Wilders Security Forums  

  #1  
Old August 7th, 2012, 05:33 PM
discs discs is offline
Infrequent Poster
 
Join Date: May 2011
Posts: 39
Default Keepass - a further leap ahead with OptionLock

Hi,

Rather than updating many parts of the older thread on Keepass and OptionLock I posted a couple of days ago:

http://www.wilderssecurity.com/showthread.php?t=329627

I thought I would take this opportunity to post a new update thread with a proper heading (title) - which corrects my failure to highlight the subject of the thread, 'OptionLock'!

The developer of OptionLock has now made the plugin available on GitHub, where users can download the source code and the PLGX plugin without an account (no need to log in to GitHub).

https://github.com/TLHobbes/OptionLock - go to bottom of page for download link
https://github.com/downloads/TLHobbe...ptionLock.plgx - direct download

OptionLock is a plugin for Keepass, and the developer posts on the Keepass forums (which is where I found out about the plugin); so, if you need more information, or want to comment directly then go to: http://sourceforge.net/projects/keep.../topic/5495354.
  #2  
Old August 9th, 2012, 11:48 AM
PaulyDefran PaulyDefran is offline
Frequent Poster
 
Join Date: Dec 2011
Posts: 693
Default Re: Keepass - a further leap ahead with OptionLock

Installed, thanks.

PD
  #3  
Old August 9th, 2012, 02:48 PM
aladdin aladdin is online now
Very Frequent Poster
 
Join Date: Jan 2006
Location: Oman
Posts: 2,276
Default Re: Keepass - a further leap ahead with OptionLock

Thanks Discs,

Best regards,
__________________
aladdin™
Samsung Galaxy Note II, Samsung Galaxy S3, Google Nexus 10 and Google Nexus 7
  #4  
Old August 13th, 2012, 05:39 AM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Keepass - a further leap ahead with OptionLock

This should be interesting. I was a longtime LastPass believer, though perhaps I should follow suit, as have a lot of Wilders members. Apparently KeePass is the nr. 1 pass manager, not to mention the database being on your PC instead of some unknown server, AES encrypted or not. I like it.
  #5  
Old August 14th, 2012, 10:56 AM
PaulyDefran PaulyDefran is offline
Frequent Poster
 
Join Date: Dec 2011
Posts: 693
Default Re: Keepass - a further leap ahead with OptionLock

I use both in conjunction. KP for anything that isn't a website (including LP's Master Pass, which I don't know and is 260 bits long), and LP for websites. LP is just too darn convenient/easy to use without jumping through hoops, for web sites.

PD
  #6  
Old August 14th, 2012, 08:11 PM
pegr pegr is offline
Very Frequent Poster
 
Join Date: Apr 2008
Location: UK
Posts: 1,608
Default Re: Keepass - a further leap ahead with OptionLock

Nice plugin.

Thanks discs.
__________________
Windows Firewall - avast! Free Antivirus - AppGuard - Shadow Defender - Sandboxie - Acronis True Image
  #7  
Old August 14th, 2012, 08:22 PM
Page42 Page42 is offline
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by discs
But, in one important respect, it fails to ensure that a user is enabled to protect the access and use of their password data by unauthorised persons or software.
I don't understand. If this is such a big deal, why doesn't Dominik Reichl rewrite his program?
Maybe you can help me with that.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #8  
Old August 16th, 2012, 02:14 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Keepass - a further leap ahead with OptionLock

I'd argue password length for most users doesn't matter when the answers to all their account "security questions" are posted on public Facebook pages.
  #9  
Old August 17th, 2012, 05:47 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
I'd argue password length for most users doesn't matter when the answers to all their account "security questions" are posted on public Facebook pages.
Very very true. I can't believe some websites use a security question.
  #10  
Old August 17th, 2012, 06:00 PM
Page42 Page42 is offline
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Default Re: Keepass - a further leap ahead with OptionLock

As I noted to a fellow member yesterday, my security question answers always have absolutely nothing to do with the question.
I either treat them like a 2nd password, or I run several words together that are unrelated to the question.
Coupled with the fact that I have no FB account, I'd have to say that the answers to all my account security questions are a little more difficult to ascertain.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #11  
Old August 17th, 2012, 07:26 PM
Victek123 Victek123 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Location: USA
Posts: 2,722
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by Page42
As I noted to a fellow member yesterday, my security question answers always have absolutely nothing to do with the question.
I either treat them like a 2nd password, or I run several words together that are unrelated to the question.

Interesting idea to not provide literal answers to security questions. However, that defeats the purpose of a security question, which is to provide an alternative to remembering passwords. You can use a password manager to keep track of the "non-answers" to the questions, but as a methodology for average users it really needs to be thrown out. Since pretty much everyone has a cell phone, web operators should push hard to get everyone into two-factor (SMS) authentication. That provides some significant protection along with the password (the name of your cat).
__________________
ut quod ego verus est maioribus quam ut quod est sanctus
  #12  
Old August 17th, 2012, 07:49 PM
Page42 Page42 is offline
Massive Poster
 
Join Date: Jun 2007
Location: Last Breath Farm
Posts: 4,580
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by Victek123
Interesting idea to not provide literal answers to security questions. However that defeats the purpose of a security question which is to provide an alternative to remembering passwords. You can use a password manager to keep track of the "non-answers" to the questions, but as a methodology for average users it really needs to be thrown out.
I'm not sharing a method that I purport to be ideal for the masses.
Nevertheless, I wouldn't be so quick to dismiss it, Victek123.
I've shared the idea with more than a few people who all find it to be useful and simple to remember.
__________________
To err is human; to forgive, infrequent. - Franklin P. Adams
  #13  
Old August 17th, 2012, 08:08 PM
Noob Noob is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 5,248
Default Re: Keepass - a further leap ahead with OptionLock

What does this Plugin do?
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
  #14  
Old August 18th, 2012, 09:28 AM
Victek123 Victek123 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Location: USA
Posts: 2,722
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by Page42
I'm not sharing a method that I purport to be ideal for the masses.
Nevertheless, I wouldn't be so quick to dismiss it, Victek123.
I've shared the idea with more than a few people who all find it to be useful and simple to remember.

I can see how it's an effective way of dealing with the weakness of the method and I'm sorry it came across as a critique. I was speaking more generally about the plight of the average user. Password management among the vast majority is truly horrible and I don't see this trick with security questions as being viable for them. They can't remember the answers to security questions and password hints when they're meant to be literal, so if the questions were answered in an abstract way they would be unanswerable down the road. People just can't manage their information. I suggested cell phone based two-factor authentication because all it requires is having the phone at hand, which is generally the case.
__________________
ut quod ego verus est maioribus quam ut quod est sanctus
  #15  
Old August 18th, 2012, 10:47 AM
TheWindBringeth TheWindBringeth is offline
Frequent Poster
 
Join Date: Feb 2012
Posts: 815
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by Victek123
Since pretty much everyone has a cell phone web operators should push hard to get everyone into two-factor (SMS) authentication
Uhm, can we NOT encourage them to push people into handing over cell phone numbers? Many like to keep that private and only give it out to friends/family. Many don't want it falling into the hands of companies in general. Some don't want to have text messaging enabled. Some don't want web companies in general being able to acquire their name and address from that phone number.
  #16  
Old August 18th, 2012, 11:15 AM
Snowden Snowden is offline
Regular Poster
 
Join Date: May 2012
Posts: 68
Default Re: Keepass - a further leap ahead with OptionLock

I can't remember the last time I used an actual answer to a security question. I tend to store them in an encrypted file

Web Site -> Question -> Answer

What *really* makes me mad is when they limit the characters to something ungodly small

I'm hesitant to use any type of plugin that is the master db for all of my passwords although this plugin sounds great....
  #17  
Old August 18th, 2012, 01:14 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by TheWindBringeth
Uhm, can we NOT encourage them to push people into handing over cell phone numbers? Many like to keep that private and only give it out to friends/family. Many don't want it falling into the hands of companies in general. Some don't want to have text messaging enabled. Some don't want web companies in general being able to acquire their name and address from that phone number.

There are throw away virtual phone number services on the internet, just as you would use a bogus account for just one service online.
  #18  
Old August 18th, 2012, 02:11 PM
Victek123 Victek123 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Location: USA
Posts: 2,722
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by TheWindBringeth
Uhm, can we NOT encourage them to push people into handing over cell phone numbers? Many like to keep that private and only give it out to friends/family. Many don't want it falling into the hands of companies in general. Some don't want to have text messaging enabled. Some don't want web companies in general being able to acquire their name and address from that phone number.

Well, "push" wasn't the best word - how about "educate"? If average users understood the benefit of two-factor authentication (TFA) and the convenience of using cell phone/SMS they might prefer it over writing their passwords on sticky notes or simply forgetting them, and/or having their accounts hacked. I agree that whenever you share personal information there are privacy considerations. I don't share my cell phone number widely, however sites on which I do financial transactions, such as my bank, already have the number (and my name and address) as a necessary component of identity validation, so using the phone for TFA doesn't incur an additional privacy concern. Those folks who don't have cell phones or don't enable text messaging obviously can't use this option, but many people already do, which is why it would be easy to adopt.
__________________
ut quod ego verus est maioribus quam ut quod est sanctus
  #19  
Old August 18th, 2012, 04:46 PM
Montmorency Montmorency is offline
Regular Poster
 
Join Date: Oct 2011
Posts: 184
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
a further leap ahead with OptionLock
You must be joking.
Maybe you can consider KeeFox a leap... but this?

Get a grip.
  #20  
Old August 18th, 2012, 07:25 PM
TheWindBringeth TheWindBringeth is offline
Frequent Poster
 
Join Date: Feb 2012
Posts: 815
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by EncryptedBytes
There are throw away virtual phone number services on the internet, just as you would use a bogus account for just one service online.
Thanks for pointing that out.

Quote:
Originally Posted by Victek123
Well, "push" wasn't the best word - how about "educate"?
Educating people and giving them options sounds good to me
  #21  
Old August 19th, 2012, 06:07 PM
SirDrexl SirDrexl is offline
Frequent Poster
 
Join Date: Apr 2012
Location: USA
Posts: 208
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by EncryptedBytes
There are throw away virtual phone number services on the internet, just as you would use a bogus account for just one service online.

Will they accept incoming text messages and reroute them to you? That's what would be needed in this case.
  #22  
Old August 19th, 2012, 06:34 PM
TheWindBringeth TheWindBringeth is offline
Frequent Poster
 
Join Date: Feb 2012
Posts: 815
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by SirDrexl
Will they accept incoming text messages and reroute them to you? That's what would be needed in this case.
Wouldn't the user (possibly) have to respond to the text message with some kind of authorization code (as a confirmation and protection against a scenario involving a lost/stolen phone)? IOW, might not the user also want some outgoing text messages anonymously routed through the "alias service" too?

FWIW, any time I've run into the automated "requires confirmation by phone" scenario there was an option to do it via voice prompting and pick which number on record to use (cell or non-cell).
  #23  
Old August 19th, 2012, 06:47 PM
SirDrexl SirDrexl is offline
Frequent Poster
 
Join Date: Apr 2012
Location: USA
Posts: 208
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by TheWindBringeth
Wouldn't the user (possibly) have to respond to the text message with some kind of authorization code (as a confirmation and protection against a scenario involving a lost/stolen phone)? IOW, might not the user also want some outgoing text messages anonymously routed through the "alias service" too?

FWIW, any time I've run into the automated "requires confirmation by phone" scenario there was an option to do it via voice prompting and pick which number on record to use (cell or non-cell).

In Google's case you apparently only need the one message. The idea is that it's highly unlikely anyone would have both the user's password AND the phone. But, I wouldn't be surprised if some people write down the password in a place where it could be stolen along with the phone, or even store it openly on the phone itself.

Not having used it myself, I hadn't thought about the voice option.
  #24  
Old August 19th, 2012, 07:13 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Keepass - a further leap ahead with OptionLock

Quote:
Originally Posted by SirDrexl
Will they accept incoming text messages and reroute them to you? That's what would be needed in this case.

No they would not, the ones I've played with, SMS and a small voice audio file used for authentication, say with Google, would be routed to an email inbox.
  #25  
Old August 20th, 2012, 05:00 PM
happyyarou666 happyyarou666 is offline
Frequent Poster
 
Join Date: Jan 2012
Posts: 675
Default Re: Keepass - a further leap ahead with OptionLock

Interesting, is there any free virtual phone nr. service?
 
