7

I tried finding answers on my own before submitting this question, but I failed.

I have banking information which I would like to securely share with my wife. For some reasons she can't just go to a bank and access those accounts.

So I am thinking to write up a document which will contain all of the necessary information.

I need a way to store it securely somewhere accessible. Preferably in the cloud. Of course I wouldn't want to store it just in plain text.

The only way I can think of is putting the document in the password protected ZIP file.

schroeder
  • 123,438
  • 55
  • 284
  • 319
mobdob
  • 71
  • 2
  • 2
    Why does it need to be stored online? Do you not have access to the same computers? Also, what operating systems do you use (Android, iOS, Windows, MacOS, etc.)? Do you expect to need to access the file from mobile devices? – CBHacking Nov 05 '16 at 20:04
  • There are many services that allow you to do exactly this. All use encryption, and all allow you to access the data from a variety of devices. Is that the kind of thing you are looking for? – schroeder Nov 05 '16 at 20:10
  • @CBHacking Both of us are using Windows PCs. And we would prefer an online solution. Computers get broken or stolen. – mobdob Nov 05 '16 at 20:34
  • @schroeder Yes, this is exactly what I am looking for :) – mobdob Nov 05 '16 at 20:35
  • 1
    You could use a secure variant of Dropbox, such as http://spideroak.com. However, if I were you, I would keep my banking information offline. – Out of Band Nov 05 '16 at 22:12
  • By "bank information" are you asking about passwords and login information, routing/account numbers, etc. or do you mean things like statements and other financial records? – Ben Nov 06 '16 at 00:06
  • 1
    @Ben I meant Usernames and passwords and all other necessary information allowing my wife to access the accounts if she needed it. – mobdob Nov 06 '16 at 11:05

7 Answers

6

As soon as I hear "store sensitive information", I think of password managers. That is what they are made for, and some of them do it very nicely. For example, the excellent KeePass allows you to store additional information associated with a particular account. For example, you could create a dummy account to store a Visa card number, its PIN, validity date and 3-digit key.

You can use only local storage and synchronize different databases provided they can be visible from one machine. For example, it is trivial to synchronize a desktop or laptop, a tablet and a smartphone. Synchronization is indeed one of the nicest features of KeePass.

You can also have the database somewhere in the cloud, and use a random file of several kbytes as a key that you securely store on each device where you want to use it. You can even combine that key file and a password for higher security (something you have and something you know).

The only drawback is that whatever the key is, it must be the same for all devices or users if you want to share the sensitive information. And as we all know, a secret that is shared between more than two persons/devices is no longer a secret. But anyway, it would not be worse than an encrypted zip file, and the key file would even add some security because it will resist dictionary attacks by design, and even brute force will be hard to use because the entropy of the key file is high.

Tanath
  • 127
  • 5
Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84
  • The OP has confirmed in comments they're talking about sharing login information, so a password manager is probably the best solution here. It's worth noting that many of the big-name password managers (e.g. LastPass, 1Password, Dashlane) actually offer secure password sharing as a feature. I use KeePass myself but using one of the big paid services would be easier for many people than juggling multiple password databases like you'd need to do to share passwords in KeePass. – Ben Nov 07 '16 at 13:29
  • @Ben: I used KeePass as an example of a password manager here, because I know it. Maybe others are better but I do not know them enough to do an honest comparison. – Serge Ballesta Nov 07 '16 at 13:57
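
The answer above argues that a high-entropy key file defeats dictionary attacks even when the password is weak. As an added example (not part of the original answer, and not KeePass's actual key derivation), this Python sketch mixes a password and a key file into one key and runs a small wordlist against it with and without the key file; the function names, the PBKDF2 stand-in and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # illustrative work factor for the key-stretching step

def master_key(password: str, key_file: bytes, salt: bytes) -> bytes:
    """Derive the database key from the password AND the key file."""
    # Hash each factor, then hash the pair, so both are needed to
    # reproduce the input of the slow derivation below.
    pw = hashlib.sha256(password.encode("utf-8")).digest()
    kf = hashlib.sha256(key_file).digest()
    mixed = hashlib.sha256(pw + kf).digest()
    return hashlib.pbkdf2_hmac("sha256", mixed, salt, ITERATIONS, dklen=32)

def dictionary_attack(verifier, salt, wordlist, key_file=b""):
    """Try every word; return the one whose derived key matches, else None."""
    for guess in wordlist:
        if hmac.compare_digest(master_key(guess, key_file, salt), verifier):
            return guess
    return None

def demo():
    # Constructed sample data: a weak password that IS in the wordlist.
    password = "sunshine1"
    wordlist = ["123456", "password", "sunshine1", "qwerty"]
    key_file = secrets.token_bytes(4096)   # "several kbytes" of random data
    salt = secrets.token_bytes(16)
    # Stand-in for "the database opens": a check value derived from the key.
    verifier = master_key(password, key_file, salt)
    # Attacker copied the cloud database (salt + verifier) but not the key file.
    cloud_only = dictionary_attack(verifier, salt, wordlist)
    # Attacker also obtained the key file from a device: the weak password falls.
    with_key_file = dictionary_attack(verifier, salt, wordlist, key_file)
    return cloud_only, with_key_file

if __name__ == "__main__":
    print(demo())
```

The second result shows why the key file has to stay off the cloud storage that holds the database: once both are in the same place, only the password protects the data.
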
2

For that situation you can use GPG encryption + steganography

Simple example with a picture of your preferred cat:

  1. Encrypt the information file.txt: `gpg -c file` (will create file.gpg)

  2. Put the file in a picture and secure it with another password: `steghide embed -cf cat.jpg -ef file.gpg`

Share that with your wife wherever you wish, from a social network to Google Drive; she will just have to extract the data:

  1. Extract the file.gpg from the picture with: `steghide extract -sf cat.jpg`

  2. Make the file readable: `gpg file.gpg`

Done.

aurelien
  • 253
  • 2
  • 13
  • 1
    So yes, that means that my own logo here contains more than you can just see! – aurelien Nov 06 '16 at 19:34
  • If that could help you, I have just created a simple command line program to do that https://github.com/aurelien-git/cryptosteg – aurelien Nov 06 '16 at 22:19
1

As for myself, I use Cryptomator to encrypt some of my Google Drive stuff on the cloud. This app even encrypts the filenames (but not the timestamps) and also takes care of the Windows 256-byte path length limit.

Simon East
  • 440
  • 5
  • 10
Ron
  • 11
  • 1
0

Using something like gpg would be more secure than just a password-protected file, because passwords can be brute-forced but PGP/GPG private keys cannot. The problem is that this requires having your key handy when you need to decrypt the file. It also requires having an OpenPGP client to use that key. Such clients are pretty commonplace - gpg is a free and open-source one available for multiple platforms - but a random library computer or whatever probably won't have one.

If you do use password-protected ZIP, make sure it's the newer version of Zip encryption; the original one is weak and very easily broken. Of course, not all Zip handlers support the new version. I use 7-Zip personally (on Windows; there are other options for other platforms), and it works quite well, but again not all computers will have it.

It's unclear why you need to store this information online, or how you plan to access it. With more information we could offer more suggestions.

CBHacking
  • 40,303
  • 3
  • 74
  • 98
  • Thanks again for your explanation. We are using Windows-based PCs and we would prefer an online solution because it just seems more convenient. Hard drives break, laptops get stolen, pendrives get lost. I also would need a solution which would provide a reasonable amount of protection whilst remaining easy to use. Yes I know, that means sacrificing security for convenience. That means using PGP would complicate things in case my wife needed to decrypt the information on her own. – mobdob Nov 05 '16 at 20:44
  • 1
    @mobdob `Computers get broken or stolen.` -- encrypted file uploaded to some cloud service, such as [MEGA](https://mega.nz). – Samuel Shifterovich Nov 05 '16 at 21:33
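
The answer above distinguishes the original ZIP encryption from the newer scheme. As an added example (not part of the original answer), this Python sketch reads an archive's central directory and reports which scheme each entry uses: general-purpose flag bit 0 marks an encrypted entry, and compression method 99 with extra field 0x9901 marks WinZip-style AES. The function names and the sample bytes are constructed for illustration.

```python
import struct

AES_BITS = {1: 128, 2: 192, 3: 256}  # strength byte of the WinZip AES extra field

def aes_strength(extra: bytes) -> str:
    """Find extra field 0x9901 and return e.g. 'AES-256'."""
    i = 0
    while i + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, i)
        if field_id == 0x9901 and size >= 7 and i + 11 <= len(extra):
            return f"AES-{AES_BITS.get(extra[i + 8], '?')}"
        i += 4 + size
    return "AES-?"

def zip_encryption_report(data: bytes) -> dict:
    """Map each entry name to 'none', 'ZipCrypto (legacy)' or 'AES-<bits>'."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    report = {}
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        n_len, x_len, c_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + n_len].decode("utf-8", "replace")
        extra = data[pos + 46 + n_len:pos + 46 + n_len + x_len]
        if not flags & 0x1:            # bit 0 clear: entry is stored in the clear
            report[name] = "none"
        elif method == 99:             # method 99 marks WinZip AES (AE-1/AE-2)
            report[name] = aes_strength(extra)
        else:                          # bit 0 set with an ordinary method
            report[name] = "ZipCrypto (legacy)"
        pos += 46 + n_len + x_len + c_len
    return report

def _entry(name: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Build one central-directory record (constructed sample, no file data)."""
    return (b"PK\x01\x02" + struct.pack("<HHHH", 20, 20, flags, method)
            + bytes(16) + struct.pack("<HHH", len(name), len(extra), 0)
            + bytes(12) + name + extra)

# Constructed sample: central directory only, which is all the check reads.
AES_EXTRA = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
_cd = (_entry(b"readme.txt", 0, 8) + _entry(b"old.txt", 1, 8)
       + _entry(b"bank.txt", 1, 99, AES_EXTRA))
SAMPLE = _cd + b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 3, 3, len(_cd), 0, 0)

if __name__ == "__main__":
    for name, scheme in zip_encryption_report(SAMPLE).items():
        print(f"{name}: {scheme}")
```

To check a real archive, pass the file's bytes to `zip_encryption_report`; any entry reported as ZipCrypto should be re-created with AES selected in the archiver.
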
0

Open two GMail accounts and store the banking information in one, the bank information on the other, as messages sent to the accounts themselves.

E.g.

From: john.doe@gmail.com
To  : john.doe@gmail.com
Subj: Account Alpha

user foo
pass bar

From: zeke.ruesch@gmail.com
To  : zeke.ruesch@gmail.com
Subj: Account Alpha

First Merchant Bank, https://firstmerchantba.nk/login

That way:

  • an attacker would need to guess both account names (you won't use your own name, also for convenience, since these accounts will be used for nothing else - you'll have perhaps hubbyandwifeflowers and hubbyandwifebees), and both passwords.
  • anyone getting a peek at any one of the two accounts (but not both, of course) would find himself unable to use the information,
  • you can access the accounts from anywhere, provided there's a connection and GMail is up.
  • the pages being accessed via HTTPS, they won't be stored on the local PC, and they won't be intercepted in transit.

All that remains is making sure the PC you're using is not laden with spyware and keyloggers, and is not perhaps connected to a rogue AP performing MitM. So if you're traveling in Lower Crookia and checked in a hotel, and the PC says something fuzzy about the security certificates, please remember not to log in.

On the security of encrypted ZIP documents

Probably we would need to agree on some use case scenarios. The fact that secure key storages (with cloud backups) are famously available for most smartphones - I myself use SplashID - and yet we're debating encrypting ZIPs makes me think that two important requirements have to be:

  • accessibility from anywhere, i.e. relying on third-party hardware
  • possibility of flexible storage, i.e. not simply user/password pairs, possibly not even the multiple fields of SplashID.

In this scenario, an encrypted ZIP file is by no means secure, and possibly not even available. The PC being used needs a ZIP compatible software installed with password support, and the password must be entered through the keyboard, making it exactly as vulnerable to keyloggers as any other method.

Moreover, the text file will have to be read once decrypted. On most systems this means not only that the file will be available in plain text on the system for as long as it's being read (which does not happen for HTML pages on HTTPS sites, for example), but that parts of the text, and possibly the text in its entirety, will still be available for an unknown period of time in the memory swap file and/or disk temporary areas and/or filesystem slack space. Depending on what the text editor actually is, a backup of the unencrypted file might be left lying on the system with the user none the wiser.

LSerni
  • 22,521
  • 4
  • 51
  • 60
  • ...would the downvoter please explain? This *does not* claim to be a recommended practice in any way, just something that meets the OP's requirements of cloud storage and accessibility. Depending on the scenario, the proposed encrypted ZIP storage might actually be **less secure**. – LSerni Nov 06 '16 at 18:27
0

If you are up to using an online service, do you not mind the service provider technically being able to read your data? If so, use any major web-based online notes service that utilizes HTTPS (for example, Evernote) and share the account username/password with your wife in some secure way.

You could also use those online services to share encrypted or password-protected files (e.g. ZIP as you suggested), but bear in mind that in that case your wife would need to download the file on her computer and unencrypt (which would compromise the data if her computer is hacked) — as opposed to only seeing the data in the browser over HTTPS while the window is open.

Greendrake
  • 669
  • 1
  • 8
  • 17
  • It seems that having a password protected ZIP file is the most convenient option for me. Thank you for your comment. – mobdob Nov 06 '16 at 11:06
-1

Standard passworded document (which covers the .zip part explained above since docs are actually .zips so it is pretty much useless putting the document in the password protected ZIP file) inside an encrypted container like the ones TrueCrypt can make.

That way, you have a file that is the container and it can hold any brute force attacks as long as the password is good enough, and then you have the password of the document itself as secondary safety.

Overmind
  • 8,779
  • 3
  • 19
  • 28