Keepass - a further leap ahead with OptionLock

Hi,

Rather than updating many parts of the older thread on Keepass and OptionLock I posted a couple of days ago:

https://www.wilderssecurity.com/showthread.php?t=329627

I thought I would take this opportunity to post a new update thread with a proper heading (title) - which corrects my failure to highlight the subject of the thread, 'OptionLock'!

The developer of OptionLock has now made the plugin available on GitHub, where users can download the source code and the PLGX plugin without an account (no need to log in to GitHub).

https://github.com/TLHobbes/OptionLock - go to bottom of page for download link
https://github.com/downloads/TLHobbes/OptionLock/OptionLock.plgx - direct download

OptionLock is a plugin for Keepass, and the developer posts on the Keepass forums (which is where I found out about the plugin); so, if you need more information, or want to comment directly then go to: http://sourceforge.net/projects/keepass/forums/forum/329220/topic/5495354.

 

Installed, thanks.

PD

 

Thanks Discs,

Best regards,

 

this should be interesting was a longtime lastpass believer thou perhaps i should follow suit as have alot of wilders members apparently keepass is the nr.1 pass manager not to mention the database being on your pc instead of some unknown server aes encrypted or not, i like it

 

I use both in conjunction. KP for anything that isn't a website (including LP's Master Pass, which I don't know and is 260bits long), and LP for websites. LP is just too darn convenient/easy to use without jumping through hoops, for web sites.

PD

 

Nice plugin.

Thanks discs.

 

I don't understand. If this is such a big deal, why doesn't Dominik Reichl rewrite his program?
Maybe you can help me with that.

 

I'd argue password length for most users doesnt matter when the answers to all their account "security questions" are posted on public facebook pages.

 

Very very true. I can't believe some websites use a security question.

 

As I noted to a fellow member yesterday, my security question answers always have absolutely nothing to do with the question.
I either treat them like a 2nd password, or I run several words together that are unrelated to the question.
Coupled with the fact that I have no FB account, I'd have to say that the answers to all my account security questions are a little more difficult to ascertain.

 

Interesting idea to not provide literal answers to security questions. However that defeats the purpose of a security question which is to provide an alternative to remembering passwords. You can use a password manager to keep track of the "non-answers" to the questions, but as a methodology for average users it really needs to be thrown out. Since pretty much everyone has a cell phone web operators should push hard to get everyone into two-factor (SMS) authentication. That provides some significant protection along with the password (the name of your cat )

 

I'm not sharing a method that I purport to be ideal for the masses.
Nevertheless, I wouldn't be so quick to dismiss it, Victek123.
I've shared the idea with more than a few people who all find it to be useful and simple to remember.

 

What does this Plugin do?

 

I can see how it's an effective way of dealing with the weakness of the method and I'm sorry it came across as a critique. I was speaking more generally about the plight of the average user. Password management among the vast a majority is truly horrible and I don't see this trick with security questions as being viable for them. They can't remember the answers to security questions and password hints when they're meant to be literal, so the if the questions were answered in an abstract way they would be unanswerable down the road. People just can't manage their information. I suggested cell phone based two-factor authentication because all it requires is having the phone at hand which is generally the case.

 

Uhm, can we NOT encourage them to push people into handing over cell phone numbers? Many like to keep that private and only give it out to friends/family. Many don't want it falling into the hands of companies in general. Some don't want to have text messaging enabled. Some don't want web companies in general being able to acquire their name and address from that phone number.

 

I can't remember the last time I used an actual answer to a security question. I tend to store them in an encrypted file

Web Site -> Question -> Answer

What *really* makes me mad is when they limit the characters to something ungodly small

I'm hesitant to use any type of plugin that is the master db for all of my passwords although this plugin sounds great....

 

There are throw away virtual phone number services on the internet, just as you would use a bogus account for just one service online.

 

Well, "push" wasn't the best word - how about "educate"? If average users understood the benefit of two-factor authentication (TFA) and the convenience of using cell phone/SMS they might prefer it over writing their passwords on sticky notes or simply forgetting them, and/or having their accounts hacked. I agree that whenever your share personal information there are privacy considerations. I don't share my cell phone number widely, however sites on which I do financial transactions, such as my bank, already have the number (and my name and address) as a necessary component of identity validation, so using the phone for TFA doesn't incur an additional privacy concern. Those folks who don't have cell phones or don't enable text messaging obviously can't use this option, but many people already do which is why it would be easy to adopt.

 

You must be joking.
Maybe you can consider KeeFox a leap... but this?

Get a grip.

 

Thanks for pointing that out.

Educating people and giving them options sounds good to me

 

Will they accept incoming text messages and reroute them to you? That's what would be needed in this case.

 

Wouldn't the user (possibly) have to respond to the text message with some kind of authorization code (as a confirmation and protection against a scenario involving a lost/stolen phone)? IOW, might not the user also want some outgoing text messages anonymously routed through the "alias service" too?

FWIW, any time I've run into the automated "requires confirmation by phone" scenario there was an option to do it via voice prompting and pick which number on record to use (cell or non-cell).

 

In Google's case you apparently only need the one message. The idea is that it's highly unlikely anyone would have both the user's password AND the phone. But, I wouldn't be surprised if some people write down the password in a place where it could be stolen along with the phone, or even store it openly on the phone itself.

Not having it used it myself, I hadn't thought about the voice option.

 

No they would not, the ones I've played with, SMS and a small voice audio file used for authentication, say with Google, would be routed to an email inbox.

 

interesting ,is there any free virtual phonenr. service?