Security question on just typing passwords

Discussion in 'other security issues & news' started by phkhgh, Sep 3, 2008.

Thread Status:
Not open for further replies.
  1. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    166
    NET BANKING NET BANKING NET BANKING!!! ;)

    Assuming no malware is on my PC, is info like user IDs or PWs when logging into a bank acct, etc., stored anywhere else, temporarily or permanently?

    Don't store any important user IDs or PWs on my PC, even in something like Pass Word Safe. Also clear cache & overwrite paging file (XP home, SP3) when shut down.

    Using Firefox 3. Don't have "remember what I enter in forms & search bar" checked, but usually delete / erase that file periodically.

    Are there other steps / prgms that will make typing important passwords or info even safer?

    Thanks.
     
    Last edited: Sep 3, 2008
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,741
    Location:
    New York City
    Keyscrambler. It will provide protection even if you are infected with some keyloggers.
     
  3. phkhgh

    phkhgh Registered Member

    Thanks Thankful.

    I stumbled across Key Scrambler after posting this.
    It "supposedly" keeps keyloggers / java script from capturing keystrokes. Can't attest to its overall effectiveness or reliability. Some gave good reviews - some not. As always, a lot of probs w/ software comes from "operator error." I'm sure there are other such prgms - free or not. If any ideas on good ones, let me know.

    I've used Pass Word Safe for some time. No complaint about its function, but don't know about its true security. Don't know if once you open a databank, & either c & p, or it auto types ID / PW, if the PW is still encrypted (mainly in RAM or clipboard). It's been around a good while, but I find few specifics on details like this.

    KeePass is another PW manager I only read about today. Developer says "PWs are still encrypted while it's running, or even if Windows caches the process to disk." Seems to have some safety features PWS doesn't, but really don't have full documentation on either. Maybe others have fully investigated?

    Maybe a combo of a more secure PW mgr & some key scrambling type util might offer more relative safety than one alone o_O
     
  4. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I use a couple of different solutions. On my personal laptop I use a fingerprint scanner to help enter personal details safely. Any key/screen logger is useless as no keys are pushed and no personal details are revealed on screen.

    On my other system I use a combination of keyscrambler and hashpass to help keep my personal details safe.
     
  5. phkhgh

    phkhgh Registered Member

    Obviously, if I wanted a lot of input, I should have made the subject, "What do I need to do to ensure password safety for Net Banking."

    Of course, that's exactly what my question was about, but not much response. But thanks to those who did.
     
  6. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I have heard some horror stories about those, where criminals cut off people's fingers.
     
  7. truthseeker

    truthseeker Former Poster

    Use Linux for Netbanking, eg. Ubuntu liveCD. It's free!

    Then you will never have to worry about spyware, keyloggers, virus, trojans, rootkits etc.

    I use Ubuntu whenever I access my Bank and CC websites. I would never use Windows for such tasks.
     
  8. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Even the Free version?
     
  9. Thankful

    Thankful Savings Monitor

  10. Stijnson

    Stijnson Registered Member

    The Free version doesn't seem to work properly on my banking site.
    I guess only the Paid versions would offer protection there.
     
  11. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Well if they have physical access to you and are ready to cut off your finger, what is stopping them putting a gun to your head and asking for your password?
     
  12. Thankful

    Thankful Savings Monitor

    I use the free version for banking.
    Send them an email, support[at]qfxsoftware[dot]com
    Their support is excellent and friendly.
     
  13. phkhgh

    phkhgh Registered Member

    Thanks all for input!
    "Never" is a long time. Why "never?"

    Don't know much about Ubuntu, but like idea of using Linux on liveCD. How complicated is it to get up & running? Which browser(s) will run on it?

    (side note: not so worried about having my finger cut off)

    Thanks Stijnson,
    Read what I could find on key scrambler. Some complained it didn't stop some keyloggers. Others said very effective (assume talking about free ver).

    Have you seen real testing results from reputable sources that know what they're doing? (operator error / not reading documentation is often reason for complaints).

    Someone (including me) that's used prgm 'X' & never had a security breach could be because they've never been attacked, not because of prgm 'X's' effectiveness.

    Stijnson,
    It may not work on your bank, but may just need some configuration. Don't give up so quickly. Security w/ financial sites is serious & merits a good deal of reading & time to get it right (includes me).

    For certain things, I've called the bank's web tech dept to get help. Often, the problems are simple to fix, once u have the right info.

    STILL INTERESTED in security differences in Pass Word Safe & KeePass, if anyone's knowledgeable on both.
     
  14. Stijnson

    Stijnson Registered Member

    I'll do that, thanks. :thumb:
     
  15. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
  16. phkhgh

    phkhgh Registered Member

    Thanks Creer. Good work!

    Not criticizing (I haven't done ANY testing w/ keyloggers), but there are so many keyloggers. KeePass might be effective against some but not others o_O

    I read some "amateur" reviews on their tests of Key Scrambler against various keyloggers. One tester might say it passed against all they tested; another would say it failed against XYZ. Very confusing. Guess the effectiveness of any tool depends on knowledge & skill of the user.
     
  17. Creer

    Creer Registered Member

    Thanks.

    I don't use KeyScrambler because only the paid version works with Opera.
    My current security configuration for the login process to e-services contains KeePass v2.05 Alpha and Online Armor with HIPS and "Banking Mode", which allows entering only those sites which I configured earlier as "Protected", so any other connections to the Internet are blocked when I am in this mode.

    Here you can find my recent poll on this subject :cool:
    https://www.wilderssecurity.com/showthread.php?t=219533
     
  18. phkhgh

    phkhgh Registered Member

    Just did a *little* testing on Pass Word Safe - latest ver 3.14 (avail from SourceForge). Only tested to see if it keeps the PW encrypted when use the "copy PW to clipboard option." It doesn't. But, if configured, it does clear the PW from clipboard as soon as PWS is minimized or closed. However, if a "clipboard monitor" was on your machine, it would only take a fraction of a sec to capture the data.

    W/O a keylogger to test, I've no idea if PWs remain encrypted when PWS auto types into login page. I doubt it.

    For KeePass 1.x (guess 2.x a?) says "it has protection against clipboard monitors (other apps won't get notifications clipboard content has changed)." I can't confirm if PWS 3.14 has same protection.

    My guess is for all these that can auto type PW / user ID into forms, it has to be in clear text, or the site wouldn't be able to read the data. That's where a key scrambler comes in, I guess. (I'm NO guru in this area. If completely wrong, someone please correct me).
     
  19. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Get Ubuntu LiveCD and simply boot from the CD. It contains Firefox etc, everything you need to do your netbanking.

    Simply login to your bank, type the information. Very safe, because the CD is not infected with anything.

    Seeing you are booting the CD, there is nothing resident in RAM, no keyloggers etc active as you login to your bank.

    Using the LiveCD Ubuntu is probably the safest and most secure way to do netbanking. :thumb:

    http://www.ubuntu.com/getubuntu/downloadmirrors

    If you have any questions, go to #ubuntu on irc.freenode.net
     
  20. Creer

    Creer Registered Member

    On KeePass site in FAQ we can find info:

    But in my case, KeePass v.2.05 Alpha with default set options (even unchecked TCATO) passes the KeyLogger test... strange o_O
     
  21. phkhgh

    phkhgh Registered Member

    Thanks Creer & truthseeker,

    I understand the CD (if new) isn't infected, but once you boot the CD, what runs the prgms? I'm no guru, but believe it'd be in RAM. That's not to say the liveCD isn't a good idea.

    Creer:
    I'm testing KeePass 2.05 a, & find it very erratic on auto typing. With or w/o TCATB checked, even on same site, 1 time it DOES type PW correctly, another 3 - 4 times, type it incorrectly or not at all - just types ID & nothing in PW field. These sites definitely work w/ Pass Word Safe's auto typing.
     
  22. Creer

    Creer Registered Member

    phkhgh: really strange, I never noticed that in my KP. My KP Alpha so far works very well. Maybe the main reason is this: when you enter the website and want to log in, before pressing the key combination (which fills the username and password form), did you left-click your mouse on the first empty form field? i.e. Login:
    And after that press the key combination.

    Maybe it will help you.
     
  23. phkhgh

    phkhgh Registered Member

    Creer:
    Never used KP before now, so don't know what's "normal" behavior for it.

    When login page is loaded, & KP is open, if hi lite the KP entry 1st, then click on the page's 1st login field (usu user ID), the KP hi lited entry "dims." If I 1st click the login form, then select the KP entry, it "deletes" the cursor from the login box. This is pretty much w/ every site I tried. Some it logs into, some not.

    In either of above cases, using CNTRL + V or R-clicking KP entry, then "Perform Auto Type" still starts the auto type process, but often it only types the user ID, but either doesn't type a PW (nothing shows in box) or types it incorrectly (apparently). This is w/ or w/o TCATB checked. If copy/paste PW from KP, works fine.

    Does the behavior about dimming / deleting cursor occur in your installation of KP?
     
  24. Creer

    Creer Registered Member

    My KeePass works for me in the background, so when I'm on the login page, first I click on the empty username or user ID field on the site, and then I only press the key combination which starts Auto-Type mode and automatically fills in the username/user ID and password.
    In every entry in your KP db you can choose the method of filling forms on pages. Right-click on the entry with passwords, then select the Auto-Type tab; here you will find 2 options. I think the second, which is a shadowed form with "{USERNAME}{TAB}{PASSWORD}{ENTER}", is the standard form-fill rule for KP. If you click this you can edit the rule and fit it to your preferences for every page.

    I'm not sure, I'm not a KeePass guru ;-)

    No.
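
Added example (not part of any post in this thread, and not KeePass's own code): a minimal Python model of the `{USERNAME}{TAB}{PASSWORD}{ENTER}` auto-type rule quoted in the post above, showing that the expanded sequence reaches the login form as clear-text keystrokes, as guessed earlier in the thread. `two_channel_split` is a simplified, hypothetical model of the two-channel idea behind the TCATO option, run on a constructed sample entry; how KeePass actually interleaves the two channels is not reproduced.

```python
import random
import re

# Constructed sample entry for illustration; not a real credential.
ENTRY = {"USERNAME": "alice", "PASSWORD": "s3cr3t-Pw"}
SPECIAL_KEYS = {"TAB", "ENTER"}  # only the special keys used in the thread
TOKEN = re.compile(r"\{([A-Z]+)\}|([^{}]+)")


def expand(sequence, entry):
    """Turn an auto-type sequence into a list of (kind, value) events."""
    events, pos = [], 0
    for m in TOKEN.finditer(sequence):
        if m.start() != pos:  # a gap means an unbalanced or odd brace
            raise ValueError(f"malformed sequence at offset {pos}")
        pos = m.end()
        name, literal = m.groups()
        if literal is not None:
            events.append(("text", literal))
        elif name in SPECIAL_KEYS:
            events.append(("key", name))
        elif name in entry:
            events.append(("text", entry[name]))
        else:
            raise ValueError(f"unknown placeholder {{{name}}}")
    if pos != len(sequence):
        raise ValueError(f"malformed sequence at offset {pos}")
    return events


def keystroke_view(events):
    """What anything observing the simulated keystrokes would record."""
    return "".join(v if k == "text" else f"<{v}>" for k, v in events)


def two_channel_split(secret, rng):
    """Simplified model: every character travels on exactly one channel."""
    mask = [rng.random() < 0.5 for _ in secret]
    clip = "".join(c for c, m in zip(secret, mask) if m)      # clipboard part
    keys = "".join(c for c, m in zip(secret, mask) if not m)  # typed part
    return mask, clip, keys


def recombine(mask, clip, keys):
    """The target field still ends up holding the full clear-text secret."""
    c, k = iter(clip), iter(keys)
    return "".join(next(c) if m else next(k) for m in mask)
```

With the split enabled, a keystroke-only observer records just the `keys` part and a clipboard-only observer just the `clip` part, but the login form itself always receives the whole password in clear text.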
     
  25. phkhgh

    phkhgh Registered Member

    Checked MD5 hash when d/l KeePass, but may need to d/l again & reinstall.

    Checked about 5 sites. On this one, the ctrl + alt + A works, but not ctrl + V or R-clicking the KP entry, then "Perform auto type." On other sites w/ exact same login fields setup (visually, anyway), the ctrl + alt + A does nothing at all. Using the other auto type methods (on most sites I've tried) types ID correctly, but get msg "have entered incorrect PW."

    One or 2 sites worked w/ ctrl + V. I don't think it's how my data is set up in KP, or what method I'm using to login, or even the site(s). I think it's either bad installation, instability or conflicts w/ something on my system. Even disabled (shut down) KIS to try it.

    Thanks for help. I'll reinstall it & see.
     