KeePass desktop/blackberry

Discussion in 'privacy technology' started by Fontaine, Aug 31, 2008.

Thread Status:
Not open for further replies.
  1. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    I've been using eWallet to store passwords for a few years. I used to have a Windows Mobile OS on my phone and it synced up very well. I switched to a BlackBerry a few months ago, and cannot wait any longer for the eWallet BlackBerry software to come out.
    I always knew about KeePass but just found out they have a BlackBerry plugin to keep the desktop/phone synced up. It's free, so I'll try it, but does anyone have experience with it? Anything to be aware of?

    In general, what other password storage software do you all use?
    I've always found it difficult to have totally random passwords such as: kJdiu*4:cool:$kP.
    Even with a password manager, it's a pain to type it in all the time. I guess software such as Roboform auto-populates the browser, but I'm not sure I'd use a feature like that.

    edit: for additional question below.
    The KeePass site says:
    # SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.
    # In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
    # Protection against dictionary and guessing attacks: by transforming the final master key very often, dictionary and guessing attacks can be made harder.

    Can anyone explain hash to me? I've tried to read about it, but cryptography topics throw me off a bit. And I'm particularly interested in the final comment above regarding the dictionary attacks being almost a non-threat. Any comments about that?
    Thanks!
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I use RoboForm and RoboForm2Go. Every webpage has its own password (like: KwCk&`BSJ*^9udNp/)vftD on every page). I store all other sensitive info there too (safe notes).
    No keylogger can afaik catch them and it is a breeze to use it. I would find it hard to browse without it. RoboForm doesn't auto-populate the password fields; you have to click a button for it to enter the username and pw.

    But I understand Firefox has extensions that can remember complicated passwords, you just use one master password...
     
  3. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    I'll give Roboform a second look right now. May as well since I'm shopping around.

    As an aside question, when encryption is, say, AES 256, does achieving the 256 depend on the makeup/length of the password? So if I use the password "dog" then I'm only getting a few bits? Or is the 256 representative of something different? Anyone know?
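
Added example (not part of any post in this thread, and not KeePass's own code) for the two questions above: what the SHA-256 step does, and whether the "256" depends on the password. It assumes iterated SHA-256 as a stand-in for the key transformation the KeePass site mentions; the function names, the round count and the sample figures are constructed for illustration.

```python
import hashlib
import math
import os


def master_key(password: str) -> bytes:
    """SHA-256 of the master password: 32 bytes (256 bits) for any input."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def transform_key(key: bytes, seed: bytes, rounds: int) -> bytes:
    """Assumed stand-in for 'transforming the key very often':
    re-hash seed + key `rounds` times, so every guess costs that much work."""
    for _ in range(rounds):
        key = hashlib.sha256(seed + key).digest()
    return key


def password_bits(length: int, alphabet: int) -> float:
    """Entropy in bits of a password chosen uniformly at random.
    A dictionary word such as 'dog' is weaker than this upper bound."""
    return length * math.log2(alphabet)


def effective_bits(length: int, alphabet: int, rounds: int) -> float:
    """Guessing cost as log2(hash operations), capped at the 256-bit key size."""
    return min(256.0, password_bits(length, alphabet) + math.log2(rounds + 1))


if __name__ == "__main__":
    seed = os.urandom(32)   # random per-database value (assumption)
    rounds = 6000           # illustrative round count (assumption)
    samples = [             # constructed sample inputs
        ("dog", 3, 26),                    # 3 lowercase letters
        ("q7#Vz!2mPd@x9Lr&e", 17, 94),     # 17 printable ASCII characters
    ]
    for pw, length, alphabet in samples:
        key = transform_key(master_key(pw), seed, rounds)
        print(f"{pw!r}: key is {len(key) * 8} bits, "
              f"password is at most {password_bits(length, alphabet):.1f} bits, "
              f"guessing cost about 2^{effective_bits(length, alphabet, rounds):.1f}")
```

The cipher key is 256 bits long in both cases; what differs is how many candidate passwords have to be tried, and the repeated transformation only multiplies the cost of each try by the round count.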
     
  4. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    I use KeePass. Have for years.

    It has an AutoType, as well as Clipboard features. AutoTypes can be intercepted by software keyloggers, but there is a limit of how high you can hook into the OS to do things. I'd have to have more information (and more skill in this dept as a whole) to tell you if RoboForm really can defeat loggers. Actually, there is a program available that has the code used by a significant portion of keyloggers (multiple ways of hooking and catching keystrokes) and you can run it and try whatever program you want. It will tell you what it was able to catch.

    Never used the blackberry addon though, but I love KeePass.
     
  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Maybe there are key loggers or clipboard loggers that can catch the passwords from RoboForm, but I just did a test with a keyboard and clipboard logger and they did not notice anything when I logged into different sites. So I guess it isn't the easiest task to catch RoboForm (or other pw software that pastes the pws from an encrypted file).
     
  6. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    I've seen this one mentioned in the past, and based on the content of the site, looks to be fairly conscious of security.

    It allows you to test your application against 7 known keystroke theft methods. If an application can pass all 7, I'll be impressed.

    Whoops, a URL helps: http://firewallleaktester.com/aklt.htm
     
  7. Z32

    Z32 Registered Member

    Joined:
    Jul 20, 2008
    Posts:
    49

    Used it to test Keyscrambler & RoboForm...didn't catch a thing of use to a keylogger :) . Very happy!
     
  8. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    The way you say that it did catch something... What did it catch?
     