What if my Password Vault's master password was leaked?

I always hesitate to use a password vault because I think it is way too dangerous if my master password was leaked to someone somehow.

It will be an All GAMES OVER! You guys don't worry about it?

 

Well yes, I am sure everybody worries. But what are the alternatives to using a password vault?
Using the same complex password for all services? BAD
Using easy passwords and memorize them? BAD
Using complex passwords different for each service? GOOD... but quite unlikely.

Remember that the password vault is usually a file, that you can store on a (encrypted) media and keep it always with you.

Just my 2c

 

Nope, I don't worry about it. If you have concerns about your master password (which isn't written down anywhere) then you need a password manager that also does something like a key file and or Windows credentials verification in addition to the master password. I use KeePass 1.x which doesn't have the last but can use the first two - with the key file on my USB stick.

http://keepass.info/help/base/keys.html

 

Hi Markoman,

What about my password policy:

I have about 3 passwords:

a. for everyday use on regular websites.

b. better made password for login important mails and banks

c. the most complex password for money transfer in banks

I change my password every half a year or so.

For exmaple, my first password for b is "b1ngo",after about half a year,I change it to "b2ngo".

Easy to remember. 3 passwords in my head only.

 

I'm thinking about using keepass. Good to know that they have keyfile feature.

 

Just backup your keyfile and put it in a secure location. There's always something to worry about and another layer we need to protect what's protecting that which needs protecting.

 

It is true that relying only upon a password can be risky but making the password significantly complex can reduce the risk somewhat. Use of keyfiles is also good to add another layer as Gerard Morentzy mentioned.

The basic layers are:

- something you know [eg. passphrase]
- something you have [eg. keyfile or token]
- something you are [ie. biometric stuff - retina, palm print, anus print [kidding]]

Until biometric readers are more wide-spread, however, we make do with two layers

 

OK, let's talk about keyfile.

Where is a good place to store my keyfile? What if I stupidly lost it?

I don't know what can be called a "same“ keyfile. So I think I may creat a text file and add one song's lyrics to it as a keyfile. I don't even need to store the keyfile on my computer. When I want to use the keyfile,I can make one at once. Does it accept it as the same keyfile? Isn't it a good idea?

 

The risk is that if you lose your keyfile then you also lose access to the data. As a result, you should make a couple of backups of the keyfile on USB flash drives [they're so cheap] and then keep them in physically separate locations.

Using song lyrics is OK as long as no-one knows that's what the content of the keyfile is. TrueCrypt has a keyfile generator built into it. I'd suggest using that instead.

 

Sometime when you know you're going to be out of town, be sure you have your keyfile with you, stop in at a Marriott Hotel with their free business centers, create a Gmail account that you'll never touch again except in an emergency (keyfile is lost/destroyed). Upload your keyfile as an attachment and put it in drafts. Be sure you remember the login details, don't write it down anywhere and NEVER access it from home, from your machine, etc. It will always be there, in the cloud, not connected to you in any way - just in case.