best way to digitally store private information

joecool

Platinum Member
Apr 2, 2001

I have recently realized just how bad my "system" of passwords for on line access is, and am making some big changes. As a result I will have more passwords than I have now and remembering them all will be a challenge. My first thought was to store them all in a word doc I have that lists account numbers and other important info, that is itself password protected. However it occurs to me that this is probably not very secure either.

Now I'm wondering how I can record my passwords and other important info in a way that is both secure and safe. Paper is out - there's too much information to have to constantly update and keep track. Also, I want something I can back up. But what digital form can I keep this in and keep it safe? I use an app called eWallet that syncs w/my phone and is encrypted. Is that good enough?
 

RebateMonger

Elite Member
Dec 24, 2005

I believe that recent versions of MS Office have pretty decent encryption if you choose the stronger options. I use an Excel spreadsheet for my passwords and notes. There are also automated password managers. Of course, you have to trust the maker of the password manager....
 

Modelworks

Lifer
Feb 22, 2007

http://lastpass.com/features_free.php

It will keep all your passwords safe and allows you to generate safe passwords for sites.
The way it works is the passwords are encrypted on your pc and then sent to their servers to store. You only need remember a good master password. If you lose the master password then nobody, not even lastpass, can get them back since they never have access to the unencrypted passwords.

If you want to save a copy locally you can select to do that too.

They also have one time passwords you can generate so you can use lastpass from any computer to login to access your passwords, then when you log out the password you just used to access the lastpass account cannot be used to gain access again. This protects from keyloggers or people standing over your shoulder in public places.
Some of the other features:

Secure notes - works like a notepad where the notes are stored on the server, encrypted.
Automatically fills forms, so there's no having to enter address, email over and over

I am really picky about security software and have been using lastpass for over a year now. For a free application it is well worth it. It got pcmag and pcworld top ratings along with a bunch of others.

If you want to go to the premium version, $12 a year you can also use it on mobile phones.

Steve Gibson of GRC.com said this about it
"This thing is secure every way you can imagine. And it's simple," Steve says at one point. "I've completely switched my entire solution for managing passwords, after spending days researching it and testing it and playing with it, over to LastPass."

I am in no way connected with lastpass, just a happy user.
 

joecool

Platinum Member
Apr 2, 2001

thanks all for the referrals to lastpass. i'm giving it a try and liking many things about it, however, i have a few questions about the best usage model. specifically:

1) despite all of their safeguards, it seems unwise to put ALL my password eggs in the lastpass basket. specifically, i'm not sure if i should store the passwords to critical sites (basically, financial institutions) on lastpass. i'm thinking what i might do is use it for everything BUT financial institutions and email accounts; that way even if my lastpass account is compromised those critical sites will still be safe. does anyone else do this? is it worth the trouble or am i making unnecessary work for myself?

2) it seems to me that lastpass has two vulnerabilities: first, a keylogger could capture my password when i enter it (yes i know they have an on-screen keyboard you can use, but this is a hassle, and i understand keyloggers will now take screen caps as well, defeating the on-screen keyboard). second, the encoded password file could be cracked. how likely or unlikely are either of these scenarios? what can i do to protect against them?

thanks again,

joe
 

seepy83

Platinum Member
Nov 12, 2003

thanks all for the referrals to lastpass. i'm giving it a try and liking many things about it, however, i have a few questions about the best usage model. specifically:

1) despite all of their safeguards, it seems unwise to put ALL my password eggs in the lastpass basket. specifically, i'm not sure if i should store the passwords to critical sites (basically, financial institutions) on lastpass. i'm thinking what i might do is use it for everything BUT financial institutions and email accounts; that way even if my lastpass account is compromised those critical sites will still be safe. does anyone else do this? is it worth the trouble or am i making unnecessary work for myself?

2) it seems to me that lastpass has two vulnerabilities: first, a keylogger could capture my password when i enter it (yes i know they have an on-screen keyboard you can use, but this is a hassle, and i understand keyloggers will now take screen caps as well, defeating the on-screen keyboard). second, the encoded password file could be cracked. how likely or unlikely are either of these scenarios? what can i do to protect against them?

thanks again,

joe

My opinion is that you're taking it a little too far for personal use, but I don't know the situation you're in, so you'll need to perform your own risk analysis to see what you're comfortable with. The concerns that you have are relevant (at least to some extent), but you also need a system that is going to work for you without unnecessary hassle.

If you're using this on your own computer, then you should be able to consider it trusted hardware, and you should have a pretty good comfort level that it is protected from software keyloggers, viruses, trojans, etc (assuming that you keep your AV software up to date, protect yourself with firewalls, don't engage in risky browsing/downloading behavior, etc).

If a similar question were posed asking for recommendations on how a business should protect its most critical passwords (for example, the key for decrypting/restoring all of their backup tapes), then I might suggest that they use a split-brain system where half of the password is stored in location 1 and only persons A and B have access to it and the other half is stored in location 2 and only persons Y and Z have access to it, so that it takes some coordination between multiple parties to access that critical data.
 
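
The split-brain idea in the post above, as an added example that is not part of the thread: a 2-of-2 XOR split. It goes one step beyond the literal "half the password in each location" described there, because with an XOR split either share on its own is indistinguishable from random bytes, whereas a literal half hands its holder half the characters. Function names and the sample secret are assumptions.

```python
"""2-of-2 secret splitting for a critical credential (added example, not from the
thread). split_secret / combine_shares implement the XOR split; naive_halves and
bits_left_to_guess show why a literal half-and-half split is weaker."""
import math
import secrets


def split_secret(secret: bytes) -> tuple:
    """Share A is uniformly random; share B = secret XOR A.
    Any secret of this length is consistent with share A alone, so one share
    (one location, one pair of custodians) reveals nothing."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Both custodian groups must cooperate: XOR the shares back together."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def naive_halves(secret: bytes) -> tuple:
    """The literal scheme from the post: first half in location 1, second in location 2."""
    mid = len(secret) // 2
    return secret[:mid], secret[mid:]


def bits_left_to_guess(total_len: int, known_len: int, alphabet_size: int) -> float:
    """Search space (in bits) remaining for someone who already holds known_len of
    the total_len characters. With the XOR split known_len is effectively 0."""
    return (total_len - known_len) * math.log2(alphabet_size)


if __name__ == "__main__":
    backup_key = b"example-backup-key-2010"          # constructed sample secret
    a, b = split_secret(backup_key)
    print("recovered:", combine_shares(a, b) == backup_key)
    first, _ = naive_halves(backup_key)
    print("bits left if one literal half leaks:",
          round(bits_left_to_guess(len(backup_key), len(first), 70), 1))
    print("bits left if one XOR share leaks:",
          round(bits_left_to_guess(len(backup_key), 0, 70), 1))
```

The shares should be stored and transported separately; the protection comes entirely from the fact that no single party ever holds both.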

joecool

Platinum Member
Apr 2, 2001

If I let my machine store cookies, can those be used to crack my passwords? I'd like to just stay logged into a site rather than having to re-login every time I open the browser, but not if cookies are a gaping security hole.
 

FoxFifth

Member
Feb 16, 2010

If I let my machine store cookies, can those be used to crack my passwords? I'd like to just stay logged into a site rather than having to re-login every time I open the browser, but not if cookies are a gaping security hole.

One of the benefits of LastPass is that logging into a site every time you open the browser is easy, quick, painless.
 

FoxFifth

Member
Feb 16, 2010

Maybe I'm missing something but I have LastPass set to auto-login into sites so for me there isn't anything to get tired of?
 

seepy83

Platinum Member
Nov 12, 2003

Just another note from me, since I commented earlier. Personally, I use Password Safe. It uses a local, twofish-encrypted database, and virtually none of the bells and whistles that something like LastPass offers. I don't want my passwords backed up on a web server somewhere (even if the vendor has taken all of the appropriate precautions, as LastPass has), and I don't need any auto-logins, form fillers, etc.

My perspective is that there are fewer vectors of attack using Password Safe...unless you can get your hands on a copy of my DB, you have no way of getting at my passwords. And good luck getting a copy of my password DB...
 

joecool

Platinum Member
Apr 2, 2001

Maybe I'm missing something but I have LastPass set to auto-login into sites so for me there isn't anything to get tired of?

my old way of getting to my igoogle page: click to open browser.

new lastpass way (w/cookies cleared every time i close the browser): click to open browser; type in lastpass password. click on "sign in" button on google page. click on "igoogle" to get to my igoogle page.

not a huge deal but a little annoying. if i don't delete cookies every time i exit the browser then my lastpass way looks like the old way; the only difference is i have to log in to lastpass if i want to get to a site that i logged off of or doesn't save sessions.

regarding the other password programs, none of them seems as complete as lastpass. i really like the browser integration so i don't have to cut and paste my password from the app to the browser window. the only disadvantage i see to this is if it makes lastpass less secure ... which i don't think it does.
 

Modelworks

Lifer
Feb 22, 2007

My perspective is that there are fewer vectors of attack using Password Safe...unless you can get your hands on a copy of my DB, you have no way of getting at my passwords. And good luck getting a copy of my password DB...

There is no difference in what you are doing and what lastpass is doing except they are keeping a copy of the encrypted passwords on a server vs your hard drive. They can't access the passwords and nobody else can without brute force cracking them.

we first do a 'salt' of your LastPass password with your username on the client side (on your computer, LastPass never gets your password), then server side we pull a second 256 bit random hex-hash salt from the database, use that to make a salted hash which is compared to what's stored in the database.

It is very similar to a passworded .rar file. Everyone in the world can have a copy of it, but the only person that can open it will be the one with the correct key. Everyone else can try to brute force it, which shouldn't take more than several thousand years.
 
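
An illustrative model of the two-stage scheme the quoted paragraph above describes: the master password is stretched on the client with the username as salt, only a one-way value derived from that is sent to the server, and the server stores a second hash under its own random 256-bit salt. This is an added example for this thread, not LastPass's code; the PBKDF2 iteration counts, the HMAC-based login hash, the class and function names and the sample account are assumptions. The last two functions put numbers on the "several thousand years" claim for someone who has obtained the encrypted blob.

```python
"""Client/server master-password handling modelled on the thread's description
(added example, not vendor code). The master password never leaves the client."""
import hashlib
import hmac
import secrets

CLIENT_ITERATIONS = 100_000  # assumed PBKDF2 work factor on the client
SERVER_ITERATIONS = 100_000  # assumed PBKDF2 work factor on the server


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side: PBKDF2-HMAC-SHA256 of the master password, salted with the
    username. This key encrypts the local vault and is never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.encode(), CLIENT_ITERATIONS)


def derive_login_hash(vault_key: bytes) -> bytes:
    """Client side: a one-way value derived from the vault key is what is sent.
    Holding it does not give back the vault key or the master password."""
    return hmac.new(vault_key, b"login", hashlib.sha256).digest()


class Server:
    """Stores, per user, a random 256-bit salt and PBKDF2(login_hash, salt)."""

    def __init__(self):
        self.users = {}

    def register(self, username: str, login_hash: bytes) -> None:
        server_salt = secrets.token_bytes(32)  # the second, server-side salt
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, SERVER_ITERATIONS)
        self.users[username] = (server_salt, stored)

    def verify(self, username: str, login_hash: bytes) -> bool:
        if username not in self.users:
            return False
        server_salt, stored = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, SERVER_ITERATIONS)
        return hmac.compare_digest(candidate, stored)  # constant-time comparison


def client_login(server: Server, username: str, master_password: str):
    """Whole client flow; returns (authenticated, vault_key)."""
    vault_key = derive_vault_key(master_password, username)
    return server.verify(username, derive_login_hash(vault_key)), vault_key


def attacker_guess_rate(hash_ops_per_second: float) -> float:
    """Whoever holds the encrypted vault must pay CLIENT_ITERATIONS hash
    operations for every master-password guess."""
    return hash_ops_per_second / CLIENT_ITERATIONS


def years_to_brute_force(password_bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: half the keyspace at the given rate."""
    return (2 ** password_bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    srv = Server()
    user, pw = "joe@example.com", "correct horse battery staple"  # constructed sample
    srv.register(user, derive_login_hash(derive_vault_key(pw, user)))
    print("login ok:", client_login(srv, user, pw)[0])
    print("wrong password ok:", client_login(srv, user, "wrong")[0])
    print("years for a 60-bit master password at 1e10 hash ops/s:",
          round(years_to_brute_force(60, attacker_guess_rate(1e10))))
```

The point the thread makes falls out of the structure: a server breach yields salts and stretched hashes of the login value, neither of which is the vault key, so the attacker is reduced to guessing the master password at a cost of CLIENT_ITERATIONS hash operations per guess.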

Modelworks

Lifer
Feb 22, 2007

my old way of getting to my igoogle page: click to open browser.

new lastpass way (w/cookies cleared every time i close the browser): click to open browser; type in lastpass password. click on "sign in" button on google page. click on "igoogle" to get to my igoogle page.

not a huge deal but a little annoying. if i don't delete cookies every time i exit the browser then my lastpass way looks like the old way; the only difference is i have to log in to lastpass if i want to get to a site that i logged off of or doesn't save sessions.

Have you changed your igoogle password? One of the features of lastpass is the password generator. It can make passwords that are much more complicated than anything people come up with and since you are using lastpass you don't have to type in that long annoying hard to remember password.

The generator is under the lastpass, tools option.
Sample password I just generated
iZG119q3U$$7a!Ti

Very hard to break something like that.
 
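
A generator of the kind the post above describes (random characters drawn from several classes, like the sample password shown), together with an entropy estimate for the result. This is an added example for this thread, not LastPass's generator; the symbol set, the default length of 16 and the function names are assumptions.

```python
"""Password generator with guaranteed class coverage, plus an entropy estimate
(added example, not vendor code)."""
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!$#%&*?@"          # assumed symbol set
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)   # 70 distinct characters


def has_all_classes(password: str) -> bool:
    """True when every character class is represented at least once."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Draw from the CSPRNG-backed secrets module (random is not suitable) and
    reject candidates that miss a class."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing entropy: log2 of the number of possible strings.
    The class requirement removes a small fraction of that space."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(pw)), 1), "bits")
```

Sixteen characters over a 70-character alphabet gives roughly 98 bits, which is why a generated string of this shape is out of reach of exhaustive guessing while a short word-based password is not.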

seepy83

Platinum Member
Nov 12, 2003

There is no difference in what you are doing and what lastpass is doing except they are keeping a copy of the encrypted passwords on a server vs your hard drive. They can't access the passwords and nobody else can without brute force cracking them.

It is very similar to a passworded .rar file. Everyone in the world can have a copy of it, but the only person that can open it will be the one with the correct key. Everyone else can try to brute force it, which shouldn't take more than several thousand years.

Yes, I know this. And I agree that today no one could access the passwords. But we don't know what tomorrow's hardware innovations might bring in terms of the computing power that could be available to attack encrypted data.

With lastpass, you maintain your logical security but lastpass (the company and any business partners) maintains the physical security.

With password safe, you maintain both logical and physical security.

Edit:
Actually, lastpass (the company) is responsible for both logical and physical security to some extent.
I would rather have all of the responsibility in my own hands.
 