Browsers' password managers vs KeePass? (when auto-entering passwords)

Discussion in 'privacy technology' started by erim, Oct 1, 2012.

Thread Status:
Not open for further replies.
  1. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    43
    I've been using Firefox's and Opera's password managers, but I don't know how secure they are against keyloggers when inputing the username+password.

    I'm not talking about entering the master password. That one is obviously more secure in KeePass, so let's not even waste time with that.
    I want to know about the security when entering specific usernames+passwords on websites.

    KeePass describes this in detail (for the two channel auto type feature).

    But I don't have a lot of information about how browsers enter passwords.
    What happens when you click on the "wand" key in Opera, for example? Something like clipboard copy+paste, perhaps?
    There was a thread at Opera, but the developers/moderators didn't answer this specific question.
     
  2. Snowden

    Snowden Registered Member

    Joined:
    May 2, 2012
    Posts:
    68
    I can't comment on how secure it is but I've never used a browser plugin w/ keepass.

    I open it when needed, copy/paste and immediately lock the workspace. I don't even have it where it'll paste it automatically.

    I don't know if it's safer that way or not but it's just my personal practice.
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    I use lastpass for ease of use.Although i would think keepass is more secure because it is resident on the computer rather than using a server which lastpass does.:cautious:
     
  4. Snowden

    Snowden Registered Member

    Joined:
    May 2, 2012
    Posts:
    68
    Never used lastpass...

    one of the features about Keepass I like the most is being able to use a keyfile.

    I keep a USB drive on my keychain and my keepass db in the cloud. Comes in hand.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  6. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I have Chrome Version 22.0.1229.94 I reported a issue between chrome and online Bank account, in setting the check box is marked for Chrome to ask if I want Chrome to remember a password..Chrome does,t remember. I also mentioned Chrome does not have password protect on the password manager but Opera does :cautious:
     
  7. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i'm too paranoid to store my passwords in the cloud. ;)

    and i don't trust my browser to handle those either.

    for me, i'd rather use something like Keepass or store my passwords in a encrypted text file.
     
  8. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,415
    I wouldn't trust a browser to keep my passwords, way too many things can go wrong.
     
  9. tlu

    tlu Guest

    moon, I've been there, too ;) However, I've changed my mind after looking more closely into Lastpass. I've summarized my opinion in the Noscript forum here and here.
     
  10. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I was very skeptical of Lastpass for quite some time. They continued to release security bulletins geared to the security community that were extremely impressive. At this point, I have fewer and fewer reasons not to feel at ease with Lastpass. They've done a splendid job at separating risk factors which makes an attack on any individual user (or groups of users) almost so negligible that a legitimate attack is barely theoretical on paper. I think Lastpass might be one of the most impressive SaS applications ever developed - for security use or otherwise.

    Lastpass has a short but very solid overview of their technology deep in their website here. They also have an abbreviated user manual that is used by most, but there is also this "complete" manual that goes into great detail.

    edited to add full manual link.
     
    Last edited: Oct 12, 2012
  11. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    507
    i use last pass,its excellent and if you want to use it on other devices than a pc then $1 a month.
     
  12. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    yes lastpass is just too damn convenient to be without.I browse to a site that requires a password and im in within seconds and no typing or anything its marvellous.:thumb:

    Although i dont understand this paranoia concerning using it.
    It depends what you have on your computer and what the passwords are for.
    Obviously if financial data is involved then yes it would be a worry but i never have confidential data on my computer anyway.:thumb:
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I tried a PWM once. But it's pointless. I have a good memory, have no trouble with that, and can type fast. So I don't have to trust any product with my passwords.

    Even if I had a shiite memory, I don't think I'd do that. Pen & paper, tucked inside a random book on the shelf. And you just remember that book, and 1 number (the page number).
     
  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Browsers are hammered at all the time. Even if they are safe today, you can't be sure they would be that way tomorrow. I feel better using something solely designed for the encryption and storage of passwords. I used KeePass for a long time and then switched to LastPass. I like both and can recommend either of them heartily.
     
  15. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Combine them:

    Portable browser run out of a TrueCrypt container. Container has a 64 character password, split into: 32 in memory, 32 on a Yubikey...and a Key File. KeePass Portable is also in the container, opened with a Key File and the memory/Yubikey combo. LastPass "Master" is a 256bit "monster" only known to KeePass. No, I don't *need* to do it this way, but I can, and it's fun! :D

    PD
     
  16. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    43
    Update:
    I did a test with two keylogger simulators. Here are the findings:

    1. they detect entering the master password in Firefox and Opera
    2. they don't detect the saved usernames+passwords in Firefox and Opera when they're automatically entered by the browser
    3. they don't detect entering the master password in KeePass (using Secure Desktop)
    4. one of them detected a good part of the username+pass entered by KeePass (using Two-Channel Auto-Type Obfuscation)

    Bottom line, to beat keyloggers: the best solution would be to have the master password protection of KeePass (Secure Desktop) and the saved password protection from browsers.
    You can add your vote for the secure desktop feature in Firefox and Opera.

    Of course, this is just one specific scenario. Maybe different keyloggers or whatever malware could also detect the browser entering password or the secure desktop password.
     
  17. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    if its keyloggers and the like your worried about go and get zemana al antilogger, then retry your tests , and never use a tampered pc no matter what ;)
     
  18. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    I use lastpass. ;):thumb:
     
  19. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    i sure as hell wouldnt , and i sure as hell wouldnt trust any cloud based or any online based service for that matter with storing my passwords period
     
  20. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I use keepass, it is password protected with a 30 char password protected in a file encrypted with axcrypt, I am not about to put my credit card info in somebody Else's database and then the server gets hacked.
     
  21. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    this, thank you for stating the obvious , that some people might not have realised , tbh i didnt think id have to elaborate on this as its a real no brainer
     
  22. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    43
    Yeah, guys I don't want to complain too much, but most of the posts here are offtopic.
    If you want to make general recommendations or tell your "cool stories" please post in another thread. :)

    Here, I just want to discuss the functioning of password managers against keyloggers. A technical discussion more than anything else.
     
  23. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    as said zemana al and retry, ;), not much to explain ive already explained the most in my first post anyhow , but please continue
     
  24. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    LastPass database has been hacked at least 3 times and accounts stolen. Storing passwords in the browser, which is the most vulnerable application, is very brave indeed.
     
  25. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    3 times?? Can you give some links to this? The only time I remember talk about an intrusion was a year or so ago and they never verified any information was stolen.
     
Loading...
Thread Status:
Not open for further replies.