
Thread: what are the best ways to store a critical password -

  1. #1

    what are the best ways to store a critical password -

    hello dear linux-experts

    is it a good way to manage the passwords in cookies?

    well for some sensible accounts i have made up my mind and created some very very difficult passwds

    in the past i stored some of these critical passwds in cookies
    so that i did not need to retype this.

    BUT wait: is this a secure way to do so?

    note: i run opensuse-linux but i think that this is no guarantee that all is safe.

    so what do you suggest:

    a. create a passwd that i can remember and do not need to store in the cookie
    b. create a very very hard passwd that i cannot remember at any time and store it in the cookie.

    love to hear from you

    greetings
    dilbert ;-)
    Wordpress-development - a Toolset: wpgear.org

  2. #2
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,054

    Re: what are the best ways to store a critical password -

    On Sun, 14 Jun 2015 19:06:01 +0000, dilbertone wrote:

    > hello dear linux-experts
    >
    > is it a good Way to Manage the Passwords in cookies?


    It depends. Are you encrypting the cookies somehow?

    > well for some sensible accounts i have made up my mind and created some
    > very very difficult passwds
    >
    > in the past i stored some of these critical passwds in cookies so that
    > i did not need to retype this.
    >
    > BUT wait: is this a secure way to do so?
    >
    > note: i run opensuse-linux but i think that this is no guarantee that
    > all is safe.
    >
    > so what do you suggest:
    >
    > a. create a passwd that i can remember and do not need to store in the
    > cookie
    > b. create a very very hard passwd that i cannot remember at any
    > time and store it in the cookie.
    >
    > love to hear from you


    In either case, there's a key used to decrypt the password for use, so
    the strength of the password is generally not an issue (other than for
    the site it is actually for), but the strength of the key used becomes
    critical.

    Jim




    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  3. #3
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,742

    Re: what are the best ways to store a critical password -

    Assume you mean having the browser manage the password. This is not really a cookie. The passwords are usually encrypted (check your browser settings). So it is relatively safe. But it always depends on how much interest and resources someone has to break the encryption and exactly how much resources and time you have to stop them.

    Your passwords in any case are much more likely to be exposed from a break-in at the other end. Remember your password is stored in two places. On your machine and also on the server you connect to.

  4. #4

    Re: what are the best ways to store a critical password -

    hello dear googlathorp hello dear Jim,

    many many thanks for the answers. Great to hear from you!

    Well both of you are very right - Firefox stores the passwd in a cookie - it only manages it.


    well i will try not to use Firefox for storing any part of my authentication: i will try to avoid using it myself as, even though they are stored in an encrypted format in Firefox, doing so could give someone access to my accounts if they got hold of my computer.

    besides fireFox.



    i want to learn something new: what about keepassx. I've heard about this technique.


    I try to store my passwords using keepassx as my password manager and log in / out as needed. we can use keepassx in different modes: The way I want to set up keepassx requires a key file and a master password to be allowed in. I keep the key on a USB key and backed up on another one. An auto-generated keepassx (160 bit) password looks like this gJLMsn+~>1Vepl0/3!'K/hk/jolly_|



    Well googlathorp and Jim, how do you like this? So the passwds created with keepassx seem to be very, very strong.
    So strong that at least i would feel safe with it and the best thing of all:

    With keepassx you don't have to type it, just use the copy password menu item and paste it in the appropriate field.

    What do you think!? Should i give it a try!?

    love to hear from you! Have a great day

    dilbert ;-)
    Wordpress-development - a Toolset: wpgear.org

  5. #5
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,054

    Re: what are the best ways to store a critical password -

    On Mon, 15 Jun 2015 15:26:01 +0000, dilbertone wrote:

    > i want to learn something new: what about keepassx. I ve heard about
    > this technique.


    Doesn't matter if it's Firefox, Keepassx, or any other 'vault' - if you
    don't use a secure password to secure the vault, you will have the same
    potential for compromise of all saved passwords.

    A vault is only as good as the combination that protects the contents.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,251
    Blog Entries
    2

    Re: what are the best ways to store a critical password -

    Technically speaking,
    No one should ever store sensitive personal and security data in a cookie.
    That's very well known and any Dev that comes up with that idea should be spanked out of the project.
    And, it's because ordinary cookie storage is considered open and accessible to everyone/everything... And that's why it's so nice for use by Advertisers to track your Internet behavior, they can search for cookies dropped by various sites on your machine.

    Flash cookies are a specific type of cookie that's handled differently than regular cookies but has become the poster child for abuse, though not typically because it's used intentionally to pass passwords.

    There is one exception I've run across... Python websites like Django use a special cookie but it's not stored in the same place with other cookies, it's encrypted and the people who designed its use seem to be fully aware of the drawbacks of normal cookies so have done everything they can to address those issues. I don't like the idea of using these Python cookies, but today it's more my own personal attitude rather than any compromising reason.

    There is a proper way to use cookies, which generally is to store a random identifier so the Server can "remember" the client, and sometimes some non-sensitive information can be stored (like what those Advertisers do). But, that is just temporary data, usually related to sessions and <not> real security credentials which have permanence.

    So,
    If you're attracted to the idea of using cookies to pass anything like passwords, DON'T. EVER. NEVER. Or, you may be written up one day as "the" guy who either didn't know what he was doing or knew and did it anyway and wrecked his Users.

    HTH,
    TSU

  7. #7
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,607
    Blog Entries
    3

    Re: what are the best ways to store a critical password -

    Quote Originally Posted by dilbertone:
    > Well both of you are very right - the firefox stores the passwd in a cookie - it only manages it.

    I don't think that's right. At one time a particular website password was stored in a cookie. But that was the decision of the website, not of firefox. That site has since tightened up its security.

    I allow firefox to remember passwords. I do set a master password, so that they are encrypted on disk.

    Firefox does not store that password in a cookie. However, websites where I login do set a cookie that allows them to remember that I have authenticated. But the password is not in that cookie. Usually there is some sort of token which presumably is used to look up data in the website database.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  8. #8
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,251
    Blog Entries
    2

    Re: what are the best ways to store a critical password -

    Just a FYI
    Off the top of my head some ways to handle client authentication... And you'd probably get a full list with a Google search...

    - Use client certificates instead of passwords. Certificate usage still has to be done correctly and might not make any diff for many machine hacking, but it'll generally block human hacking. Certificates are generally issued and used as 2 main types, machine and user. On personal devices like mobile devices, "machine" and "personal" are practically synonymous, but on potentially shared devices they are more likely different. Oftentimes certificates are stored securely by default.

    - If you must use a password, then apps like keepass or lastpass can be used. Oftentimes if the User is logged into network security (like a business use of LDAP or AD), then you can often store credentials in the user's account.

    - If you are a Developer, you can embed various security methods into your app. Depending on the OS, username/password pairs can be stored in different places. On a Windows machine, they can be stored in the SAM. If you're deploying a web farm, you'll likely want to store credentials server-side.

    - Another common approach which shouldn't ever be used is passing credentials in the URL. I think the company I worked for was one of the first to explore client authentication in an online pharmacy. Although Dev did everything they could to randomize identifiers for every transaction, they overlooked the Search Engines who capture URLs so guess what... the URLs which included authentication IDs were captured and re-published in their entirety which allowed anyone to replay a transaction. Dev did some crash emergency re-design to completely re-work authentication. So, passing IDs in URLs is like using cookies. Don't.

    HTH,
    TSU

  9. #9

    Re: what are the best ways to store a critical password -

    If:
    - you use Firefox or derivatives
    - you have Seahorse / 'Passwords and Keys' installed and use it (which usually means you are using GNOME)
    - you don't trust Firefox on password security
    (- you want an easier way to figure out your password if you have forgotten it and need to enter it on a different computer)

    You can use the GNOME Keyring Integration extension to make Firefox save all passwords in the GNOME Keyring. This way they are secure, and you can still take a look at them when you need them. Do note that the GNOME Keyring is usually automatically unlocked when you log in, so when someone logs in to your computer and opens Seahorse, they will be able to see all your passwords. However, as long as you use a good password for your user account (which you should), this is never a problem. You can also just save any kind of password with Seahorse and it'll be secure (again, only if you have a good user password, though). I think it's possible to stop the keyring from automatically unlocking after logging in, but that sort of defeats the purpose of it, as you'd need to unlock it to use/save any passwords anyway. You can use a different keyring, though. One thing Seahorse does not have that KeePassX does, to my knowledge, is the key file, but I've always seen this as unnecessary as a good password (with a good encryption method/algorithm) already keeps everyone out, no exceptions.

  10. #10
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: what are the best ways to store a critical password -

    On 2015-06-15 21:46, sdfghjk123 wrote:


    > Do note that the GNOME Keyring is usually automatically unlocked
    > when you log in,


    which is protected by the user password, which is typically not very
    strong. A password vault should have a separate and very strong
    password, longer and more complex than the rest.

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))
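    Posts #4, #5 and #10 turn on one point: the vault key is derived from the master password (in dilbert's setup, combined with a key file on a USB stick), so the vault is exactly as strong as that secret, and it should be a separate, longer password than the login password. As an added illustration, not KeePassX's real file format or key-derivation code, here is a Python sketch of a composite master secret stretched with PBKDF2, plus a crude entropy estimate to compare the two kinds of password; the salt, iteration count and sample passwords are constructed for the demo.

```python
import hashlib
import math
import os
from typing import Optional

def composite_secret(master_password: str, key_file: Optional[bytes] = None) -> bytes:
    """Hash the password and (if given) the key file separately, then hash the
    concatenation: neither component alone reproduces the secret."""
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()

def derive_vault_key(master_password: str, salt: bytes,
                     key_file: Optional[bytes] = None,
                     iterations: int = 200_000) -> bytes:
    """Stretch the composite secret with PBKDF2-HMAC-SHA256; each guess of the
    master password then costs the attacker 'iterations' HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", composite_secret(master_password, key_file),
                               salt, iterations, dklen=32)

def estimate_entropy_bits(password: str) -> float:
    """Crude upper bound: length * log2(alphabet), where the alphabet is the
    union of character classes actually used (lower, upper, digit, symbol)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33            # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0

if __name__ == "__main__":
    salt = os.urandom(16)         # stored beside the vault; not secret
    key_file = os.urandom(32)     # constructed stand-in for a key file on a USB stick
    login_pw = "summer2015"       # constructed: a typical login password
    master_pw = "rotor-meadow-7-quartz-Lantern!"   # constructed: separate vault password
    print("login password  ~%.0f bits" % estimate_entropy_bits(login_pw))
    print("master password ~%.0f bits" % estimate_entropy_bits(master_pw))
    print("vault key:", derive_vault_key(master_pw, salt, key_file).hex())
    # The password alone, without the key file, yields a different (useless) key.
    assert derive_vault_key(master_pw, salt) != derive_vault_key(master_pw, salt, key_file)
```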

