BitShares Forum

Main => General Discussion => Topic started by: fuzzy on December 03, 2013, 06:39:16 pm

Title: Safe Password Entry Practices?
Post by: fuzzy on December 03, 2013, 06:39:16 pm
I heard somewhere that using the Windows on-screen keyboard is the safest way to enter passwords. Is this correct?

Or, better yet, are there any programs/plugins that automatically encrypt your passwords when you are connected to the inet? 

Interested in keeping my stuff safe...
Title: Re: Safe Password Entry Practices?
Post by: bytemaster on December 03, 2013, 07:06:16 pm
I am interested in knowing the best practices here... so please help provide suggestions.  In particular I want solutions that do not depend upon specialized hardware or centralized services.
Title: Re: Safe Password Entry Practices?
Post by: testz on December 03, 2013, 07:37:32 pm
I am interested in knowing the best practices here... so please help provide suggestions.  In particular I want solutions that do not depend upon specialized hardware or centralized services.

2FA like Google Authenticator is, in my opinion, the best solution, but not many services support it.
Keeping passwords secure is a very complicated task, at least in a Windows environment where a lot of viruses/malware exist.
Title: Re: Safe Password Entry Practices?
Post by: fav on December 03, 2013, 07:38:20 pm
I use KeePass; you can just copy the pw/username. No need to use your keyboard.
Title: Re: Safe Password Entry Practices?
Post by: bytemaster on December 03, 2013, 07:40:04 pm
I use KeePass; you can just copy the pw/username. No need to use your keyboard.

A virus can easily 'keylog' your clipboard.
Title: Re: Safe Password Entry Practices?
Post by: Evan on December 03, 2013, 07:57:44 pm
I am interested in knowing the best practices here... so please help provide suggestions.  In particular I want solutions that do not depend upon specialized hardware or centralized services.

I guess that rules out LastPass, which I use with Google Authenticator primarily for synchronization of my password information between devices and generating strong passwords.  The Firefox plugin can automatically fill in the username and password without copying and pasting from the clipboard.  I would definitely prefer an open source, decentralized, and well-supported alternative to LastPass that is also convenient and easy to use.

Prior to switching to LastPass, I used Clipperz (https://www.clipperz.com/).
Title: Re: Safe Password Entry Practices?
Post by: pgbit on December 03, 2013, 09:22:22 pm
I heard somewhere that using the Windows on-screen keyboard is the safest way to enter passwords. Is this correct?

Or, better yet, are there any programs/plugins that automatically encrypt your passwords when you are connected to the inet? 

Interested in keeping my stuff safe...
The onscreen keyboard still passes events that can be captured with software.
http://superuser.com/questions/473536/bypassing-keyloggers-virtual-keyboard/473641#473641
Title: Re: Safe Password Entry Practices?
Post by: phoenix on December 03, 2013, 10:32:06 pm
In every entry system, there is always going to be some kind of flaw. Don't focus on the actual flaws in the system; focus on how difficult they are to exploit. As long as you make it economically unfeasible to exploit the flaws, the system will be safe enough.
Title: Re: Safe Password Entry Practices?
Post by: krystalwhite on December 04, 2013, 06:30:36 am
Hi

If you don't want to use any additional software, one simple system I read about was to type in your password with additional characters, then highlight and remove them before clicking enter; or type your password in a different order, i.e. if your password was krystalwhite, put your cursor in the password box and type 'whi', move the cursor to the front and type 'kryst', then to the back and input 'te', then the middle and input 'al'.

You can type part in and cut/paste the rest from a file on a usb stick.

Your password could also be protected by an additional key phrase which requires you to input certain characters from the phrase using drop-down boxes (i.e. characters 2, 4 and 8), with the characters required changing each time.

Finally, the other option is an SMS (text) number sent to your mobile/cell phone to input, although this might become a pain if you are using it every day.

Or you could have an audio word/number to type in each time but this would have to be designed for all languages.

Key loggers with screenshots are the most difficult to get around.

Cheers

kw
Title: Re: Safe Password Entry Practices?
Post by: Kenof on December 04, 2013, 06:53:35 am
I use KeePass; you can just copy the pw/username. No need to use your keyboard.

A virus can easily 'keylog' your clipboard.

KeePass has an option called Auto-Type with Two-Channel Auto-Type Obfuscation.

I wrote my own keylogger and clipboard sniffer and it seems that they do not work against Auto-Type obfuscation.
Maybe my keylogger and clipboard sniffer are too slow and can't log from KeePass Auto-Type due to my poor knowledge of programming, so I would like to know whether anyone can confirm the above statement about obfuscation.

Another way to go is to add an option where you need a password with a keyfile to unlock Keyhotee. (In KeePass you can use any file that has a reasonable size; for example, you have a USB stick with a few hundred songs on it, one song is your keyfile... no one would ever suspect that your stick has a keyfile on it.)

If the above 2 are combined with two-factor authentication, I think the security level goes to extreme.
When enabling two-factor authentication, allow direct printing of the QR code and backup text code but not saving or selecting it. Those who print-screen and save a backup picture of the code are naive fools, so there should also be a warning about NOT storing this info on a PC.

To conclude, to unlock Keyhotee you need:
1. A classic password that is typed in by KeePass with Two-Channel Auto-Type Obfuscation (or by classic keyboard input, regardless of keyloggers and clipboard sniffers)
2. A keyfile (any type of file: jpg, gif, mp3, mp4, avi, dll, pdf... whatever)
3. Two-factor authentication

Also, you can have an option where you choose which methods of authentication you want; if you want to have a password only, OK, but it's your own risk.
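The two entry tricks discussed in this thread (krystalwhite's out-of-order typing with cursor moves plus decoy characters, and Kenof's KeePass two-channel auto-type that splits a secret between keystrokes and the clipboard) can be simulated to see exactly what different loggers capture. The following is an added example written for this page; it is not code from KeePass or from any poster. The text-field model, the four-way chunking, the alternating channel choice and the three logger models are all assumptions of the simulation (KeePass's real Two-Channel Auto-Type Obfuscation has its own splitting logic). What it shows: a naive keystroke hook and a clipboard sniffer each see a scrambled or partial string, but a logger that also records caret keys and clipboard contents replays the entry through a model of the field and recovers the password exactly. These tricks raise the bar against simple loggers only.

```python
"""Added simulation of the anti-keylogger entry tricks from this thread.

Assumptions (not KeePass's real code): a text field honouring
Home/End/Left/Right/BackSpace, Ctrl+V pasting the whole clipboard, and
chunks alternating between the typed and pasted channels.
"""
import random


class TextField:
    """Minimal edit control: a character buffer plus a caret index."""

    def __init__(self):
        self.buf, self.caret = [], 0

    def apply(self, event):
        kind, value = event
        if kind == "char":                      # printable key
            self.buf.insert(self.caret, value)
            self.caret += 1
        elif kind == "paste":                   # Ctrl+V, value = clipboard text
            self.buf[self.caret:self.caret] = list(value)
            self.caret += len(value)
        elif value == "Home":
            self.caret = 0
        elif value == "End":
            self.caret = len(self.buf)
        elif value == "Left":
            self.caret = max(0, self.caret - 1)
        elif value == "Right":
            self.caret = min(len(self.buf), self.caret + 1)
        elif value == "BackSpace" and self.caret > 0:
            self.caret -= 1
            del self.buf[self.caret]

    def text(self):
        return "".join(self.buf)


def split_chunks(secret, n):
    """Split secret into n contiguous chunks of near-equal length."""
    size, extra = divmod(len(secret), n)
    bounds = [0]
    for i in range(n):
        bounds.append(bounds[-1] + size + (1 if i < extra else 0))
    return [secret[a:b] for a, b in zip(bounds, bounds[1:])]


def obfuscated_events(secret, seed=0, clipboard=False, chunks=4, decoys=""):
    """Key/paste events that enter secret in scrambled chunk order.

    clipboard=False: the manual trick (type chunks out of order, moving the
    caret with Home/Right). clipboard=True: chunks also alternate between
    typing and Ctrl+V, approximating KeePass two-channel auto-type obfuscation.
    decoys: extra characters typed after the secret and then deleted.
    """
    rng = random.Random(seed)
    parts = split_chunks(secret, chunks)
    order = list(range(len(parts)))
    rng.shuffle(order)
    if order == sorted(order):       # never enter the chunks in natural order
        order.reverse()
    paste_next = rng.random() < 0.5  # channel of the first chunk, then alternate
    events, entered = [], set()
    for idx in order:
        # caret goes just after every already-entered chunk that precedes idx
        offset = sum(len(parts[j]) for j in entered if j < idx)
        events.append(("key", "Home"))
        events.extend(("key", "Right") for _ in range(offset))
        if clipboard and paste_next:
            events.append(("paste", parts[idx]))
        else:
            events.extend(("char", c) for c in parts[idx])
        paste_next = not paste_next
        entered.add(idx)
    if decoys:                       # type junk at the end, then delete it
        events.append(("key", "End"))
        events.extend(("char", c) for c in decoys)
        events.extend(("key", "BackSpace") for _ in decoys)
    return events


def naive_keystroke_log(events):
    """Hook that records printable keys and Ctrl+V in arrival order only."""
    return "".join(v if k == "char" else "^V" if k == "paste" else ""
                   for k, v in events)


def clipboard_sniff(events):
    """Clipboard monitor: every value that was placed on the clipboard."""
    return "".join(v for k, v in events if k == "paste")


def modeled_replay(events):
    """Logger that captures keys and clipboard, then replays them in a field model."""
    field = TextField()
    for ev in events:
        field.apply(ev)
    return field.text()


if __name__ == "__main__":
    for mode in (False, True):       # "krystalwhite" is the thread's example
        ev = obfuscated_events("krystalwhite", seed=7, clipboard=mode, decoys="xq")
        print("two-channel" if mode else "out-of-order", naive_keystroke_log(ev),
              clipboard_sniff(ev) or "(nothing)", modeled_replay(ev), sep=" | ")
```

Running the file prints one line per mode with the three attacker views side by side. The `modeled_replay` column always equals the password: the obfuscation only works while the attacker ignores navigation keys or one of the two channels, which is why a logger that also takes screenshots or tracks the edit control is the hard case.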