password management... what (not) to do?

Opinions, ideas and thoughts about Gentoo. Anything and everything about Gentoo except support questions.
33 posts, page 1 of 2
nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Sat Dec 24, 2005 9:27 am

I'd like to brainstorm a bit for a solution to store my passwords in a safer way than a post-it.

Currently I have all my passwords stored on my Palm Vx, encrypted with a passworded Blowfish (edit: was IDEA) encryption. The problem with this setup is: if the PDA breaks/is lost/is stolen, I don't have my passwords anymore.
Here are some "constraints":
  • I work a lot on someone else's machine, and need my passwords there.
  • I'm a bit paranoid when it comes to security
  • I'd like a portable way to store them.
  • It should be free (preferably as in speech, but beer is also good), or at least cheap
Storing them in an encrypted text file on a USB device looks good. However, it has some problems:
  • If the computer I'm working on is infected with some malware, it can take a screenshot of my open password file, compromising everything
  • Even a regular keylogger + USB copier will have the same effect
So the idea of viewing passwords on a private, personal device looks a lot more secure: they'll literally have to watch over my shoulder, which is easier to notice!

On the other hand: it's a single point of failure: Palm breaks, passwords gone. AND it's not really portable.

Are there any other ideas?
Last edited by nielchiano on Sat Dec 24, 2005 10:45 am, edited 1 time in total.

omp
Retired Dev
Posts: 1018
Joined: Sat Sep 10, 2005 8:47 am
Location: Glendale, California

Post by omp » Sat Dec 24, 2005 9:43 am

I'd say keep using your Palm to store passwords and just occasionally print a copy of all the passwords and store them somewhere safe in your house. This way if the Palm breaks (or is stolen/lost), you will still have all the passwords.
meow.

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Sat Dec 24, 2005 9:47 am

omp wrote: I'd say keep using your Palm to store passwords and just occasionally print a copy of all the passwords and store them somewhere safe in your house. This way if the Palm breaks (or is stolen/lost), you will still have all the passwords.
Well, I do have my daily HotSync backups, so the PASSWORDS won't really be LOST, but my "viewer" will be.

badchien
Guru
Posts: 415
Joined: Mon Feb 16, 2004 8:45 am
Location: doghouse

Post by badchien » Sat Dec 24, 2005 10:02 am

nielchiano, I do/did the same thing as you for years... until my Palm Vx recently broke (cracked the screen). I am getting a new Palm TX for Christmas (tomorrow, yay!) and I am going to start storing my passwords in it. I think I have the same paranoia as you about my passwords and general security. I still believe an encrypted db of passwords on the Palm is probably the best solution available. I never made printed or unencrypted copies of my db, but I did keep my Palm backed up regularly, with my Palm data also stored on removable media.

What encrypted password database program do you use? I used to use a program called CryptInfo but I would like to find something different for my new Palm. Currently I'm looking at GNU Keyring but I would like to have something that encrypts key names as well.

badchien
Guru
Posts: 415
Joined: Mon Feb 16, 2004 8:45 am
Location: doghouse

Post by badchien » Sat Dec 24, 2005 10:06 am

One more thing about losing the "viewer"... I said my Palm Vx broke; well, since then I access my passwords using POSE. If you don't know about it, it is a Palm OS emulator. My passwords aren't portable anymore unless I take my laptop with me, but at least I haven't lost access to the passwords just because my Palm broke. This has worked fine in the time until I get a replacement Palm.

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Sat Dec 24, 2005 10:08 am

badchien wrote: I never made printed or unencrypted copies of my db, but I did keep my Palm backed up regularly, with my Palm data also stored on removable media.
Well, mine are stored on my network drive (of course, still encrypted) in my SOHO network. Not really the most secure way, but I do have backups of them.
badchien wrote: What encrypted password database program do you use? I used to use a program called CryptInfo but I would like to find something different for my new Palm. Currently I'm looking at GNU Keyring but I would like to have something that encrypts key names as well.
I use YAPS (http://www.msbsoftware.ch/yaps.html), because it was the only program that fitted my needs:
  • encrypts the data (duh...): only the name is in the clear
  • auto-locks when the Palm is turned off (either manually, or after xx minutes)
  • free (beer)
Last edited by nielchiano on Sat Dec 24, 2005 10:10 am, edited 1 time in total.

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Sat Dec 24, 2005 10:09 am

badchien wrote: I access my passwords using POSE
That's my backup plan too... but then I'll have to install Windows :-(

badchien
Guru
Posts: 415
Joined: Mon Feb 16, 2004 8:45 am
Location: doghouse

Post by badchien » Sat Dec 24, 2005 10:15 am

Huh? You don't need Windows to use POSE. I haven't run Windows in years. POSE works just fine on my Gentoo system. It's even in Portage. http://packages.gentoo.org/search/?sstring=pose

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Sat Dec 24, 2005 10:18 am

badchien wrote: Huh? You don't need Windows to use POSE. I haven't run Windows in years. POSE works just fine on my Gentoo system. It's even in Portage. http://packages.gentoo.org/search/?sstring=pose
Hmm... I get smarter every day...

I took a look at your programs. They all rely on 3DES. I don't know how IDEA compares to 3DES concerning "crackability".

allucid
Veteran
Posts: 1314
Joined: Sat Nov 02, 2002 6:27 pm
Location: atlanta

Post by allucid » Sat Dec 24, 2005 10:36 am

Both IDEA and 3DES are considered safe. There are faster algorithms available, though.
help support OpenSSH

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Sat Dec 24, 2005 10:39 am

allucid wrote:There are faster algorithms available, though.
Like which ones?

badchien
Guru
Posts: 415
Joined: Mon Feb 16, 2004 8:45 am
Location: doghouse

Post by badchien » Sat Dec 24, 2005 10:39 am

Yes, I was reading about YAPS too. It sounds from the website that it uses Blowfish with a 256-bit key but they don't mention IDEA. 3DES may be aging but in practice it should still be reasonably secure. I think it would take the resources of some government or huge corporation to have a chance at breaking it. If they want my passwords it would be easier to torture me or something ;)

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Sat Dec 24, 2005 10:43 am

badchien wrote: it uses Blowfish with a 256-bit key but they don't mention IDEA.
You're right... I was confused.
badchien wrote: If they want my passwords it would be easier to torture me or something ;)
As always... the human factor is the weakest link ;-)

allucid
Veteran
Posts: 1314
Joined: Sat Nov 02, 2002 6:27 pm
Location: atlanta

Post by allucid » Sat Dec 24, 2005 4:38 pm

nielchiano wrote:
allucid wrote:There are faster algorithms available, though.
Like which ones?
AES and Blowfish are both pretty fast.
help support OpenSSH

gurke
Apprentice
Posts: 260
Joined: Thu Jul 10, 2003 4:40 pm

Post by gurke » Mon Dec 26, 2005 10:33 am

"It's the mind."

Can't crack, can lose (but not so likely).

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Mon Dec 26, 2005 10:37 am

gurke wrote: "It's the mind."

Can't crack, can lose (but not so likely).
But can forget!

Lokheed
Veteran
Posts: 1295
Joined: Mon Jul 12, 2004 8:38 pm
Location: /usr/src/linux

Post by Lokheed » Mon Dec 26, 2005 10:43 am

Have 3 that vary in complexity level. Use them for:

"don't care if anyone hacks or gets into"

"would be inconvenient if someone broke it but not life threatening"

"this is the end of my world as I know it"

Now you have to manage merely three. In your brain build up a vivid image of what level should be used for what purposes. Sit down and make some mnemonics to better recall the passwords. The safest place is in your head and with practice, you can recall enormous amounts of information (though it works better on numbers). Studies have shown that with practice, people can recall strings of hundreds of numbers in a row. Chunking helps (which is why your CC number or even phone numbers are grouped into 3 to 4 digits) and so does using your own variation of numbers replacing letters (1337).

The worst mistake I see is people always using various types of passwords and starting to accumulate so many different passwords that they forget them when they aren't used that often. 3 to 4 is usually ideal. Can't trust a computer to store the stuff, but you can always trust your brain. Everything is in there, just gotta be smart and learn how to access it. G'luck.
You're not afraid of the dark are you?

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Mon Dec 26, 2005 10:51 am

While I totally support your idea, it's not usable.

Using the same password for everything (of the same level) isn't "secure".
Also, to be secure, you should change your password from time to time. Not every day, but at least every year.
Good passwords should be long (at least 8 symbols) and random (or at least look random to everyone but you).

The combination of these 3 points will have me remembering dozens of passwords, every year again. Since I don't use every password regularly, I'll probably forget some of them.

But you're right: the head is the best place... but my head is too small (or I'm too paranoid).
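The three requirements in the post above (a different password per account, rotated, long and random) are the reason a memorised set stops scaling, and a short calculation shows what the "at least 8 symbols" and "20+ symbols" figures actually buy against an offline guessing attack. The following is an added example, not code from the thread or from any tool mentioned in it; the guess rate of 10^10 per second and the 100,000-word dictionary are assumed round numbers for illustration, not measured figures.

```python
import math
import secrets
import string

# Alphabets a password can be drawn from (sizes 94, 62 and 26 symbols)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ALNUM = string.ascii_letters + string.digits
LOWER = string.ascii_lowercase

# Assumed for illustration: an offline attacker trying 10^10 guesses per second
# against a fast, unsalted verifier. Tune this to the hash actually in use.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(alphabet_size, length):
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def dictionary_bits(dictionary_size):
    """A 'word' password, whatever its letter count, is one pick from the dictionary."""
    return math.log2(dictionary_size)


def generate(length, alphabet=PRINTABLE):
    """Uniformly random password from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_years(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected search cost is half the keyspace, at the assumed guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def report(label, bits):
    """One line of the comparison table."""
    return f"{label:32s} {bits:6.1f} bits  ~{expected_crack_years(bits):.3g} years"


if __name__ == "__main__":
    # Assumed 100,000-word dictionary stands in for the "5-8 letter words" case
    print(report("5-8 letter word (100k dict)", dictionary_bits(100_000)))
    print(report("8 random lowercase", entropy_bits(len(LOWER), 8)))
    print(report("8 random printable", entropy_bits(len(PRINTABLE), 8)))
    print(report("20 random printable", entropy_bits(len(PRINTABLE), 20)))
    print("sample 20-symbol password:", generate(20))
```

The point of the table is that length only counts when every symbol is an independent random choice: a dictionary word is about 17 bits whether it is 5 or 8 letters long, 8 random printable symbols give about 52 bits, and 20 give about 131 bits, which is why the 20+ symbol passwords are the ones that need to be written down somewhere.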

gurke
Apprentice
Posts: 260
Joined: Thu Jul 10, 2003 4:40 pm

Post by gurke » Mon Dec 26, 2005 10:59 am

If you've got lots of important passwords, the mind is not the ideal place to store them. I did categorize my passwords by complexity, so I have a convenience pass for stuff like my Windows comp, etc., then a few really random passwords of 7/8/9 digits, sorted by importance. They're only stored in my mind. Let's see where it gets me. ;)

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Mon Dec 26, 2005 11:29 am

gurke wrote: I have a convenience pass for stuff like my Windows comp, etc., then a few really random passwords of 7/8/9 digits, sorted by importance. They're only stored in my mind. Let's see where it gets me. ;)
Hmm... OK...
I have (already in my mind)
  • 5 passwords, 20+ symbols each, totally random (the "important ones")
  • something like 8-10 "normal" passwords, at least 8 chars each.
  • Some convenient ones (mostly other people's passwords that I need from time to time), mostly 5-8 letter words.
  • some dozens of corresponding usernames/computer names/websites/port numbers
And since I recently needed another "important" one (=20+ chars) I thought that it might be useful to have them somewhere "written down"...

BTW, my "really important" passwords are usually RSA (or equivalent) keys of 2048+ bits, stored on removable media AND encrypted with a password.

OK, I confess... I'm paranoid.

joey_knisch
n00b
Posts: 58
Joined: Thu Apr 08, 2004 1:23 am

Post by joey_knisch » Mon Dec 26, 2005 8:17 pm

A biometric HID standard needs to be created so that companies can write standard devices and developers can create standard drivers. That will be the best answer I think. It takes the weakest link out of it and provides for minimum effort from the end user.

nielchiano
Veteran
Posts: 1287
Joined: Tue Nov 11, 2003 2:57 pm
Location: 50N 3E

Post by nielchiano » Mon Dec 26, 2005 8:27 pm

joey_knisch wrote: biometric
That is indeed the keyword: very easy to remember, very hard to lose, but difficult to fake.
joey_knisch wrote: A biometric HID standard needs to be created
That will be a problem... standards always take ages to be defined.

allucid
Veteran
Posts: 1314
Joined: Sat Nov 02, 2002 6:27 pm
Location: atlanta

Post by allucid » Mon Dec 26, 2005 10:07 pm

nielchiano wrote:
joey_knisch wrote: biometric
That is indeed the keyword: very easy to remember, very hard to lose, but difficult to fake.
joey_knisch wrote: A biometric HID standard needs to be created
That will be a problem... standards always take ages to be defined.
Many biometric methods have proven easy to bypass/fake.
help support OpenSSH

Lokheed
Veteran
Posts: 1295
Joined: Mon Jul 12, 2004 8:38 pm
Location: /usr/src/linux

Post by Lokheed » Tue Dec 27, 2005 9:55 am

nielchiano wrote: While I totally support your idea, it's not usable.
Sure it is. I think rather than "not usable," you mean it's not for me...

Security is something of a construct that everyone has different interpretations of.

There are other tricks for generating and recalling passwords. Look around you and use what's there. Keyboard serial, mouse serial, every second digit would do. The top row of your keyboard starting with Q to P. Every second letter caps. Spell your name (surname included) backwards.

The person that is going to crack your pass is not going to use heuristics, he/she is going to use brute force; that is where you have an advantage.

You can make easy passwords to remember, or rather, you can remember passwords a lot better when they aren't so random. Still the best place is your long-term memory. As far as we know it's bottomless and has no data loss (retrieval is another factor).

I still stick with the brain idea.

On a side note, I changed my ATM pass when my pass was the number one pass listed in a survey in a local paper; can you say ouch? But that was years back, really I know what I am doing now ;)
You're not afraid of the dark are you?

badchien
Guru
Posts: 415
Joined: Mon Feb 16, 2004 8:45 am
Location: doghouse

Post by badchien » Tue Dec 27, 2005 3:42 pm

Lokheed wrote: The person that is going to crack your pass is not going to use heuristics, he/she is going to use brute force; that is where you have an advantage.
It is very helpful that you are able to foresee that. I have no such gift, so I use a password database like nielchiano.
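The objection in the post above can be tested directly: the tricks proposed earlier in the thread (keyboard rows, every second digit of a serial, alternating caps, 1337 substitutions, a name spelled backwards) are each a small, well-known transform, so an attacker who knows people use them does not brute-force the keyspace at all but tries the transforms first. The following is an added example, not code from the thread or from any password tool mentioned in it; the user name, the serial number and the target hashes are constructed for the demonstration, and unsalted SHA-256 only stands in for a stored verifier so the script runs offline.

```python
import hashlib

# The tricks from the thread, reduced to data and transforms
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def alternate_caps(s):
    """'Every second letter caps': upper-case the characters at even positions."""
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(s))


def every_second_char(s):
    """'Every second digit' of a serial: the characters at even positions."""
    return s[::2]


def mangle(word):
    """Every variant one base word yields under the thread's tricks:
    reversed, 1337-substituted, capitalised, upper-cased, alternating caps."""
    base = word.lower()
    seeds = {base, base[::-1], base.translate(LEET), base[::-1].translate(LEET)}
    variants = set()
    for s in seeds:
        variants.update({s, s.capitalize(), s.upper(), alternate_caps(s)})
    return variants


def candidates(personal_words, serials):
    """The whole guess list: keyboard rows, personal words and serial-number
    fragments, each mangled. A few hundred guesses, not a keyspace."""
    guesses = set()
    for w in KEYBOARD_ROWS + list(personal_words):
        guesses |= mangle(w)
    for sn in serials:
        digits = "".join(ch for ch in sn if ch.isdigit())
        for base in (sn, digits, every_second_char(sn), every_second_char(digits)):
            guesses |= mangle(base)
    return guesses


def sha256_hex(s):
    # Unsalted SHA-256 is NOT a password hash; it only plays the stored verifier
    # here. Real systems use a salted, slow hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hashes, personal_words, serials):
    """Return {hash: plaintext} for every target that the guess list hits."""
    lookup = {sha256_hex(c): c for c in candidates(personal_words, serials)}
    return {h: lookup[h] for h in target_hashes if h in lookup}


# Constructed demo data: a user called John Doe whose keyboard serial is KB-2048A7B3.
PERSONAL_WORDS = ["John", "Doe", "JohnDoe"]
SERIALS = ["KB-2048A7B3"]
# Three passwords built with the tricks, plus one 16-symbol random one (all constructed).
DEMO_PASSWORDS = ["QwErTyUiOp", "eodnhoj", "j0hnd03", "Lq7#vR2pX9!mZ4wT"]
DEMO_HASHES = [sha256_hex(p) for p in DEMO_PASSWORDS]

if __name__ == "__main__":
    hits = crack(DEMO_HASHES, PERSONAL_WORDS, SERIALS)
    print(f"{len(candidates(PERSONAL_WORDS, SERIALS))} guesses tried")
    for h in DEMO_HASHES:
        status = "recovered: " + hits[h] if h in hits else "not recovered"
        print(f"{h[:12]}...  {status}")
```

The three trick-derived passwords fall to a guess list of a couple of hundred entries, while the random 16-symbol one is untouched, which is the difference between "looks random" and "is random" that the rest of the thread turns on. Real cracking tools apply the same idea at scale with rule files over word lists, which is why such transforms add almost nothing over the base word.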

© 2001–2026 Gentoo Foundation, Inc.