Secure Master Password entry

Discussion in 'privacy technology' started by jamon, Mar 13, 2010.

Thread Status:
Not open for further replies.
  1. jamon

    jamon Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    1
    Greetings! As recommended, I did search first. I must say, though, after following the threads that turned up, there’s some real easily-irritated people posting on this forum at times. I’m almost afraid to ask a simple question that I haven’t been able (so far) to find an answer to.

    Many of the password managers (I refer to the most popular freeware hits turned up) offer features that, I think, are supposed to enhance security further, such as integrated virtual keyboards and the option to drag and drop user names and passwords to their appropriate fields. If I understand the user’s guides supplied, this is, aside from convenience, to foil key-loggers.

    Sooo, my question is: what safeguards are provided for keying in the master password (beyond using a good, secure password)? This would seem to me to be the biggest vulnerability as far as key-loggers are concerned. Interestingly (I hope), is my inability to get any of these password managers to allow me to drag the master password to its field from an otherwise-helpful app called “neo safekeys”, a standalone virtual keyboard that provides a few “trick” features to foil key-loggers. Any ideas on how I might do this or if it’s even necessary at all would be appreciated.
     
  2. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Hi Jamon and welcome to Wilders.

    I think the vulnerability of your master password is really not as big a threat if you think it through. At least not from an online perspective. There's not much one could do with a master password without access to the database, which they won't have.

    After looking at your post again, maybe you're talking about local security? As in people in the family, etc? That's a problem, IF they have access to your database to type the master password into. Maybe one idea is to keep your password program on a USB drive and keep it with you on your keychain or similar. So that even if they had your master password, it wouldn't do them any good.

    Good question though and probably one a lot of people grapple with.
     
  3. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    The simplest foil to this is to use a password manager that supports keyfiles. I'm a fan of KeePass. You can use v1.x or v2.x (Still use 1.x myself, it is still actively developed) and use both a password and a keyfile. Keep the keyfile on a USB key with you or hidden. If anyone does manage to get ahold of your password with a logger, it will be useless without the keyfile. If someone gets the keyfile it's useless without the password. If someone gets both, you're sunk, but security is a cat and mouse game. No form of security is absolute (Except for a 6 ft thick steel reinforced wall on all six sides of whatever you want to secure. No doors, no windows.... And then it's only as secure as it will take to jackhammer it.)

    Additionally, if you're that worried about someone getting your passwords (or that someone is after them) create two databases. One for day to day use, passwords you need daily or that are of 'low' security, such as forums, news sites, games, and a second database for high security, such as banking information, etc. That way, you are likely to only reveal your high security master password a fraction of the time that you reveal the low. Most likely you don't bank daily, or even weekly, so if someone does compromise you, depending on how long they are monitoring you, it's possible they might 'give up' after so long, or not think that your password is your password if they only see it once in a week, as opposed to your 'low' password which may appear as often in a log once every couple hours.
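
Added example, not part of the post above and not KeePass's own code: a simplified model of unlocking a database with a password plus a keyfile, showing that a key-logged password alone (or a stolen keyfile alone) does not reproduce the database key. The function names, the PBKDF2 parameters and the stored verifier are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration


def composite_key(password: str, keyfile_bytes: bytes, salt: bytes) -> bytes:
    """Derive one database key that depends on BOTH factors."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    kf_hash = hashlib.sha256(keyfile_bytes).digest()
    # Hash each factor on its own first, then combine the fixed-size
    # digests, so bytes cannot be shifted from one factor to the other.
    combined = hashlib.sha256(pw_hash + kf_hash).digest()
    return hashlib.pbkdf2_hmac("sha256", combined, salt, ITERATIONS)


def unlocks(candidate_key: bytes, stored_check: bytes) -> bool:
    """Constant-time comparison against a verifier kept with the database."""
    digest = hashlib.sha256(candidate_key).digest()
    return hmac.compare_digest(digest, stored_check)


def demo() -> dict:
    salt = os.urandom(16)                       # stored with the database
    keyfile = os.urandom(32)                    # constructed keyfile (the USB stick)
    password = "correct horse battery staple"   # constructed sample password
    check = hashlib.sha256(composite_key(password, keyfile, salt)).digest()
    return {
        # The owner has both factors.
        "owner": unlocks(composite_key(password, keyfile, salt), check),
        # A key-logger captured the password; the keyfile stayed on the USB stick.
        "logged_password_only": unlocks(composite_key(password, b"", salt), check),
        # The USB stick was taken, but the password was never typed.
        "stolen_keyfile_only": unlocks(composite_key("", keyfile, salt), check),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'unlocked' if ok else 'rejected'}")
```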
     
  4. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I agree with LockBox. IMO, it's not a great risk as long as the master PW is not the same as any other password in the database.

    But if it's a physical thing, then that always presents additional challenges. If this is truly an issue, then you need to have better control of the PC. Don't give others admin privileges (which limits their ability to install keyloggers.) If it's not your PC (or you can't limit privileges), then you need to figure out the best way to limit access to the PW database. (Personally, I use the flash drive idea that LockBox mentioned.)

    I'm sorry that the posts from some here may have intimidated you. EVERYONE here at one time or another was a newbie or had little experience in all of this. So don't hold back from posting. We're glad to help! :)
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA