Advice on Password Storage

Hi Guys.

Being totally useless at remembering passwords (due to age ) I use a method where I have concealed a (random) password
in this completely normal text file:-

The password is more than 13 characters in there somewhere, that I can immediately recognise and use.
My question is, is there a weakness in my thinking, in that I am giving a cracker a head-start by allowing this text file to be available?

 

I have no clue. If there's something that's obvious to you, I'd worry that an attacker could recognize it.

I do note that "bEr$UrF2pux67PEhpe3seq4!?TS?bar-=htarWUXeRc7P&&MurdEM_-=-RfuZar?" and "?raZufR-=-_MEdruM&&P7cReXUWrath=-rab?ST?!4qes3ephEP76xup2FrU$rEb" are each repeated three times. I also see that a pair of one repeat frames "9Pr9SUF5xawR5Da4razAXenesucHaj7PaP9wraTHuzEThExAPRa2reBe" and that a pair of the other repeat frames an inverted copy "eBer2aRPAxEhTEzuHTarw9PaP7jaHcuseneXAzar4aD5Rwax5FUS9rP9".

Am I getting close?

 

Thanks for the input. Very observant of you, but fortunately for me not close.
I actually didn't realise that there were repeats in there, so maybe it's quite good that there is a "red herring" to throw someone in the wrong direction.
Thanks again.

 

.
Have you considered using LastPass, which will encrypt your passwords while relieving you of the need to remember them? I use it and it enables me to use more complex and unique passwords since I don't need to either remember or be able to type them.

 

Or consider free KeePass (I recommend version 1.x (what I use.)) http://www.keepass.info/news/n091205_1.17.html

Or, you could use something very simple like free LockNote http://www.steganos.com/us/products/for-free/locknote/overview/ Basically, it's a text file that is self encrypting.

 

My overall sense is that you would be much better off remembering a lower-quality password rather than secretly encoding a near-plaintext copy of a higher-quality password. The security of your secret encoding method can't be measured, but keep in mind that it would have to be fairly easy to use, otherwise you wouldn't be using it, and this fact considerably reduces the number of possibilities that a cracker would have to test.

It all boils down to this: Rather than relying on the time it takes to brute force a good password, you are relying on cleverness, subterfuge and luck. However, keep in mind that other people can be clever too, as well as skilled, so your cleverness doesn't really gain you much (if any) advantage. And assuming you don't intend to rely on luck, all that remains is subterfuge. Basically, you're hiding your password in plain sight. Will your attacker realize that the file contains your password? Will they discover your encoding method? It's impossible to say, and thus it's impossible to calculate your method's overall security (wheras the strength of a conventional password can be easily calculated.) And that's the big weakness of your method -- you simply can't know how weak or strong it is.

An analogy that springs to mind is that you're kind of like a person who tends to always loses his keys, and so you've decided that rather than carrying your front door key on you, you'll hide it somewhere on the property (but relatively near the front door). It's a fairly clever spot, but it's also fairly accessible (otherwise you wouldn't use it). Will a burglar figure it out someday? Maybe. (Especially if they're watching).

 

My apologies guys. I should have said that the hidden password is the Master Password for Keepass which holds all the other passwords.

@dantz

Very useful input for which I thank you. Very good analogy, and I take your point, BUT, having accepted that the password is "upfront" for all to see, it is instantly recognisable to me (for some reason) but not in any way obvious to an intruder.
I suppose what I am really asking is if it would be easy to crack given that they have a head start by seeing something which they know contains a password....somewhere.

Anyway, no big deal, but very grateful to all.

Regards

Ken

 

Unless you're a high value target, I wouldn't expect anyone to spend much time trying to crack your scheme. If you're still uneasy though, you could instead use a text file that contains hints as to what the real password is, without actually giving the password. For example "the name of my first dog followed by the last name of my first love followed by the last 4 digits of my social security number followed by the name of my favorite childhood music group, all in lower case and containing no spaces." Try to make sure that the answers to all of the questions are likely known by nobody except you.

 

Not uneasy with my ability to remember the password as it is MrBrian, but was curious to know if there was a fatal flaw in my system of "putting it all out there" to be cracked. Not what you would call a high value target, but certainly use Keepass for online banking etc, so maybe high value to me.
Thanks for your input.

 

It seems to be a giant palindrome, but I'm guessing that somewhere the sequence is broken. I'll leave it for someone else to earn a well deserved headache!

maybe in: feCuyedarurpABeR

 

why 1.x? while 2.x is out and provide even better security ?

"[2.x] Protected In-Memory Streams: When loading the inner XML format, passwords are encrypted using a session key."

you can find it here


http://keepass.info/features.html

 

2 reasons...

First, 2.x requires .NET Framework. I don't have anything particularly against .NET Framework but don't see the need to run 2 programs just to get a password.

Second, 1.x can be made 100% portable (with no dependencies) and ran from a flash USB drive. This is my preferred method (although I don't always use it this way.)

 

version 2 also got portable state , i am using it atm....

 

Yes, 2.x can be carried on a flash drive. But try using it on a PC that has no .NET Framework. A situation I can't live with.

 

Seems like little gain in playing hide and seek with your password. Also, I fail to see the advantage of playing that with the password to your KeePass database which holds your passwords. If your database is in on an encrypted drive, or your system at all - access to the database means all bets are off anyway. Physical security comes first.

At some point, one has to go with best practices and not invent new and dubious schemes. For example, you could choose to encrypt your password which gains access to an encrypted file which holds your password to the encrypted password of the file that has your 'hide n' seek' password which would, alas, open your KeePass database. That could go on forever and for little gain.

Not that it matters, but I'm a believer in Roboform Pro and it is my single most prized piece of software. As far as I'm concerned, everything else is 'wannabe' in this category.

 

Well this topic is really fun IMO, and i am no security expert, hardly a rookie:
- using one key to get to second one is useless. If i break first safe that contains a key to second safe, that has a key of the third one... and so on, that wouldn't enhance security, it would only take a minute more to get to hidden treasure.
- your pass is hidden from any random person, not wanting to get your pass intentionally, but a skilled hacker could use this txt file as some sort of dictionary and then go for it with its "pass cracking software".
- but if we want to keep it simple, i would suggest that you hide txt inside of a bmp file. Just use (copy /b "bmpfile" + "txtfile" "newbmpfile") in command prompt
- i read somewhere that mostly used and effective methods for gaining a password are social engineering and keyloggers.
- so if your password container is hidden, then it can't be cracked, (since no app can use it) no meter if it is plain text or 256 AES encrypted. Then just be careful that it is not your pet's name in it and that you use a virtual keyboard (neo safekeys is good)