
How do you store passwords and other confidential information ?

I’m glad things have moved away from using mother’s maiden name as recovery/backup.

I had problems years ago with this in the UK and US: for a name with an apostrophe for elision (e.g. d’Artagnan) some people wouldn’t allow the first letter to be lower case, some wouldn’t allow an apostrophe, some wouldn’t allow the second letter capitalised, etc., etc., so you have to remember which version you’ve used where, and also whether you just gave up and used a different name.

In any event, I would have thought any reasonably capable person would be able to find a mother’s maiden name without much effort (e.g. on Facebook).

EGHO-LFQF-KCLW, United Kingdom

Capitaine wrote:

I’m glad things have moved away from using mother’s maiden name as recovery/backup.

In your dreams… I had to answer such a silly question as late as yesterday.

ESKC (Uppsala/Sundbro), Sweden

it checks that the phone is unrooted

Google “Magisk root”.

I know a guy who does this for a living, supposedly for private detectives. Probably for suspicious spouses occasionally.

I don’t know what the equivalent for iOS is but obviously it exists, since the police can unlock an iPhone and get everything out of it, and if they can do it, so can any competent hacker. Then you just need to develop a root method which (like Magisk) conceals itself from specific apps.

Unless you have a secure chip with the cpu on it, this is no good.

Obviously it helps if the phone owner does not realise it is gone. And many people will give it a day or so because they may have left it at home, etc.

I had to answer such a silly question as late as yesterday.

This won’t go away anytime soon, because until everybody has a surgically implanted crypto token, a system has to be in place for dealing with lost login credentials, etc.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

What would be the correct way?

It definitely isn’t connecting it with the SIM, e.g. using SMS OTP (I’m aware of €1 million stolen from accounts in one Polish bank using fraud with SMS one-time passwords). Today’s phones’ memory is safe enough to store the keys used for generating dynamic passwords, although not tamper-proof. Hardware tokens are still the best choice, although not the most practical solution. The key is in the implementation: using data related to the transaction itself in generating the dynamic password, to avoid man-in-the-middle type attacks where the fraudster uses a legitimate dynamic password somehow phished from the user.

In the following scenario, it’s not easy to imagine how a fraudster would steal money if the user pays any attention to what he’s doing in the online banking application:
1. The user enters the transaction in web banking, and the web banking application generates a digitally signed QR code with the transaction details encoded within.
2. The user starts the mobile token application, providing a PIN which unlocks the application vault with the keys, and scans the QR code.
3. The mobile application validates the signature of the QR code, extracts the transaction details and presents them to the user. If they are consistent with what the user previously entered, he can request generating a dynamic password based on these transaction details, the user’s private key and the current timestamp.
4. The mobile application generates the dynamic password, which the user enters into the web application. The web application validates the dynamic password, vouching for its consistency with the previously entered transaction, the current time and the user’s identity.

The transport mechanism (scanning a QR code and typing in the dynamic password) can be replaced with an alternative, e.g. sending as out-of-band data via mobile internet.

LDZA LDVA, Croatia
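The four-step exchange in the post above, written out as an added Python example; this is not code from the post and not any bank’s implementation. It assumes a shared HMAC key between bank and phone for signing the QR payload, and a per-user shared secret provisioned on the phone for the dynamic password, standing in for the “user’s private key” in the post, since a short typed code cannot carry a public-key signature; an OCRA-style (RFC 6287-like) HMAC truncation binds the code to the transaction details and the time step. The keys, the transaction and the account numbers are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

STEP = 30       # seconds per time step; assumption, tune for usability
DIGITS = 8      # length of the typed dynamic password
WINDOW = 1      # accept +/- one step of clock skew between phone and bank

# Constructed demo keys; a real deployment provisions these during enrolment.
BANK_QR_KEY = b"bank-qr-signing-key-demo"
USER_TOKEN_KEY = b"user-token-secret-provisioned-on-phone"


def canonical(tx):
    """Stable byte encoding so both sides hash exactly the same transaction."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


# Step 1: the web banking server encodes the transaction and signs it.
def make_qr_payload(bank_key, tx):
    body = canonical(tx)
    sig = hmac.new(bank_key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()


# Steps 2-3: the phone checks the signature before showing anything to the user.
def parse_qr_payload(bank_key, payload):
    body_b64, sig_b64 = payload.split(".")
    body, sig = base64.b64decode(body_b64), base64.b64decode(sig_b64)
    expected = hmac.new(bank_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("QR payload not signed by the bank")
    return json.loads(body)


# Steps 3-4: OCRA-style code bound to transaction details, user key and time step.
def dynamic_password(user_key, tx, step):
    msg = canonical(tx) + struct.pack(">Q", step)
    digest = hmac.new(user_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # HOTP-style dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_dynamic_password(user_key, tx, code, now):
    """Bank side: recompute from the transaction it has on record, not from the QR."""
    step = int(now // STEP)
    return any(
        hmac.compare_digest(dynamic_password(user_key, tx, step + d), code)
        for d in range(-WINDOW, WINDOW + 1)
    )


def demo(now=None):
    now = time.time() if now is None else now
    # constructed transaction; account numbers are placeholders, not real IBANs
    tx = {"to": "HR0000000000000000000", "amount": "1250.00",
          "currency": "EUR", "ref": "invoice 4711"}

    qr = make_qr_payload(BANK_QR_KEY, tx)                 # 1. bank renders signed QR
    shown = parse_qr_payload(BANK_QR_KEY, qr)             # 2-3. phone verifies, displays
    assert shown == tx                                    # user compares with what he typed
    code = dynamic_password(USER_TOKEN_KEY, shown, int(now // STEP))   # 3-4. phone derives code
    accepted = verify_dynamic_password(USER_TOKEN_KEY, tx, code, now)  # bank checks it

    # Man-in-the-middle: attacker swaps the beneficiary after the user approved.
    tampered = dict(tx, to="HR1111111111111111111")
    replayed = verify_dynamic_password(USER_TOKEN_KEY, tampered, code, now)
    # Stale code: the same code presented long after the user generated it.
    stale = verify_dynamic_password(USER_TOKEN_KEY, tx, code, now + 10 * STEP)
    return {"accepted": accepted, "tampered_accepted": replayed, "stale_accepted": stale}
```

The bank verifies against the transaction it has on record, so a code phished from the user only authorises the exact transfer the user saw on the phone, and only within the time window; changing the beneficiary or replaying the code later fails.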

Been using password safe for some years, https://pwsafe.org/
Any thoughts on it please?

EGNS, Other

Peter wrote:

Can you give an example? Sure you can defeat it with “social engineering”.

Sorry for the late answer… it wasn’t on my radar screen.
For examples I refer you again to Schneier (one of his various newsletters on the subject). I cannot sum it up any better.

AJ
Germany

I have been using LastPass for a few years. I don’t trust it with my email password, as if the hackers get that you are screwed!

Does anybody have comments on LastPass?

United Kingdom

LastPass has a “zero knowledge” model for security, which means that your data is encrypted and decrypted locally and never leaves your computer in unencrypted form. Shared folders and “emergency access” likewise rely on key (pairs) which are stored the same way.

There are possible attacks, but they are all on your machine – for example, it does not protect against keyloggers (hence 2FA is a good idea), and malicious plugins in the browser could interfere with it. And of course in principle the LastPass plugin itself and the website could be modified to act in a different way.

The only thing that is more secure is something that has an open-source standalone application AND enough people interested in it to validate that application.

For all good password managers, it does not matter where the encrypted data is stored (“cloud”, USB stick or anything else). All plausible attacks are at the password entry stage or on the machine where the data gets de/encrypted.

Biggin Hill

From Google:

The service is built in a way that makes LastPass very, very secure. Basically, LastPass encrypts all your passwords and secure info on your computer, using a security key that only you know – your “master password.” Then it transmits the encrypted blob to LastPass online servers.

OK; that is how it should be done. If they get hacked, the hacker gets nothing.

The vulnerabilities I can think of might be:

  • their encryption may contain a back door (under law enforcement pressure, and going on past precedents with various forms of key escrow, they are not going to advertise it) or just be some crap scheme
  • you have installed a compromised LastPass executable, which sends everything to China
  • somebody has compromised your machine and replaced the executable you installed originally with a compromised one
  • a keylogger installed on your machine will grab everything anyway, especially the master pwd, and then they can get the rest
  • hackers (or trojans) look in well known places on a machine (e.g. in the old days when a browser could rummage around a PC, they went for the M$ Outlook address book) and here you are putting everything where they can find it

Bear in mind that millions of PCs are compromised and are remotely controlled, to generate spam emails. Most probably don’t have keyloggers on them. I’ve just installed a VoIP phone system and get ~2 hack attempts per second. It’s a fertile area; a friend lost £5k when his VoIP box got hacked.

Unfortunately I can’t say with 100% certainty the machine I am typing this on isn’t compromised. I am damn sure it is not a zombie (for bulk mailing) because I would know by now. But it could have been compromised by somebody really clever, who didn’t want to trash anything. I have known people who were smart enough for that…

Hence I use Chrome password storage for all the trivial stuff, and keep banking ones on paper or in my head.

Post crossed with Cobalt; we are saying the same.

Administrator
Shoreham EGKA, United Kingdom
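An added illustration of the “zero knowledge” model described in Cobalt’s post and in the Google quote above; it is not LastPass’s code and not a description of its exact scheme. The master password is stretched client-side into a vault key and a separate login hash, the vault is encrypted locally, and the server only ever stores the login hash (re-hashed with its own salt) and the opaque blob, so a dump of the server gives neither the vault contents nor a usable login. Python stdlib only, so HMAC-SHA256 in counter mode with a separate MAC key stands in for AES-GCM; the iteration count, e-mail address, passwords and vault contents are assumptions/constructed.

```python
import hashlib
import hmac
import json
import os
import struct

ITERATIONS = 100_000   # assumption; real managers pick and store this per account


# --- client side: everything sensitive happens here -------------------------
def derive_keys(master_password, email):
    """Two keys from one master password: the vault key stays on the device,
    the auth hash is the only thing the server ever learns."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def _subkey(vault_key, label):
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in for AES; the stdlib has no AES
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_vault(vault_key, entries, nonce=None):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16) if nonce is None else nonce
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered blob")
    ks = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return json.loads(bytes(c ^ k for c, k in zip(ct, ks)))


# --- server side: stores blobs it cannot read -------------------------------
class VaultServer:
    def __init__(self):
        self.accounts = {}

    def register(self, email, auth_hash, blob):
        salt = os.urandom(16)   # re-hash so a DB dump is not itself a login credential
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
        self.accounts[email] = {"salt": salt, "auth": stored, "blob": blob}

    def login(self, email, auth_hash):
        acct = self.accounts[email]
        check = hashlib.pbkdf2_hmac("sha256", auth_hash, acct["salt"], ITERATIONS)
        if not hmac.compare_digest(check, acct["auth"]):
            raise PermissionError("bad master password")
        return acct["blob"]


def demo():
    entries = {"bank": "hunter2", "mail": "correct horse battery staple"}  # constructed
    vault_key, auth_hash = derive_keys("my master passphrase", "alice@example.com")
    server = VaultServer()
    server.register("alice@example.com", auth_hash, encrypt_vault(vault_key, entries))

    # legitimate sync: log in, fetch the blob, decrypt locally
    restored = decrypt_vault(vault_key, server.login("alice@example.com", auth_hash))

    # server breach: attacker holds the full account record but no vault key
    dump = server.accounts["alice@example.com"]
    try:
        decrypt_vault(dump["auth"], dump["blob"])   # the only key-like thing on the server
        leaked = True
    except ValueError:
        leaked = False
    try:                                            # the dumped hash is not a login credential either
        server.login("alice@example.com", dump["auth"])
        login_with_dump = True
    except PermissionError:
        login_with_dump = False
    return {"restored": restored == entries, "decrypted_from_dump": leaked,
            "login_with_dump": login_with_dump}
```

What this does not cover is exactly what Cobalt and Peter list: anything on the client (a keylogger, a modified extension, a trojaned executable) sees the master password or the vault key before encryption, and no server-side design helps with that.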

You can make 2FA increase security a lot.

For example, a bank I use uses:

- a physical “calculator style” challenge/response device you put your debit card in and enter your PIN in response to a challenge
- requires SMS verification for every logon

in addition to the normal login stuff (which is unique for that account).

So for an attacker to be able to transfer money to their account, they would need to get hold of my debit card, my phone (or an SMS hack), my username (which is not used anywhere else), my password (which is not used anywhere else) and my PIN.

A “wetware” attack (social engineering) is far more likely to succeed than a technological one in this case. On top of it all I try to keep the account balance to a minimum working level so if I did lose my debit card AND someone got my PIN there’s limited damage they can do anyway.

Andreas IOM