What will keep my passwords secure for access over the Net

I have 100+ passwords for everything ranging from forums and library cards to really sensitive commercial data. I change the passwords now and then. I can’t remember them all. Is there a way to access a master document/storage of the passwords with total security remotely? I mean that while I’m away from the office I’d like to look up the passwords stored back at the office. I suppose it has to be over the internet, probably in a web browser? And I suppose that remotely there won’t often be a Linux platform; most of the machines I could use at remote locations are of course Windows machines.

Maybe I can put them in the cloud, but I feel very uneasy about that concept.

I have web access to an Apache2 server in Linux in the office. And standard Microsoft access like RDP & VNC to a Windows computer in the office (in the real world I can’t dodge Microsoft).

The key issue is that the process must be completely secure. I can’t see a secure solution.

Any ideas? Maybe it’s not feasible?

Thanks
swerdna

swerdna wrote:
> I have 100+ passwords for everything ranging from forums and library
> cards to really sensitive commercial data. I change the passwords now
> and then. I can’t remember them all. Is there a way to access a master
> document/storage of the passwords with total security remotely?

The short answer is no. Nothing is uncrackable. You could use ssh or
some other secure communications but it can all get messy.

Why not store the passwords on an encrypted USB stick, then no need for
the internet. Or even on a slightly more intelligent device that you
carry (phone?)

Anything can be cracked, but I feel quite safe now.

Your problem was my problem too. Until some customer password-protected a LibreOffice document and lost the (strong) password. A couple of whizkids cracked it in the end, but it took them a lot of time and computer power. This was last summer.

What I have now is this:

  • a USB adapter for micro SD
  • a bootable micro SD card with openSUSE 12.2 KDE Live
  • a second SD card with password-protected docs with credentials.

At the moment I’m thinking of using a Mega account, what I read is that their services should be top safe, but I’m very reluctant to store stuff like this in the cloud.

On 01/23/2013 01:01 PM, Dave Howorth wrote:
> Why not store the passwords on an encrypted USB stick

i’ve been wondering how to make an encrypted stick i can read on my home
Linux, or on (say) a friend’s Mac or a Windows…


dd
openSUSE®, the “German Engineered Automobile” of operating systems!

dd wrote:
> On 01/23/2013 01:01 PM, Dave Howorth wrote:
>> Why not store the passwords on an encrypted USB stick
>
> i’ve been wondering how to make an encrypted stick i can read on my home
> Linux, or on (say) a friend’s Mac or a Windows…

What’s the problem? I’m no expert but AFAIK you either buy a ready-made
product or use TrueCrypt.

On Wed, 23 Jan 2013 11:46:01 +0000, swerdna wrote:

> The key issue is that the process must be completely secure. I can’t see
> a secure solution.
>
> Any ideas? Maybe it’s not feasible?

Can you SSH to the remote system (maybe through httptunnel)? If you can,
then use encfs to encrypt a directory with the data in it.

Another option, if you can use dropbox, is to sync an encrypted directory
(I do this myself, store the encrypted directory in ~/Dropbox and decrypt
it to a directory outside the ~/Dropbox directory so it doesn’t sync
decrypted contents) between the machines.

Another option is to pick a password scheme that’s easy to remember but
difficult to guess. I know some people who do things like munge a word
and insert identifiers in specific places to identify the system - for
example (not a real-world example, natch):

Keyword: Pa$$w0rd
Facebook PW: Pa$$FBw0rd
Banking PW: Pa$$BKw0rd
Forum PW: Pa$$FMw0rd

etc.

Not something a dictionary attack is going to break, not easy to guess.

Another option is to generate the keyword using something like pwgen,
which generates pronounceable passwords that aren’t actually words, and
apply an algorithm like the above to it.

pwgen is in the standard repos for 12.2. The way I tend to use it is to
generate about 50 password values and then pick one I can remember.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
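Jim’s suggestion of generating a batch of pronounceable candidates and keeping the one you can remember, as an added example that is not part of the thread and is not pwgen’s code: a small Go generator that builds consonant-vowel syllables from crypto/rand, plus the entropy arithmetic that shows what pronounceability costs compared with fully random characters. The phoneme tables are constructed for the example; pwgen’s own tables and rules are richer.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed phoneme tables for this example (not pwgen's). "h" never
// stands alone and no vowel is a consonant, so every output string parses
// back into exactly one syllable sequence; the entropy figure below is exact.
var (
	consonants = []string{"b", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t", "v", "z", "ch", "sh", "th"} // 17
	vowels     = []string{"a", "e", "i", "o", "u", "ai", "ou"}                                                     // 7
)

// pick returns a uniformly random element using the OS CSPRNG, never math/rand.
func pick(set []string) string {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(set))))
	if err != nil {
		panic(err) // a failing CSPRNG is not something to recover from silently
	}
	return set[n.Int64()]
}

// Pronounceable builds a password from consonant-vowel syllables: sayable
// and memorable, but not a dictionary word.
func Pronounceable(syllables int) string {
	var b strings.Builder
	for i := 0; i < syllables; i++ {
		b.WriteString(pick(consonants))
		b.WriteString(pick(vowels))
	}
	return b.String()
}

// Candidates returns n independent candidates; the user keeps one they can remember.
func Candidates(n, syllables int) []string {
	out := make([]string, n)
	for i := range out {
		out[i] = Pronounceable(syllables)
	}
	return out
}

// SyllableEntropyBits is log2 of the number of distinct outputs Pronounceable
// can produce: each syllable is one of len(consonants)*len(vowels) equally
// likely choices, so the figure is syllables * log2(119).
func SyllableEntropyBits(syllables int) float64 {
	return float64(syllables) * math.Log2(float64(len(consonants)*len(vowels)))
}

// AlnumEntropyBits is the same figure for a fully random password of the
// given length drawn from the 62 ASCII alphanumerics, for comparison.
func AlnumEntropyBits(length int) float64 {
	return float64(length) * math.Log2(62)
}

func main() {
	for _, c := range Candidates(50, 4) {
		fmt.Println(c)
	}
	fmt.Printf("4 syllables: %.1f bits; 10 random alphanumerics: %.1f bits\n",
		SyllableEntropyBits(4), AlnumEntropyBits(10))
}
```

Running it prints 50 candidates and then the comparison: four syllables give about 27.6 bits, while ten fully random alphanumerics give about 59.5. That gap is the price of memorability, so a pronounceable keyword needs more syllables (or added random characters) before it is strong enough to protect the kind of data the original poster describes.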

On Wed, 23 Jan 2013 15:23:54 +0000, dd wrote:

> On 01/23/2013 01:01 PM, Dave Howorth wrote:
>> Why not store the passwords on an encrypted USB stick
>
> i’ve been wondering how to make an encrypted stick i can read on my home
> Linux, or on (say) a friend’s Mac or a Windows…

Truecrypt. :)

Jim


On Wed, 23 Jan 2013 15:32:58 +0000, Dave Howorth wrote:

> dd wrote:
>> On 01/23/2013 01:01 PM, Dave Howorth wrote:
>>> Why not store the passwords on an encrypted USB stick
>>
>> i’ve been wondering how to make an encrypted stick i can read on my
>> home Linux, or on (say) a friend’s Mac or a Windows…
>
> What’s the problem? I’m no expert but AFAIK you either buy a ready-made
> product or use TrueCrypt.

(I also just answered that truecrypt could work for this - but there is a
downside - IIRC the Windows version requires administrator rights to
install its driver - don’t think there’s a standalone version).

Jim


Hey a good set of ideas here. I rather like the idea of Linux on a stick bootable from any computer, with the data truecrypted in the stick somewhere.

I’ll play with that over the weekend.

Thanks all. Still thinking, will try a few of your ideas.

Jim,
Yes, Truecrypt does require it to be installed, but after that it’s pretty much standalone on the Windows machine.
The only passwords that will open a Truecrypt file are the ones that you put in. Once those are in, the Windows admin cannot open them. Only you can, with the passwords installed.

On 01/23/2013 04:32 PM, Dave Howorth wrote:
> I’m no expert but AFAIK you either buy a ready-made
> product or use TrueCrypt.

maybe i don’t know enough to ask the right question: but is a TrueCrypt
protected USB stick readable on all random Windows machines (in a
library, netcafe, etc)

or, any other “ready-made product” are all/any readable on any random
Linux/Mac/Win machine?


dd

On Wed, 23 Jan 2013 21:46:01 +0000, Sagemta wrote:

> Yes Truecrypt does require it to be installed, but after that it’s
> pretty much standalone on the Windows machine.
> The only passwords that will open a Truecrypt file are the ones that you
> put in. Once those are in the windows admin cannot open them. Only you
> can with the passwords installed.

True, but to use it on Windows you need more than guest access, that’s my
point. But one thing that might work is a portable install of VirtualBox
with a small VM that uses full disk encryption - the VB executables
could /probably/ be run without installing anything.

Though I /do/ have a vague memory of a portableapps install of TrueCrypt,
too.

Jim


On Wed, 23 Jan 2013 21:56:10 +0000, dd wrote:

> On 01/23/2013 04:32 PM, Dave Howorth wrote:
>> I’m no expert but AFAIK you either buy a ready-made product or use
>> TrueCrypt.
>
> maybe i don’t know enough to ask the right question: but is a TrueCrypt
> protected USB stick readable on all random Windows machines (in a
> library, netcafe, etc)

Yes. You can read about it at truecrypt.org.

But basically, when you create an encrypted volume (which can be a full
device or a file in a filesystem), you specify if it’s to be usable
cross-platform. That then creates a “container” that, if formatted with a
cross-platform filesystem (like fat32), can be read on any system that can
read it.

> or, any other “ready-made product” are all/any readable on any random
> Linux/Mac/Win machine?

There are plenty of tools that can do that type of thing - think cross-
platform applications that have their own doc formats. Heck, OpenOffice/
LibreOffice can run cross-platform and read ODF files (and other file
formats) cross-platform on any random Linux/Mac/Win machine. A simple
(and far less, I might add) secure option would be to use encrypted ODF
files (ie, “Save with password” in the save dialog).

Jim


I keep my passwords in an encrypted file.

Actually, it is an encrypted email message. I keep copies of that email on several systems. As long as I can read encrypted email, I can get at the passwords. And, of course, I periodically update the email.

On 2013-01-23 22:56, dd wrote:
> maybe i don’t know enough to ask the right question: but is a TrueCrypt
> protected USB stick readable on all random Windows machines (in a
> library, netcafe, etc)

If that is possible to do, then I would not use a random machine. It
could be a hacked machine that records my keytaps and copies the file.

For that situation I would use one of those small pocket computers with
my own encrypted system and files.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

A free service available online is LastPass. This is the only one I’d
consider endorsing and while it may not be perfect (if you’re truly,
completely opposed to ever having any form of your password outside your
control) I believe they do this the best way possible. Specifically that
way is:

On your computers (cross-platform), usually in your browser, runs a plugin
which watches for password fields and prompts you giving you the option to
store them.

On your computer goes a passphrase that you should keep insanely private
since it is the key to your kingdom.

On your computer the encryption of your passwords (as you tell LastPass to
do it) happens using a key protected by your passphrase.

Your computer then sends that encrypted value to LastPass.

When LastPass loads on your computer it accesses the account you have with
lastpass.com (authenticated connection) and pulls down the ciphertext (vs.
cleartext) version of your passwords.

LastPass then decrypts those passwords and inserts them when needed into
forms as you have told it to.

To me this is the right way to handle this centrally because even if
lastpass.com is hacked and all of the ciphertext versions of your
passwords are lost they are invalid without your passphrase (which you
keep very close to the vest). Of course, could a brute force of
passphrases eventually break through that? Sure, and if you use a weak
passphrase you get what you deserve just like if you use a weak password
on a site.

Regarding others’ comments, I would not store my passwords in anything off
of my local, completely-trusted computers. That includes encrypted drives
mounted to other untrusted boxes, or documents with passwords on them
containing all other passwords. It would be trivial to have a piece of
malware either access the contents of encrypted things (behind the scenes,
of course) and forward them on, or for it to simply send
interesting-looking documents along with the logged keystrokes to the bad
guys, all without you knowing. Sure it was encrypted, or
password-protected, but if you put your keystrokes into an untrusted
computer then you are giving up access to those data forever. Mounting an
encrypted volume to a windows box gives access to anything on that system
(other users’ processes, compromised system processes, your web browser
with vulnerable Flash/Java plugins) access to your data directly. For
some, that may not be a big risk, but I’d never do it. This means I am
sometimes inconvenienced when wanting to check my e-mail (“Want to use my
computer to check your e-mail?” “Heck no.”) but that’s fine with me.

Good luck.
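The client-side model ab describes (a key derived from the passphrase on your own machine, only ciphertext ever sent to the service, decryption again on the client) as an added example. This is neither LastPass’s code nor the post’s, and the construction is an assumption chosen for the example: PBKDF2-HMAC-SHA256 written out over the Go standard library for the key derivation, AES-256-GCM for the vault. The “service” is just the returned byte slice, standing in for whatever stores the blob; the vault entry and passphrase are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	iterations = 100_000 // work factor against offline passphrase guessing of a stolen blob
	keyLen     = 32      // AES-256
)

// ErrBadPassphrase covers both a wrong passphrase and a modified blob; GCM
// cannot tell them apart, and the caller learns nothing either way.
var ErrBadPassphrase = errors.New("vault: wrong passphrase or tampered blob")

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256 as the PRF, written out so
// the example needs only the standard library (use a vetted library in production).
func pbkdf2SHA256(passphrase, salt []byte, iter, n int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	var out []byte
	for block := uint32(1); len(out) < n; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

// aeadFor derives the AES-256-GCM instance for a passphrase and salt.
func aeadFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVault runs on the client. Layout: salt || nonce || ciphertext+tag.
// This blob is all the service ever receives.
func EncryptVault(passphrase string, vault []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := aeadFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := append(salt, nonce...)                 // salt is at capacity, so this allocates
	return aead.Seal(blob, nonce, vault, salt), nil // salt doubles as associated data
}

// DecryptVault runs on the client after pulling the blob back down.
func DecryptVault(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, ErrBadPassphrase
	}
	salt := blob[:saltLen]
	aead, err := aeadFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < saltLen+ns+aead.Overhead() {
		return nil, ErrBadPassphrase
	}
	plain, err := aead.Open(nil, blob[saltLen:saltLen+ns], blob[saltLen+ns:], salt)
	if err != nil {
		return nil, ErrBadPassphrase
	}
	return plain, nil
}

func main() {
	const pass = "a long passphrase that never leaves this machine" // constructed
	vault := []byte("site.example  alice  s3cret-constructed-value\n") // constructed entry
	blob, err := EncryptVault(pass, vault)
	if err != nil {
		panic(err)
	}
	fmt.Printf("service stores %d opaque bytes\n", len(blob))
	if _, err := DecryptVault("guess", blob); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	plain, _ := DecryptVault(pass, blob)
	fmt.Printf("client recovers: %s", plain)
}
```

Two properties map directly onto the post’s argument. The stored blob contains nothing but a random salt, a random nonce and authenticated ciphertext, so a breach of the service yields only material that has to be brute-forced through the PBKDF2 work factor, which is exactly why the passphrase strength matters so much. And because GCM authenticates, a wrong passphrase or a tampered blob is rejected outright instead of being decrypted into garbage that might be mistaken for real data.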

Jim Henderson wrote:
> On Wed, 23 Jan 2013 21:56:10 +0000, dd wrote:
>> or, any other “ready-made product” are all/any readable on any random
>> Linux/Mac/Win machine?
>
> There are plenty of tools that can do that type of thing - think cross-
> platform applications that have their own doc formats. Heck, OpenOffice/
> LibreOffice can run cross-platform and read ODF files (and other file
> formats) cross-platform on any random Linux/Mac/Win machine. A simple
> (and far less, I might add) secure option would be to use encrypted ODF
> files (ie, “Save with password” in the save dialog).

I was thinking more of these kind of products :)

http://www.istorage-uk.com/datashur.php
http://fingerprint-usb-review.toptenreviews.com/transcend-jetflash-220-usb-flash-drive-review.html

Dave Howorth wrote:
> I was thinking more of these kind of products :)
>
> http://www.istorage-uk.com/datashur.php
> http://fingerprint-usb-review.toptenreviews.com/transcend-jetflash-220-usb-flash-drive-review.html

Oh, and as ab pointed out, nothing is secure if you plug it into an
untrusted running system.

On Thu, 24 Jan 2013 11:14:38 +0000, Dave Howorth wrote:

> Oh, and as ab pointed out, nothing is secure if you plug it into an
> untrusted running system.

That is certainly true. :)

Bootable USB might be a good alternative, but that won’t prevent a
keylogger doing its thing, either.

Jim


IMO
The OP didn’t describe his requirements well enough.

Automatic or Manual encryption?
Local or remote storage?
Integrated with existing security or not?

BTW - If you’re looking for a USB fob with keypad, Apricorn makes a line of USB sticks and USB drives protected with keypads.

Most answers to this point have centered on automatic encryption (eg Truecrypt).
But, perhaps more than most other OSes, Linux also provides tools to encrypt at any level, including individual files. (Once encrypted, you can copy your list anywhere, including Dropbox, your favorite server, an email attachment, a regular USB key, etc.)

So, you don’t have to look far for good solutions, you just need to specify how automatic you want to make things and of course remembering that by making life easier for yourself you might also be making it easier for the info to be hacked.

TSU