Password storage device?

Discussion in 'hardware' started by dorn2, May 5, 2011.

Thread Status:
Not open for further replies.
  1. dorn2

    dorn2 Registered Member

    Joined:
    May 5, 2011
    Posts:
    7
    With the recent hack of PSN/SoE I've decided to switch to per-site unique passwords. I was already doing this for important stuff but trying to do it in my head for all of them is going to be a bit much.

    I'm very good about not catching viruses or key loggers or what not. Even still though I don't really want to trust any password software on a computer that could at some point be compromised.

    So I've been looking for an external solution that's a bit more secure. I haven't been able to find anything at all though so I'm a bit stumped. If anyone knows of such hardware it'd be a big help.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Password software on the computer can be encrypted very securely.
     
  3. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Here's a little extract from one of my canned texts:

    Use strong passwords, preferably 8 characters or more, consisting of upper and lower case letters, numbers, and special characters (! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~). Do not use family names, pet names, birthdays, anniversaries, addresses or other easy to guess passwords. Do not write your passwords down on a notepad or a sticky note. Use a password manager to store your passwords such as LastPass, Password Safe, KeePass Password Safe, or RoboForm. For PDA users, I highly recommend SplashID which includes SplashID Desktop, an excellent Windows password manager that "hotsyncs" your encrypted passwords with your PDA.
     
  4. dorn2

    dorn2 Registered Member

    Joined:
    May 5, 2011
    Posts:
    7
    I guess I've never understood this. What good is the encryption when someone who has a key logger on your system is going to catch the master password?

    It seems about the same as storing passwords in plain text on your hard drive to me.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    What good is an external solution if you have a keylogger on the computer?
    There is plenty of protection against keyloggers, all available on this forum if you browse more.

    You are sadly mistaken if secure encryption (AES, Twofish, Serpent, etc.) means plain text to you.
     
  6. dorn2

    dorn2 Registered Member

    Joined:
    May 5, 2011
    Posts:
    7
    Not much if it's a shoddy external solution. If it has something fancy like https support then it'd do a great deal. Or perhaps a hard coded proxy server which intercepts the login etc etc.

    Either way it doesn't really matter. I'm already fully aware of stuff like keepass in the first place. The only information I'm asking for is about hardware specifically. I want to know what's out there even if it sucks.

    BTW nice word twisting there trying to imply "about the same" is anything like logical equivalence.
     
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    That's a peculiar question. What good is a lock on the door if YOU leave the door open? If you have a keylogger on your system YOU failed to keep the door closed and locked. Infections are always due to human failure. The best security in the world is useless if the weakest link, the human, fails on their end.

    I really don't see a need for drive encryption - except perhaps on a notebook. Notebooks grow feet - a lot. Notebooks are left behind and lost. In those cases, having an encrypted drive will prevent a badguy from pulling the hard drive and installing it in another machine or enclosure and accessing the data files.
     
  8. dorn2

    dorn2 Registered Member

    Joined:
    May 5, 2011
    Posts:
    7
    I am just a programmer not a security expert. I have never had a keylogger/virus/trojan/etc since I got my first 386 and started bbsing near to a couple decades ago. I'm not going to plan on being so smart that I can avoid such forever though. Not to mention I must run Windows on this computer so I have a guaranteed weak link in the first place.

    I have to be clear I wouldn't even remotely consider putting plain text pw's on a hard drive. Just the browser exploits I've seen over the years would make me shudder to do that.


    Frankly I'm really surprised at the hostility to my implication that software is not really the best solution. Any security expert I've talked to would shudder at the thought of not even using a hardware token for two factor authentication. I've even seen many be disgusted at the idea of token generation via cell phone.
     
  9. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Not a fair statement. Windows (and Windows 7 in particular) is quite safe. The failure of you being infected over the last 20+ years is a good indication of that. Windows 7 itself is quite secure - but that does not mean you don't need further protection in the way of a firewall and active anti-malware solution. I use Windows Firewall and MSE. It also means you must keep your system current.

    I never got the impression you were going to use plain text for passwords. Might as well put them on a sticky note and stick it to your monitor.

    I don't detect any hostility - certainly none meant from me. Passion, maybe - but not hostility. In fact, I offered several software based solutions. As I noted, I use SplashID and love it. I just checked, and I have over 100 entries - not just for my website credentials, but bank PINs, credit cards, bank accounts and you name it. And what I really like is it syncs with my PDA so I can carry all my passwords with me.

    Nah! That may be necessary for corporate networks that allow remote access, but not home networks.

    While it is critical to remember lessons learned from the past, it is also important to note this is not the past. Windows 7 and IE9 should IN NO WAY be compared to Windows XP and IE6.

    I am!!!! It is when you let your guard down and relax your discipline that leaves you and your computer exposed. Therefore, I definitely plan on staying smart precisely so I can avoid such forever.
     
  10. dorn2

    dorn2 Registered Member

    Joined:
    May 5, 2011
    Posts:
    7
    No not from you sorry I didn't mean to imply you've been such. You've been trying to be very helpful.

    I think I misworded that statement a bit. What I meant was I'm not arrogant enough to think I can avoid such forever.

    I disagree with your statements on how far Windows UAC still has to go but that's a side topic. Personally I consider my luck for so long is mostly due to home computers not being so worthy of targeting in the past. Catching the low hanging fruit was all anyone needed for bot nets.

    Moving forward the value of stuff like WoW accounts and other assorted things makes everyone far far more of a target. And not to mention the very real fact that Windows IS getting better makes those of us who are smart much closer to those low lying fruit in fact.

    Anyways this is all sort of off topic. I'm still kind of stumped on finding info here. The only thing I've found so far is: http://www.ironkey.com/personal. I feel like portability must be a consideration for some people so there should be more "stand alone" solutions but I can't really seem to find the right googlefu.
     
  11. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Yeah, arrogance has no place here. But you can certainly be confident you will never be infected if you follow just a few very simple safe computing practices.

    1. Keep Windows updated.
    2. Use a current real-time anti-malware solution like Avira, Avast, or my preferred, MSE.
    3. Use a PC based firewall. The one in Windows, especially Windows 7 is just fine.
    4. Do not open unsolicited attachments or downloads or click on unsolicited links or popups.
    5. Do not participate in risky practices like using pirated software, visiting illegal porn or gambling sites, or illegal filesharing of copyrighted materials such as songs and videos via P2P sites and torrents.

    #1 and #5 are most important. #1 to ensure newly discovered vulnerabilities are patched on a timely basis and #5 because badguys gather and wallow in seedy locations and consequently use these places frequently to distribute their newly coded malware. This is significant because the new malware may be so new that it exploits a potentially unknown vulnerability not yet patched by Microsoft, and for which the security/anti-malware industry has yet to address in their latest definition/signature files.

    If you blunder into the center of the enemy's camp, even the best defense will fail.
     
  12. dorn2

    dorn2 Registered Member

    Joined:
    May 5, 2011
    Posts:
    7
    I have to laugh at this one a bit. You can definitely torrent most video/music formats without any realistic chance of infection via them.

    I don't really agree overall though. The biggest problem is you can barely use the web anymore with javascript turned off. I can't even switch to Chrome because it lacks Noscript. Sooner or later that is going to turn into a real epidemic.

    Then you have the real problem of trusting software. If you're smart you can filter out risky stuff but sooner or later you'll make a mistake and your AV won't catch it.
     
  13. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    You have to laugh? Hmmm. Note I said, "using pirated software, visiting illegal porn or gambling sites, or illegal filesharing".

    You can disagree all you want, but you would be wrong. Anyone even remotely involved in network, computer, or Internet security is fully aware those activities are primary sources of malware and system compromises. To suggest otherwise is a huge mistake and an indication of a lack of understanding of the threat.

    Suggesting it is okay to participate in any of those risky activities is unwise advice, and simply wrong.
    Which EXACTLY illustrates my point! Thank you. Now I suggest you heed your own warning! And note too, as I pointed out above, if you participate in those illegal activities, you risk exposing yourself (your identity anyway) and your system to zero-day exploits and other brand new malicious code that the anti-malware industry has yet to address.

    o_O I don't know who you are conversing with, but it is not me, or anyone else in this thread. I never mentioned anything even remotely related to UAC.

    Security dongles work great - when they work, or don't get lost.
     
  14. dorn2

    dorn2 Registered Member

    Joined:
    May 5, 2011
    Posts:
    7
    No that's not what you said at all. You said all of that + illegal filesharing of video and audio content.

    You are completely incorrect if you think using a torrent to obtain a video file leaves you open to attack (other than giving out your IP which 100's of things do). I would suggest you investigate how these technologies work before you think that's a danger.

    Good job being quick to label me as participating in those activities too. I simply laughed at the implication that they are dangerous. It's not literally impossible to get something from a raw data file but it's close enough and you can't avoid downloading raw data files anyways. You're simply being confused by the fact that looking for pirated software and stuff like flash files is what's dangerous. Also no a flash file is not video.

    I don't know who told you that kind of info but they were simply generalizing to give you a useful rule of thumb. Indeed for many people telling them "don't engage in illegal filesharing" is very smart because certain forms of that are extremely dangerous.

    Also please stop patronizing me (not to imply you are doing it on purpose). I'm not a security professional but I think you are confused by that statement. I have been coding since I got an Amiga 1000 at a very young age. I have degrees in computer engineering and computer science. I have full understanding how all known forms of exploits and attacks work. Certainly even people with my experience are fools who learn nothing about how they can be at risk. I am not one of them though.
     
  15. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Exactly. o_O

    I am not trying to argue - but we need to get on the same page here - and who knows? We might both learn something new.

    To start, note I specifically said, "illegal filesharing". So please, let's keep it in that context. There are perfectly legal, legitimate and secure methods to participate in legitimate filesharing via P2P sites and torrents. Companies do it all the time. But this is about "illegal filesharing".

    Here are the facts.

    • Regardless of the copyrighted material (video, audio, or published documents), if the copyrighted material is copied without the required citations, compensation, or royalties, it is illegal! It is stealing.
    • If the "media" of these stolen materials is software, as in a data "file", then it is illegal filesharing. Also known as software theft or software piracy.
    • Badguys have capitalized on the proliferation of illegal filesharing, and its often careless participants.
    • Consequently, illegal filesharing via P2P sites and torrents has become a known and widely recognized major source of malware!
    Those are the facts. Accepted common knowledge by governments, corporations, and the academia. If you are disputing those, please provide some supporting evidence/links.

    That is out of context. I did not say "using a torrent". I said, "illegal filesharing via P2P and torrents...". Big difference. Again, there are perfectly legal, legitimate and secure methods to participate in legitimate filesharing via P2P sites and torrents.

    If you follow the link in my sig, you will see we are more alike, than different. My career has been spent surrounded by hundreds of IT experts, many with credentials far more impressive than yours or mine. But most users, including those with impressive IT backgrounds, are not security experts! Security is but one part of IT, albeit a very important one. So, I was not talking down to you - my apologies if that is how it "felt". I am not good at typing in "tone" and facial expressions. I'm here to share and advise so I try to type to all readers of all skillsets, now and in the future.

    Those involved in the Consumer Security side of the PC industry know that illegal filesharing is one of the primary sources and methods of distribution of malware - for the reason I stated earlier; badguys love it!

    The Top 10 Culprits Causing Malware Infections

    How Malware Spreads - How did I get infected

    How did I get infected in the first place?

    Tony Klein's - How did I get infected

    Bottom line is this - stealing copyrighted materials (software, songs, videos, etc.) via P2P and torrents is not only illegal, but it creates the potential to expose the offender, the computer, other networked computers, and the users' contacts to zero day exploits and other malware.

    You being an IT professional automatically puts you apart from the "normal" user. Having the ability to defend against possible threats does not mean it is fine, or safe to participate in those risky practices. Nor is it right, at least in my opinion, to advise it is okay. For that reason, I say again,
    And I did not label you as anything.
     