Keepass - a further leap ahead with OptionLock

Discussion in 'privacy technology' started by discs, Aug 7, 2012.

Thread Status:
Not open for further replies.
  1. discs

    discs Registered Member

    Joined:
    May 17, 2011
    Posts:
    41
    Location:
    UK
    Hi,

    Rather than updating many parts of the older thread on Keepass and OptionLock I posted a couple of days ago:

    https://www.wilderssecurity.com/showthread.php?t=329627

    I thought I would take this opportunity to post a new update thread with a proper heading (title) - which corrects my failure to highlight the subject of the thread, 'OptionLock'!

    The developer of OptionLock has now made the plugin available on GitHub, where users can download the source code and the PLGX plugin without an account (no need to log in to GitHub).

    https://github.com/TLHobbes/OptionLock - go to bottom of page for download link
    https://github.com/downloads/TLHobbes/OptionLock/OptionLock.plgx - direct download

    OptionLock is a plugin for Keepass, and the developer posts on the Keepass forums (which is where I found out about the plugin); so, if you need more information, or want to comment directly then go to: http://sourceforge.net/projects/keepass/forums/forum/329220/topic/5495354.
     
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Installed, thanks.

    PD
     
  3. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Thanks Discs,

    Best regards,
     
  4. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    This should be interesting. I was a longtime LastPass believer, though perhaps I should follow suit, as have a lot of Wilders members. Apparently KeePass is the no. 1 pass manager, not to mention the database being on your PC instead of some unknown server, AES encrypted or not. I like it.
     
  5. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I use both in conjunction. KP for anything that isn't a website (including LP's Master Pass, which I don't know and is 260 bits long), and LP for websites. LP is just too darn convenient/easy to use without jumping through hoops, for websites.

    PD
     
  6. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Nice plugin. :thumb:

    Thanks discs.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I don't understand. If this is such a big deal, why doesn't Dominik Reichl rewrite his program?
    Maybe you can help me with that. :)
     
  8. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I'd argue password length for most users doesn't matter when the answers to all their account "security questions" are posted on public Facebook pages. :D
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Very very true. I can't believe some websites use a security question.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    As I noted to a fellow member yesterday, my security question answers always have absolutely nothing to do with the question.
    I either treat them like a 2nd password, or I run several words together that are unrelated to the question.
    Coupled with the fact that I have no FB account, I'd have to say that the answers to all my account security questions are a little more difficult to ascertain. :cool:
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Interesting idea to not provide literal answers to security questions. However that defeats the purpose of a security question which is to provide an alternative to remembering passwords. You can use a password manager to keep track of the "non-answers" to the questions, but as a methodology for average users it really needs to be thrown out. Since pretty much everyone has a cell phone web operators should push hard to get everyone into two-factor (SMS) authentication. That provides some significant protection along with the password (the name of your cat :) )
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I'm not sharing a method that I purport to be ideal for the masses.
    Nevertheless, I wouldn't be so quick to dismiss it, Victek123.
    I've shared the idea with more than a few people who all find it to be useful and simple to remember.
     
  13. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    What does this Plugin do? :D
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    I can see how it's an effective way of dealing with the weakness of the method and I'm sorry it came across as a critique. I was speaking more generally about the plight of the average user. Password management among the vast majority is truly horrible and I don't see this trick with security questions as being viable for them. They can't remember the answers to security questions and password hints when they're meant to be literal, so if the questions were answered in an abstract way they would be unanswerable down the road. People just can't manage their information. I suggested cell phone based two-factor authentication because all it requires is having the phone at hand, which is generally the case.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Uhm, can we NOT encourage them to push people into handing over cell phone numbers? Many like to keep that private and only give it out to friends/family. Many don't want it falling into the hands of companies in general. Some don't want to have text messaging enabled. Some don't want web companies in general being able to acquire their name and address from that phone number.
     
  16. Snowden

    Snowden Registered Member

    Joined:
    May 2, 2012
    Posts:
    68
    I can't remember the last time I used an actual answer to a security question. I tend to store them in an encrypted file

    Web Site -> Question -> Answer

    What *really* makes me mad is when they limit the characters to something ungodly small

    I'm hesitant to use any type of plugin that is the master db for all of my passwords although this plugin sounds great....
     
  17. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    There are throw away virtual phone number services on the internet, just as you would use a bogus account for just one service online.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Well, "push" wasn't the best word - how about "educate"? If average users understood the benefit of two-factor authentication (TFA) and the convenience of using cell phone/SMS they might prefer it over writing their passwords on sticky notes or simply forgetting them, and/or having their accounts hacked. I agree that whenever you share personal information there are privacy considerations. I don't share my cell phone number widely, however sites on which I do financial transactions, such as my bank, already have the number (and my name and address) as a necessary component of identity validation, so using the phone for TFA doesn't incur an additional privacy concern. Those folks who don't have cell phones or don't enable text messaging obviously can't use this option, but many people already do, which is why it would be easy to adopt.
     
  19. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    You must be joking.
    Maybe you can consider KeeFox a leap... but this?

    Get a grip.
     
  20. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Thanks for pointing that out.

    Educating people and giving them options sounds good to me :)
     
  21. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    Will they accept incoming text messages and reroute them to you? That's what would be needed in this case.
     
  22. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Wouldn't the user (possibly) have to respond to the text message with some kind of authorization code (as a confirmation and protection against a scenario involving a lost/stolen phone)? IOW, might not the user also want some outgoing text messages anonymously routed through the "alias service" too?

    FWIW, any time I've run into the automated "requires confirmation by phone" scenario there was an option to do it via voice prompting and pick which number on record to use (cell or non-cell).
     
  23. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    In Google's case you apparently only need the one message. The idea is that it's highly unlikely anyone would have both the user's password AND the phone. But, I wouldn't be surprised if some people write down the password in a place where it could be stolen along with the phone, or even store it openly on the phone itself.

    Not having used it myself, I hadn't thought about the voice option.
     
  24. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    No they would not, the ones I've played with, SMS and a small voice audio file used for authentication, say with Google, would be routed to an email inbox.
     
  25. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    Interesting, is there any free virtual phone number service?
     