Few questions about how to be more secure with passwords (lastpass, onepassword, 2 step auth)

I'm looking at the following:

1password (love the UI, don't mind the price), lastpass (love yubikey, hate the interface), keepass (hate the interface even more).

I want to use 1password however I'm scared of the following scenario because my GMail recently got "hacked".

I have 2 computers + iPhone. (one MBP, one PC).

I'm not worried about my MBP but if I'm syncing my 1password file in Dropbox between the computers and someone gets ahold of my PC, they'd be able to potentially keylog my master password and then acquire my file from Dropbox then they'd have access to everything in the password list.

Am I too paranoid to be thinking that, or is that type of vector something to be afraid of? Because of this, it makes me feel like I really want a multi-factor authentication method to really protect me.

Thoughts?

Daniel Fischer

Posted 2011-05-11T20:22:27.213

Reputation: 1 401

Answers

The scenario you suggest is theoretically possible. You can minimise the risk of it by using the Dropbox client rather than accessing Dropbox over the web. Your account will be pre-associated with your computer, and you will not be typing in your Dropbox password, so there's little chance of them grabbing it with a keylogger. Another possibility is to keep your password database on a Truecrypt encrypted USB key, or encrypted in some way on your iPhone rather than an online file sharing service, making it even trickier to get hold of your password file, as it will never be stored anywhere except where you physically are. Of course, if they have enough access to install a keylogger, they may well have enough access to grab your database file off your local storage anyway.

If you want to avoid password managers entirely but still have memorable passwords, then I recommend the approach advocated by University of Cambridge security researcher Ross Anderson. Create passwords by using the first letter of long phrases as this will enable you to generate long (i.e. difficult to crack) passwords that are still memorable. I actually use this technique (with modifications to increase entropy by including numbers and punctuation) to create master passwords that are very secure which I can remember. See http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-500.pdf for more details.

Any security measure you take will be a trade off between convenience and security. A highly paranoid user will never enter their passwords from a machine they do not control, and only ever send passwords over the Internet via https. Naturally this will limit the number of places from which you can access your password protected stuff.

Unless you think that someone is particularly likely to want your specific data, chances are any attacks on your password security will be low level trawls for low hanging fruit. As such the hacker is likely to be using automated tools, and is unlikely to go to the special effort of working out what password manager you're using, grabbing the password file etc. If you think you are likely to be a victim of targeted attacks, remembering separate high entropy passwords for all your sensitive accounts, and only accessing them from PCs you control with up to date antivirus and antimalware is probably the best way forward.

Christi

Posted 2011-05-11T20:22:27.213

Reputation: 915

The part I'm worried about is not so much that Dropbox requires a password it's the fact that since my PC or MBP is already "preauthenticated" the folders show up as a normal system. So if someone gained access to my HD either through a backdoor or physically they could copy the "master password list" and then probably also get my master password through a similar vector. – Daniel Fischer – 2011-05-12T02:15:18.583

Touching on above, it seems that the only secure thing to do would be to keep it on a "usb" drive which is also encrypted. Unless I had some multifactor authentication in place with 1password but that doesn't seem possible. – Daniel Fischer – 2011-05-12T02:16:03.417

Excellent answer. Regarding "... A highly paranoid user will never enter their passwords from a machine they do not control ...," this is where OTP (One-Time Passwords) can actually be very helpful since after one use the password is no longer valid (although this still doesn't resolve the other potential problems associated with using an uncontrolled computer): http://en.wikipedia.org/wiki/One-time_password

– Randolf Richardson – 2011-05-12T04:37:14.017

@user29336 Using a usb drive to store your password file would reduce the risk further, but if your computer is compromised, there's nothing to stop the attacker pulling the file off the USB key. All you're doing is reducing the attack window a little further. Like I say above this is trading convenience for an improvement in security, but it will not prevent attack completely. – Christi – 2011-05-21T11:11:44.863

Use a password keeper (the ones you mention are fine ... I use keepass) and make the master password the words to a song, something that could not be breached with automation in any kind of reasonable time. And a few numbers to the end.

Here is the important part. For each website or system you use make a different password, use the auto generated one from the program you're using and make different ones for each site. Don't try to have passwords you can remember except for your program. It is folly otherwise.

pcunite

Posted 2011-05-11T20:22:27.213

Reputation: 1 126

Paranoia is the foundation of good password management -- if you need to have a password for something, then paranoia is appropriate (especially where the internet is involved).

Regarding passwords, using the same password in more than place can increase the risk of exploitation by a dark hacker who determines what one of your passwords is. The problems with password mechanisms is when someone else gets ahold of them (which is basically the same problem with someone getting access to a master of list of passwords).

Unfortunately password security is a social problem that technology will never be able to solve completely as per the famous saying "where there's a will, there's a way." The fact that you're concerned about this is a good thing.

Randolf Richardson

Posted 2011-05-11T20:22:27.213

Reputation: 14 002

As a side-note: If you do keep a list of passwords somewhere, make sure you keep that file encrypted. Although there are many solutions, you may find that http://www.TrueCrypt.org/ (free and open source) is the most convenient because it can encrypt your entire hard drive (including your bootable drive), or a small virtual hard disk that resides in a file of whatever size you specify (unlike many hard drive encryption tools, there's no backdoor for "the feds" with a court-order/subpoena): http://www.truecrypt.org/

– Randolf Richardson – 2011-05-11T20:36:21.473