Author Topic: Safe Password Entry Practices?

Offline Kenof

> I use KeePass, you can just copy the pw/username. No need to use your keyboard.

> A virus can easily 'keylog' your clipboard.

KeePass has an option called auto-type with two-channel auto-type obfuscation.

I wrote my own keylogger and clipboard sniffer, and it seems that they do not work against auto-type obfuscation.
Maybe my keylogger and clipboard sniffer are too slow and can't log KeePass auto-type because of my poor programming knowledge, so I would like to know whether anyone can confirm the above statement about obfuscation.

Another way to go is to add an option where you need a password plus a keyfile to unlock Keyhotee. (In KeePass you can use any file of reasonable size; for example, you have a USB stick with a few hundred songs on it and one song is your keyfile. No one would ever suspect that your stick has a keyfile on it.)

If the above two are combined with two-factor authentication, I think the security level goes to extreme.
When enabling two-factor authentication, allow direct printing of the QR code and backup text code but not saving or selecting it. Those who print-screen and save a backup picture of the code are naive fools, so there should also be a warning about NOT storing this info on a PC.

To conclude, to unlock Keyhotee you need:
1. A classic password that is typed in by KeePass with two-channel auto-type obfuscation (or by classic keyboard input, regardless of keyloggers and clipboard sniffers)
2. A keyfile (any type of file: jpg, gif, mp3, mp4, avi, dll, pdf, ...whatever)
3. Two-factor authentication

Also, you can have an option where you choose which methods of authentication you want. If you want to have a password only, OK, but it's at your own risk.
« Last Edit: December 04, 2013, 07:37:11 am by Kenof »
Making life easier.
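Kenof asks whether two-channel auto-type obfuscation defeats a keylogger or a clipboard sniffer. The following model is added here and is not KeePass's code; its split rule (2 to 4 chunks, channels alternating) is a simplifying assumption. It shows why an observer on one channel sees only fragments, and why one that records both channels in order does not.

```python
import random

# Added, simplified model of two-channel auto-type obfuscation (not KeePass's own
# code): the secret is cut into chunks, and consecutive chunks alternate between
# simulated keystrokes and a clipboard paste (Ctrl+V).
KEYS, PASTE = "keys", "paste"
PASTE_MARK = "<Ctrl+V>"

def split_two_channel(secret, rng):
    """Cut `secret` into 2..4 non-empty chunks whose channels alternate."""
    if len(secret) < 2:
        return [(KEYS, secret)]  # nothing to split: plain typing
    n_chunks = rng.randint(2, min(4, len(secret)))
    cuts = sorted(rng.sample(range(1, len(secret)), n_chunks - 1))
    bounds = [0, *cuts, len(secret)]
    channel, plan = rng.choice((KEYS, PASTE)), []
    for i in range(n_chunks):
        plan.append((channel, secret[bounds[i]:bounds[i + 1]]))
        channel = PASTE if channel == KEYS else KEYS  # alternate channels
    return plan

def simulate_entry(plan):
    """Replay the plan, recording what each kind of observer could see."""
    keylog, clipboard, field = [], [], ""
    for channel, chunk in plan:
        if channel == KEYS:
            keylog.extend(chunk)  # one key event per character
        else:
            clipboard.append(chunk)  # chunk is copied, then pasted
            keylog.append(PASTE_MARK)  # keylogger sees only the paste shortcut
        field += chunk
    return {"plan": plan, "keylog": keylog, "clipboard": clipboard, "field": field}

def keylogger_view(trace):  # keystroke-only observer
    return "".join(k for k in trace["keylog"] if k != PASTE_MARK)

def clipboard_view(trace):  # clipboard-only observer
    return "".join(trace["clipboard"])

def combined_view(trace):
    """Logging keys and clipboard changes in order merges both channels."""
    pastes = iter(trace["clipboard"])
    return "".join(next(pastes) if k == PASTE_MARK else k for k in trace["keylog"])

def demo(secret="correct horse battery", seed=7):
    """Deterministic run on a constructed sample secret."""
    return simulate_entry(split_two_channel(secret, random.Random(seed)))
```

The obfuscation therefore raises the bar only for tools that watch a single channel; malware that hooks both the keyboard and clipboard sees the same field contents the application receives.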

Offline krystalwhite

Hi

If you don't want to use any additional software, one simple system I read about was to type in your password with additional characters, then highlight and remove them before clicking enter; or type your password in a different order, i.e. if your password was krystalwhite, put your cursor in the password box and type 'whi', move the cursor to the front and type 'kryst', then to the back and input 'te', then the middle and input 'al'.

You can type part of it in and cut/paste the rest from a file on a USB stick.

Your password could also be protected by an additional key phrase which requires you to input certain characters from the phrase using drop-down boxes, i.e. characters 2, 4 and 8, where the characters required change each time.

Finally, the other option is an SMS (text) number sent to your mobile/cell phone to input, although this might become a pain if you are using it every day.

Or you could have an audio word/number to type in each time, but this would have to be designed for all languages.

Keyloggers with screenshots are the most difficult to get around.

Cheers

kw
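The out-of-order typing trick described in the post above, as an added model that is not from the post: a text field that honours cursor keys, compared with a keylogger that merely concatenates printable keys. The key names and the key sequence (built from the post's krystalwhite example) are this example's own constructions.

```python
# Added model (not from the post) of typing a password out of order: a text
# field that honours cursor keys, next to a keylogger that only concatenates
# printable keys. Key names below are this example's own convention.
HOME, END, LEFT, RIGHT = "<Home>", "<End>", "<Left>", "<Right>"
NAV_KEYS = {HOME, END, LEFT, RIGHT}

def apply_keys(events):
    """Replay key events into a single-line text field and return its text."""
    buf, cursor = [], 0
    for ev in events:
        if ev == HOME:
            cursor = 0
        elif ev == END:
            cursor = len(buf)
        elif ev == LEFT:
            cursor = max(0, cursor - 1)
        elif ev == RIGHT:
            cursor = min(len(buf), cursor + 1)
        else:  # printable character: insert at the cursor
            buf.insert(cursor, ev)
            cursor += 1
    return "".join(buf)

def naive_keylog(events):
    """What a keylogger that ignores navigation keys would record."""
    return "".join(ev for ev in events if ev not in NAV_KEYS)

# Constructed key sequence following the post: type 'whi', jump to the front
# and type 'kryst', jump to the end and type 'te', then step back five
# characters into the middle and type 'al'.
OUT_OF_ORDER = [*"whi", HOME, *"kryst", END, *"te", *([LEFT] * 5), *"al"]

def compare(events=OUT_OF_ORDER):
    """Return (field contents, naive keylogger record) for a key sequence."""
    return apply_keys(events), naive_keylog(events)
```

A keylogger that also records navigation keys can replay them exactly as apply_keys does, so the trick only helps against the naive kind, and the screenshot-taking loggers mentioned above are unaffected.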

Offline phoenix

In every entry system there is always going to be some kind of flaw. Don't focus on the actual flaws in the system; focus on how difficult they are to exploit. As long as you make it economically infeasible to exploit the flaws, the system will be safe enough.
Protoshares: Pg5EhSZEXHFjdFUzpxJbm91UtA54iUuDvt
Bitmessage: BM-NBrGi2V3BZ8REnJM7FPxUjjkQp7V5D28

Offline pgbit

> I heard somewhere that using the Windows on-screen keyboard is the safest way to enter passwords. Is this correct?
>
> Or, better yet, are there any programs/plugins that automatically encrypt your passwords when you are connected to the inet?
>
> Interested in keeping my stuff safe...

The on-screen keyboard still passes events that can be captured with software.
http://superuser.com/questions/473536/bypassing-keyloggers-virtual-keyboard/473641#473641

Offline Evan

I am interested in knowing the best practices here... so please help provide suggestions.  In particular I want solutions that do not depend upon specialized hardware or centralized services.

I guess that rules out LastPass, which I use with Google Authenticator primarily for synchronization of my password information between devices and generating strong passwords.  The Firefox plugin can automatically fill in the username and password without copying and pasting from the clipboard.  I would definitely prefer an open source, decentralized, and well-supported alternative to LastPass that is also convenient and easy to use.

Prior to switching to LastPass, I used Clipperz.

Offline bytemaster

> I use KeePass, you can just copy the pw/username. No need to use your keyboard.

A virus can easily 'keylog' your clipboard.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline fav

I use KeePass, you can just copy the pw/username. No need to use your keyboard.

Offline testz

> I am interested in knowing the best practices here... so please help provide suggestions. In particular I want solutions that do not depend upon specialized hardware or centralized services.

2FA like Google Authenticator is, in my opinion, the best solution, but not many services support it.
Keeping passwords secure is a very complicated task, at least in a Windows environment where a lot of viruses/malware exist.

Offline bytemaster

> I am interested in knowing the best practices here... so please help provide suggestions. In particular I want solutions that do not depend upon specialized hardware or centralized services.

Offline fuzzy

I heard somewhere that using the Windows on-screen keyboard is the safest way to enter passwords. Is this correct?

Or, better yet, are there any programs/plugins that automatically encrypt your passwords when you are connected to the inet?

Interested in keeping my stuff safe...
WhaleShares==DKP; BitShares is our Community! 
ShareBits and WhaleShares = Love :D