What if my Password Vault's master password was leaked?

Discussion in 'privacy technology' started by bonedriven, May 15, 2009.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I always hesitate to use a password vault because I think it is way too dangerous if my master password was leaked to someone somehow.

    It will be an All GAMES OVER! You guys don't worry about it? :doubt:
     
  2. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Well yes, I am sure everybody worries. But what are the alternatives to using a password vault?
    Using the same complex password for all services? BAD
    Using easy passwords and memorizing them? BAD
    Using complex passwords different for each service? GOOD... but quite unlikely.

    Remember that the password vault is usually a file that you can store on an (encrypted) medium and keep with you at all times.

    Just my 2c
     
  3. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Nope, I don't worry about it. If you have concerns about your master password (which isn't written down anywhere) then you need a password manager that also does something like a key file and/or Windows credentials verification in addition to the master password. I use KeePass 1.x, which doesn't have the last but can use the first two - with the key file on my USB stick.

    http://keepass.info/help/base/keys.html
     
  4. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hi Markoman,

    What about my password policy:

    I have about 3 passwords:

    a. for everyday use on regular websites.

    b. a better-made password for logging in to important mail and banks

    c. the most complex password for money transfer in banks

    I change my password every half a year or so.

    For example, my first password for b is "b1ngo"; after about half a year, I change it to "b2ngo".

    Easy to remember. 3 passwords in my head only.
     
  5. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I'm thinking about using KeePass. Good to know that they have a keyfile feature.
     
  6. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Just back up your keyfile and put it in a secure location. There's always something to worry about and another layer we need to protect what's protecting that which needs protecting. :)
     
  7. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    It is true that relying only upon a password can be risky but making the password significantly complex can reduce the risk somewhat. Use of keyfiles is also good to add another layer as Gerard Morentzy mentioned.

    The basic layers are:

    - something you know [eg. passphrase]
    - something you have [eg. keyfile or token]
    - something you are [ie. biometric stuff - retina, palm print, anus print [kidding]]

    Until biometric readers are more wide-spread, however, we make do with two layers :)
     
  8. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    OK, let's talk about keyfile.

    Where is a good place to store my keyfile? What if I stupidly lost it? :blink:

    I don't know what can be called a "same" keyfile. So I think I may create a text file and add one song's lyrics to it as a keyfile. I don't even need to store the keyfile on my computer. When I want to use the keyfile, I can make one at once. Does it accept it as the same keyfile? Isn't it a good idea?
     
  9. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    The risk is that if you lose your keyfile then you also lose access to the data. As a result, you should make a couple of backups of the keyfile on USB flash drives [they're so cheap] and then keep them in physically separate locations.

    Using song lyrics is OK as long as no-one knows that's what the content of the keyfile is. TrueCrypt has a keyfile generator built into it. I'd suggest using that instead.
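
Added example, not part of the original posts: a sketch of why a retyped lyrics file is often not the "same" keyfile, and of the generate-and-verify-backups approach suggested above. It assumes the vault derives key material from the keyfile's exact bytes (SHA-256 is used as the stand-in); all function names and the sample text are constructed for illustration.

```python
import hashlib
import secrets


def keyfile_digest(data: bytes) -> str:
    """Assumed model: the vault hashes the keyfile's raw bytes (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def retyped_variants(text: str) -> dict:
    """Byte forms the 'same' text can take when retyped in different editors."""
    lf = text.replace("\r\n", "\n")
    return {
        "utf8_lf": lf.encode("utf-8"),
        "utf8_crlf": lf.replace("\n", "\r\n").encode("utf-8"),
        "utf8_lf_trailing_newline": (lf + "\n").encode("utf-8"),
        "utf8_bom_lf": b"\xef\xbb\xbf" + lf.encode("utf-8"),
        "utf16": lf.encode("utf-16"),
    }


def distinct_keys(text: str) -> int:
    """Number of different keys produced by visually identical text."""
    return len({keyfile_digest(raw) for raw in retyped_variants(text).values()})


def new_random_keyfile(n_bytes: int = 32) -> bytes:
    """Random keyfile content from the OS CSPRNG; unguessable, unlike lyrics."""
    return secrets.token_bytes(n_bytes)


def backups_match(original: bytes, copies: list) -> list:
    """Compare each backup copy to the original by digest before relying on it."""
    want = keyfile_digest(original)
    return [keyfile_digest(copy) == want for copy in copies]


# Constructed sample text standing in for "song lyrics".
SAMPLE_TEXT = "first line of a made-up verse\nsecond line of a made-up verse"

if __name__ == "__main__":
    for name, raw in retyped_variants(SAMPLE_TEXT).items():
        print(f"{name:26} {keyfile_digest(raw)[:16]}")
    print("distinct keys from one text:", distinct_keys(SAMPLE_TEXT))

    key = new_random_keyfile()
    damaged = key[:-1] + bytes([key[-1] ^ 1])  # simulate one flipped bit on a bad USB copy
    print("backups ok:", backups_match(key, [key, damaged]))
```

A line-ending change, a trailing newline or an editor-added byte-order mark each yields a different key, so a keyfile recreated from memory only works if it is byte-for-byte identical.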
     
  10. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Sometime when you know you're going to be out of town, be sure you have your keyfile with you, stop in at a Marriott Hotel with their free business centers, create a Gmail account that you'll never touch again except in an emergency (keyfile is lost/destroyed). Upload your keyfile as an attachment and put it in drafts. Be sure you remember the login details, don't write it down anywhere and NEVER access it from home, from your machine, etc. It will always be there, in the cloud, not connected to you in any way - just in case.
     
    Last edited: May 22, 2009