Author Topic: Storing Master PW on hard drive vs typing it...  (Read 11998 times)

Offline maikur

  • Normal Members
  • *
  • Posts: 5
Storing Master PW on hard drive vs typing it...
« on: January 08, 2007, 09:43:37 AM »
What's the consensus here? Is it better to store on the hard drive or type it out each time? The thing that attracted me to this program in the first place is I did not like how other password programs stored lists of passwords on the hard drive.

On the other hand, I have read some posts from people who claim that typing out the master pw makes you vulnerable to keyloggers.. So I'm kind of confused.

I guess I'd ask the developers of this program... what do you do? Type it out or store it on the hard drive?


One other dumb question... the FAQ makes it clear... lose your password? Yes, you're screwed... wouldn't that also be the case if you somehow lose your settings?

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Storing Master PW on hard drive vs typing it...
« Reply #1 on: January 08, 2007, 12:06:15 PM »
Quote from: maikur
What's the consensus here? Is it better to store on the hard drive or type it out each time? The thing that attracted me to this program in the first place is I did not like how other password programs stored lists of passwords on the hard drive.

This is a good question, but due to its nature, one that each person has to answer for themselves...

The fundamental question is one of convenience vs security...

When you store the MP (Master Password) on disk (or in memory), it is stored encrypted - but, because PM is open source, and because PM must be able to decrypt the MP, it would not be difficult for a cracker to write some code to steal your MP if they were able to install their code on your computer.

Quote
On the other hand, I have read some posts from people who claim that typing out the master pw makes you vulnerable to keyloggers.. So I'm kind of confused.

Understandable, but there are acceptable options, even for those super paranoid folks like us!

Yes, if your computer is compromised with a keylogger, the keylogger could grab your MP - but NOT your generated password(s), because they are not actually typed on your keyboard.

There are different ways to deal with these issues, but to give you some ideas...

One thing you can do - and I highly recommend that you do this, but give it some serious thought, and work out a system first - is to modify the Default Settings, and the settings for all of your Custom Accounts (i.e., important financial accounts, etc.) in such a way that it would be difficult to guess how you had modified them - but in such a way that you could reproduce these modifications if it became necessary. Even better, you could use different settings for different types of accounts (which is what I do) - one for unimportant accounts (like online forums, etc.), and one for financial accounts.

Also, keep good backups of your RDF file.

Another way to add another layer of security is to develop a simple yet not easily guessable pattern of adding/replacing characters in your generated passwords that is stored in one place that crackers haven't figured out how to access yet - your head. For example, you could add a certain character (for example, the '$'), in the 3rd position of every generated password. So, when PM populates your password field, you'd have to place your mouse in the field, move the cursor to the 3rd position, and manually enter the '$' character.

Of course, this is also subject to being detected by keyloggers.

The fact is, the only truly secure computer is one that is not plugged into a wall socket. If your computer is compromised by a keylogger, then you have more serious problems you need to deal with.

Quote
I guess I'd ask the developers of this program... what do you do? Type it out or store it on the hard drive?

Although I'm not a developer, personally, I don't store mine at all. I use different MP's for different account types - in fact, I have 5 different ones, for different 'categories' of accounts. I sat down and figured out a system that I was comfortable with on how to categorize them, and it has worked well for me.

Quote
One other dumb question... the FAQ makes it clear... lose your password? Yes, you're screwed... wouldn't that also be the case if you somehow lose your settings?

Yep - which means don't lose them. Suggestions for recovering from a situation where you do lose them, in preferred (most secure) order:

1) modify the settings, but in such a way that you could reproduce the modifications from memory, and/or

2) write down the modifications you make, and put this information in a safe place, or

3) don't modify the settings from the Defaults.

If you are truly paranoid, your head is the safest place (as long as you don't talk in your sleep and your wife/partner doesn't work for the NSA or the IRS or ...), and/or maybe in your Safety Deposit Box at your bank - although this information would be available to law enforcement if they knew about it. This is actually not a bad idea, for one reason: if you have secret stuff that your loved ones may need access to if something happens to you. This is actually something that has concerned me. My system is such that I can re-create these with ease from memory, but if something happened to me, no one would be able to get into my accounts. Now, I'm sorry to say, I don't have millions stashed away in a secret Panamanian bank, but seriously, if I did have anything of substance, I would do something like this so that my wife could get access to everything.
« Last Edit: December 10, 2009, 11:24:36 AM by tanstaafl »
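A constructed illustration of two points in the reply above: a stolen master password plus the publicly known default settings regenerates every site password, while personalised settings and a memorised post-processing rule (the '$' in the 3rd position) do not. This is added here and is not the forum post's or PasswordMaker's own code; the generator and its setting names are assumptions made for the example.

```python
import hashlib

# Constructed stand-in for a deterministic password generator like the one this
# thread discusses. It is NOT PasswordMaker's actual algorithm, and the setting
# names ("length", "charset", "modifier") are assumptions made for the example.
DEFAULT_SETTINGS = {
    "length": 12,
    "charset": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
    "modifier": "",  # extra secret text mixed into the hash; empty by default
}

def generate(master_pw: str, site: str, settings: dict) -> str:
    """Derive a site password from the master password, the site and the settings.
    Nothing is stored; identical inputs always give identical output, which is why
    a stolen master password plus the (public) default settings regenerates
    every site password."""
    charset = settings["charset"]
    material = f"{master_pw}\x00{site}\x00{settings['modifier']}".encode()
    out, counter = [], 0
    while len(out) < settings["length"]:
        digest = hashlib.sha256(material + counter.to_bytes(4, "big")).digest()
        out.extend(charset[b % len(charset)] for b in digest)  # small modulo bias, fine here
        counter += 1
    return "".join(out[: settings["length"]])

def apply_head_rule(password: str, char: str = "$", position: int = 3) -> str:
    """The memorised rule from the thread: put a chosen character in the Nth
    (1-based) position of every generated password before using it."""
    idx = position - 1
    return password[:idx] + char + password[idx:]

def site_password(master_pw: str, site: str, settings: dict) -> str:
    """What the user actually types into the site's password field."""
    return apply_head_rule(generate(master_pw, site, settings))

def stolen_master_only(master_pw: str, site: str) -> str:
    """What someone holding only the master password (e.g. captured by a
    keylogger) and the default settings would regenerate."""
    return generate(master_pw, site, DEFAULT_SETTINGS)

if __name__ == "__main__":
    mp = "correct horse battery staple"  # constructed sample master password
    mine = dict(DEFAULT_SETTINGS, length=16, modifier="bank-2007")  # personal tweaks
    real = site_password(mp, "bank.example", mine)
    guess = stolen_master_only(mp, "bank.example")
    print("used on the site:", real)
    print("from stolen MP  :", guess)
    print("same password?  ", real == guess)
```

The same comparison shows why the reply also insists the modifications must be reproducible from memory or a safe backup: without them, the user is in exactly the position of the outsider and cannot regenerate the password either.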

Offline maikur

  • Normal Members
  • *
  • Posts: 5
Storing Master PW on hard drive vs typing it...
« Reply #2 on: January 08, 2007, 07:27:06 PM »
Thanks for the helpful response... Password management has become a serious issue for myself (and I suspect many others) as I move all my credit card, bank, and stock accounts to paperless online electronic statements... (personally, I think you're far more vulnerable to the postal service than a hacker... can't tell you the number of times the mailman has put the wrong mail in the wrong mailbox at my building, not to mention the possibility of postal employees intercepting sensitive mail... but I digress).

For the various forums, and online newspapers, etc., even the "eatshitanddie" variety of password is problematic because you still have to remember the various usernames. Some usernames are already taken, while others require login with the email address as the username, so it is hard to keep track without a password program.

The problem with other solutions is they rely on software that resides on your computer, and I think most of us have home computers, laptops, computers we use when visiting parents, friends, etc. So you're definitely on the right track with your program. I'll keep tinkering with the settings before diving in head first!

One final question.. do you know if the RDF is considered a data file that will be swept in for automatic backups by software such as Windows OneCare?
« Last Edit: June 01, 2007, 04:08:55 PM by tanstaafl »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Storing Master PW on hard drive vs typing it...
« Reply #3 on: January 08, 2007, 08:06:18 PM »
Quote
One final question.. do you know if the RDF is considered a data file that will be swept in for automatic backups by software such as Windows OneCare?
I'm not familiar with OneCare, so cannot speak specifically for it, but as long as it backs up your Profile folder (C:\Documents and Settings\username\, unless you installed on a drive other than C:) - or, at a minimum, everything in C:\Documents and Settings\username\Application Data - then yes, it would.

Currently, you cannot specify a different directory/path for the RDF file, so it is not currently possible to change where it is stored, but that is a current FR (Feature Request), so feel free to mosey over to the FR list and add your vote. You get a total of 5, so be sure to look over the rest of the Feature Requests and vote for any others you like.


Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Storing Master PW on hard drive vs typing it...
« Reply #4 on: January 11, 2007, 03:02:39 AM »
Great conversation in this thread! Tanstaafl, if you're inclined to copy/paste any of your suggestions to the primary website (passwordmaker.org), let me know and I'll get you access to do so.

LkonKbd

  • Guest
Re: Storing Master PW on hard drive vs typing it...
« Reply #5 on: August 07, 2008, 02:06:57 AM »
Thank you for this warning:
"Warning: this topic has not been posted in for at least 120 days.
Unless you're sure you want to reply, please consider starting a new topic."

Maybe we should setup a thread and call it "True Confessions . . of the DUMBONES" or just the first two words.

"Tanstaafl,"

I for ONE am sure not the only ONE that can agree to the MAX with your post below:

http://forums.passwordmaker.org/index.php/topic,1252.msg1279511.html#msg1279511

and add as a voice of experience. Just as a HABIT do a back-up of that file to a Memory Stick (or whatever you want to call those handy little USB plugins that you may carry around with you) at least once every day, like just before going to bed. Keeping them as child, parent, grandparent or aunt, uncle, niece, cousin, well whatever you like to call them. In other words several copies as back-up, or only when you make any additions or changes to any of your passwords.

Print-out your RDF file every day for a year and then paper your computer room with them and then let anyone that wants to copy them by hand.  That should take them about two or three years of daily visiting your computer room and by then you will know who is stealing your data.  In case you do not recognize this, it is a JOKE.

Thank you for reading my roaster posty,
