I don't know where else to ask, so I will try in this topic..
What about this?
There are passwords saved in a plain notepad .txt file, and this file is in a truecrypt container. Mounted only when needed (but mostly during the entire day), dismounted for the night or when I'm away from the PC for a long time (even when I leave for the shop for 15 minutes). The truecrypt password is very long. Mounting it only on my own PC. Surfing the web with a sober mind (no crack/unknown/any other dangerous sites), but using Skype + ICQ + the meebo site...
My theory is, it is safe unless someone uses a keylogger on my PC, or somebody hacks it from the outer online World (I don't know how likely this is, but it is not impossible), or somebody sneaks into my room while I'm away.
If I lose the data when dismounted, it should be nearly impossible to open it, I think (guess)...
Do you think this is safe enough or just too weak protection?
I back up that container (only a few MB large) each night when I dismount it. The purpose of this step is that I can recover day-old data if something strange or unpredictable happens to the container (like once happened to me - the container on a USB stick got corrupted, I noticed it just 1-2 weeks after this, it was EATING up my data for such a long time period!!!! In those notepads there were squares instead of ABCDE text.. and I lost some passwords which were very hard to recover (calling CS and they thought I'm insane). I keep that backup simply in My Documents with dates attached to the filename, + once or twice a month I copy all backups to the USB stick (which is protected by a different very long password), but this part is not entirely OK yet, so I thought I will copy it to my external HDD. Still not very safe, because if somebody blows up an EMP bomb in my area, I will lose everything, my entire life's work, and can jump under a train... So I thought about it and I keep one safe USB stick at my grandma's place ) I could upload one copy of the container to an email account located in the USA for example too, but.. who knows how smart PCs they have over there, maybe they would crack that long password. I don't want to type how long, but it's nearly the longest possible pass offered by truecrypt )
Wow you know your stuff.. Good call on keeping a USB stick at your grandma's place in case of an EMP attack
I think it's great you got your head around Truecrypt, but even so I think you'd be better having the passwords stored in a proper password db like Keepass, mainly because those kinds of applications are focused on security whereas apps like notepad aren't.
So one example - if the worst happened and a keylogger was installed then it's plausible you could be compromised if you edit the password file in notepad and the keylogger picks it up, whereas with something like Keepass you never actually have to enter the password string by typing the actual characters, you can use the random password generator to create the password string and then to enter the username/password you just hit 'ctrl-alt-a' and I *think* keyloggers don't pick up strings transmitted that way (but I might be wrong!).
Another example might be malware that searches memory to look for password strings etc - I think Keepass is protected to some degree from that kind of thing but again honestly not 100% sure. Both of these examples involve you being compromised in the first place anyway, but if they do happen then at least you're safer.
Another thing that comes to mind is that obviously plain text passwords kept in a plain text file are human readable by, say, someone shoulder surfing (whereas in Keepass passwords by default are 'starred' out and you have to hit a button to display the actual password strings, which you wouldn't do if you had someone standing behind you!). I know it's probably not a big issue if you only ever use it at home, but it's still something.
But really the main thing is you don't have a lot to lose by using Keepass. It's not that hard to set up Keepass (especially if you managed to get your head around mounting Truecrypt drives! ) and it's dedicated to the purpose of managing passwords securely anyway, that's its main reason for being. You also get the option to have Keepass passwords expire after a certain amount of time, which prompts you to update the passwords regularly as well, which adds an extra level of security.
If you ever did want your passwords in plain text there's an option to export the passwords to a text file I think in Keepass. You can also probably import accounts into Keepass as well by using a plugin if you want to speed that up.
yea, my pass is generated from random chars, from abc and ABC and 123 and !@#
but I don't trust anyone in the offline World that much to give them a password
I guess she/he would just lose it or trash it after some time, and if I would say "it's question of life and death" they would be very curious what function it has and so on...
So I rather rely on my own mind :/
It's quite easy to memorize when I use it every single day, but.. when I won't use it for month for example
Well, I made a song from my password so I just need to memorize the rhythm and the characters show up themselves almost
But that book idea is awesome! Very good protection against brute force attack, just the name of the book MUST BE secret, so no one can use this tactic - like brute force the book or something. Well even if so, it would take a very long time, as there are almost 10^dozens options how to make that password...
If password security is of utmost importance to you another idea is to keep a dedicated cheapo laptop (with the appropriate encryption on the filesystem itself + any other security features you want to add) that you store your passwords on. And simply airgap that laptop, i.e. never EVER connect it to the Internet or any other network. No need to worry about keyloggers etc then.
You still need to cover the physical aspect of course, i.e. make sure no-one steals it or attaches something like one of these:
Hardware Keylogger - KeeLog
Yes, but if I have a keylogger on the machine which is connected to the Internet and on which I enter the password when I log in, then it's bad too...
I was thinking about that idea like you said Fella, but it would be too hard to airgap such random generated passwords
But it's the best password protection indeed (as not connected to the Internet...)
Does anybody know how to do the below? I have tried but when creating a new e-mail address Gmail won't accept +. Is the answer that you don't create anything but when you register at said bookies you enter your e-mail address as email@example.com and the correspondence gets sent to firstname.lastname@example.org.
In short the account email@example.com does not exist except on the bookies system.
If you don't have your own domain, Gmail does have a useful feature that allows you to create multiple email aliases from a single gmail address. If your gmail account is firstname.lastname@example.org, Gmail allows you to create aliases using '+' as a separator - so for example all of the following:
will be delivered to the same Gmail inbox for 'email@example.com'. Using this you can create unique email addresses for all the different accounts you have. (The only drawback with this method is that quite often online sites don't allow '+' in the email field - they should do since it is an allowed character in an email address, but some sites don't.)
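As an added illustration (not code from the thread), the Python below contrasts the over-strict sign-up validator many sites use, which rejects a legal '+', with an RFC 5322 dot-atom check that accepts it, and adds a normaliser that maps a plus-alias back to the inbox it is actually delivered to, which is what a site operator needs if they want to notice one inbox registering under many aliases. The list of plus-addressing domains and all sample addresses are assumptions constructed for the example.

```python
import re

# RFC 5322 "atext": characters permitted in an unquoted local part. Note '+' is included.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")

# The kind of over-strict pattern the post complains about: no '+' in the local part.
NAIVE_EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def naive_site_validator(address):
    """Rejects 'user+tag@gmail.com' even though it is a valid, deliverable address."""
    return NAIVE_EMAIL_RE.fullmatch(address) is not None

def is_valid_local_part(local):
    """Dot-atom check: one or more non-empty runs of atext separated by single dots."""
    if not local or local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return all(ch in ATEXT or ch == "." for ch in local)

# Domains assumed to treat '+suffix' as an alias of the part before the '+'.
PLUS_ADDRESSING_DOMAINS = ("gmail.com", "googlemail.com")

def canonical_inbox(address, plus_domains=PLUS_ADDRESSING_DOMAINS):
    """Return the inbox an address is delivered to.

    For plus-addressing domains, 'user+bookies@gmail.com' -> 'user@gmail.com'.
    Other domains are returned unchanged (the '+' may be a real, distinct mailbox).
    Raises ValueError when the local part fails the dot-atom check.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not domain or not is_valid_local_part(local):
        raise ValueError(f"invalid address: {address!r}")
    domain = domain.lower()
    if domain in plus_domains:
        local = local.split("+", 1)[0]
    return f"{local}@{domain}"

def group_by_inbox(addresses):
    """Group registration addresses by delivering inbox, exposing alias fan-out."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_inbox(addr), []).append(addr)
    return groups

# Constructed sample sign-ups: three aliases of one Gmail inbox plus one unrelated address.
SAMPLE_SIGNUPS = [
    "firstname.lastname+bookies@gmail.com",
    "firstname.lastname+forum@gmail.com",
    "firstname.lastname@gmail.com",
    "someone+tag@example.org",
]
```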
Great thread this, glad to hear there are other paranoid people out there!
I was going to suggest writing a phrase to help you remember the passwords and not the actual password ever but you got there already (the book idea). Only you know what the key to the encryption is in that case. There is no way anyone else can know as it is in your head.....However as soon as you type it then you could be in trouble. I bet a lot of people use laptops connected via wireless to the internet. That is going to be a weak link in the chain even if you are secured via top encryption.
The other one is what about people logging on to sites via their mobile phones....surely that is asking for trouble, you have no idea of the encryption that is being used. I've not done it but I've got a friend who says when you enter your password (because it is a numbered keypad) it displays the text characters as you have to scroll through to get the letter you need, much like writing a text......
I'm off to reformat drives and eat anything that has a suggestion on what a password might be!! ;o)
Either that or get keepass.....