHPian
Join Date: Dec 2008
Location: Bangalore
Posts: 3,530
Thanked: 5,474 Times
Re: My new Dijori to keep my passwords safe and handy

Came across this:

[Attached image: My new Dijori to keep my passwords safe and handy-dbnxaciqxba11.jpg]

Less chance of a failure than this Dijori.
binand is offline  
Old 18th July 2018, 10:06   #26
BHPian
Join Date: Aug 2009
Location: Bangalore
Posts: 70
Thanked: 45 Times
Re: My new Dijori to keep my passwords safe and handy

What a fantastic thread, thanks PetaWatt for such informative stuff. Was wondering all these days how to safeguard passwords and found a number of ways on this thread.

While this thread took the turn into a debate of hardware vs. app based password storage, a few things come to mind. Ideally any software based mechanism, if using a high standard of encryption like SHA256, is extremely difficult to break. It needs an enormous amount of computing resources which is not viable if you don't know the person and his net worth.

But having said this, there are many easy routes available to get soft passwords. As someone has already pointed out, tracking keystrokes is the easiest way to get the password. Many times when you are logged in as admin on any system, clicking malicious links may silently install programs which keep snooping keystrokes, revealing your password.

Another way is if someone gets hold of your phone or email, and knows your personal details like address, DoB, mother's maiden name etc., they can easily reset your password. I believe users on team-bhp don't need this education but my father lost 3K from his bank account due to fraud calls. The caller told him he's from the bank and needs details like Aadhar to keep the account active. Later he asked for the OTP as well, which he revealed to the fraudster. The fraudster reset his password and gained access to the account; fortunately there was only 3K in his account which he lost. While we take care of all our passwords, somewhere we need to educate parents and those who don't know such details.

On storing passwords, I'm more inclined towards a physical and dumb device which has basic encryption than a sophisticated software based connected mechanism. Even in the worst case, if I lose the device, the probability of it landing with a person having the ability to open and reconnect/solder it to a system to run a program and gain access to the info is close to ZERO. While anything online and connected is available to all the highly professional hackers who can get it through various means of hacking. Though for convenience, an app based solution works great as you don't have the hassle of carrying one more device. Though I like the dumb device, currently I'm using an app to store passwords. passwdsafe open source is what I'm using currently with DropBox to store the encrypted file.

Regards
SE
speed_edge is offline  
Old 18th July 2018, 12:29   #27
Senior - BHPian
Join Date: Dec 2008
Location: Bangalore
Posts: 3,530
Thanked: 5,474 Times
Re: My new Dijori to keep my passwords safe and handy

Quote:
Originally Posted by speed_edge
Ideally any software based mechanism if using high standard of encryption like SHA256 is extremely difficult to break.

Many times when you logged in as admin on any system, clicking malicious links may silently install programs...

Another way is if someone get hold of your phone or email, and know your personal details like address, DoB, Mothers maiden name etc, can easily reset your password.

On storing passwords, I'm more inclined towards physical and dumb device which has basic encryption then sophisticated software based connected mechanism.
The threat you are facing is not bruteforcing ("breaking") of an encryption algorithm like AES-256 - that is simply not possible/quite unlikely with today's state-of-the-art. Your threats are (a) key leakage, (b) side channel attacks, and (c) social engineering. For (c) you simply need to be prepared; for (a) & (b) choosing well-known, well-understood, well-analysed and well-audited software will help. This is where open source scores.

As a matter of fact one of the benefits of using software over hardware is that the software ones run on extremely powerful devices (PCs and modern mobile phones) whereas the hardware ones often run on very low-spec ones (you can't have an i5 in a Rs. 999 device). Therefore the amount of crypto they can do is several orders of magnitude lower, hence such implementations probably use only low-grade encryption.

Social engineering is a problem that is outside of this discussion. Not even the best encryption and security standards can survive a well-executed social engineering attack.

You'd be surprised at the number of people who can solder and run program etc. There is an underground app for practically everything. Your average electrician is well-familiar with soldering irons (heck, I am comfortable with them). PCs are so cheap nowadays. That "close to ZERO" is a big misconception.
binand is offline  
Old 23rd July 2018, 12:15   #28
BHPian
Join Date: May 2017
Location: Mumbai
Posts: 135
Thanked: 735 Times
Re: My new Dijori to keep my passwords safe and handy

Classic case of 'quis custodiet ipsos custodes' (who will watch the watchman)?

Much better to behave like a spymaster, and follow these tips.
VivOverland is offline  
Old 7th September 2018, 08:25   #29
BHPian
Join Date: Dec 2006
Location: Delhi
Posts: 196
Thanked: 0 Times
Which Password management Tool do you use?

I tried searching across the forum but didn't find a thread so thought of setting up a new thread for this, please merge with an existing thread if I missed it.

With the growing number of online accounts for social, email, investments, insurance etc. etc. managing the passwords and keeping them complex enough is challenging so I am looking for a good password management tool to use.

Features
  1. Should have a vault for storing the passwords in an encrypted form.
  2. Should be easy to use and have plugins for popular browsers to auto fill, since many sites don't allow using copy/paste for the password and it becomes difficult to type in a 26 character random password in one go.
  3. Should support MFA
  4. Should work across multiple devices
  5. Work on both Apple and Android

Concern: What if the password management tool itself gets hacked? What kind of protection can we use e.g. MFA or any others so it doesn't become like all your eggs in a single basket kind of story?

Thanks all, looking forward to hearing your experience, feedback, suggestions and recommendations to make the right choice.
Shankyz is offline  
Old 7th September 2018, 08:29   #30
Senior - BHPian
Join Date: Sep 2015
Location: Manipal / Udupi
Posts: 1,629
Thanked: 4,858 Times
Re: Which Password management Tool do you use?

I use a password protected Excel file, stored in the cloud. Probably the most unsafe way to do it, but hey, I have nothing that important anyway. With Excel there are no issues with auto fill (just see and type) and it's compatible with both Windows and Android OSes.
samaspire is offline  
Copyright ©2000 - 2024, Team-BHP.com