mouse
Premium
join:2007-03-29
australia
| Can I use Gmail to store password?
I am toying with the idea of using Gmail (always accessible, not related to my hardware) to store some passwords. Obviously there are security implications.
1) If I were to sent me an email that inconspicuously contained a password somewhere in the text (obviously without the subject password mentioned in the header or body), how likely is it that someone would notice either in transit or when hacking Gmail (not concerned about the government sifting through my mail)? Would that be safety due to "needle in a haystack" or are there programs that could and do easily search for possible password combos so that the haystack analogy does not fly?
2) If I used a zip program for encryption or a "proper" encryption program before emailing, would that make my email more "interesting" for outsiders? I assume given the volume of internet traffic, unless something specific flags any email, it's unlikely anybody would bother trying to crack an email like this - or am I wrong?
3) What is the best way to store a password or password file? I guess a harddrive can burn out, a flash-drive can be lost or stolen, so you need a backup. Where and how to store this securely and conveniently? And as this backup is probably encrypted again, we come back to pt 1). It seems silly having all your passwords in a central storage container with a secure masterpassword, when you could forget this password. |
|
SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK
1 edit |  I happen to use eWallet to save passwords and other account type information in an encrypted file. In my case I save a copy off to my wife's XP Pro desktop, our Windows Home Server [WHS] and my brothers WHS (in Florida). With the WHS, in either location, I have secure remote access to the eWallet data file via a SSL data link. I feel pretty secure with that scheme.
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience |
|
dvd536
as Mr. Pink as they come
Premium
join:2001-04-27
Phoenix, AZ
| reply to mouse
Security by obscurity is never a good idea.
if you do the passworded archive, put the file a few subdirs deep. some crackers have issues with nested subdirs.
--
When I gez aju zavateh na nalechoo more new yonooz tonigh molinigh - Ken Lee |
|
HA Nut
Premium
join:2004-05-13
USA
1 edit | reply to mouse
The hidden word Google idea might be ok to a point, but if a password doesn't stand out in an email, it seems it may not be a very good password (since dictionary type attacks try all known "regular" words are one of the first things hackers try.)
Emailing encrypted files can sometimes be a hassle depending on how filters are set up. Where I work, all archives are blocked from email, both incoming and outgoing. Of course, Gmail has a web interface which might help (although again, where I work, all .ZIP files are blocked from downloads.)
The other issue with Gmail is time. Even on high speed access, Gmail navigation sometimes feels slow to me. Especially the initial logon. (Don't get me wrong, I like it. But it's not the fastest thing going.)
As for one master password, it's a double edged sword. It may not be very safe because if it's the one and only key, and you know it, you're in. But if it's a good enough password, and it's the only one you need to remember, it may also be the overall safest to use if the database it opens contains all different, "good" passwords. (Human nature being what it is, many users tend to use the same password or minor derivatives of it at most sites and this can reduce overall safety.)
I use KeePass 1.12 and keep the databases (work and home) I use on a USB flash drive. I keep a duplicate copy of the databases on a second, well hidden, flash drive. (KeePass 2.x is nothing I will ever be interested in.)
The databases are natively encrypted by KeePass when not in use and I use only single character file names, so it's not very intuitive to figure out what one is looking at. (Of course, if someone who looks at the flash drive knows what a .kdb file is, they would know it's a KeePass file. But that's all they would know.)
»keepass.info/ |
|
Pentangle
With our thoughts we make the world.
Premium
join:2006-06-01
Vancouver BC
 ·Shaw
| I follow similar procedures to HA Nut  . I also keep duplicate copies on Password Safe v3.13 using both thumb drives and DVDs. The master password I use is fairly complex and burned into my memory (I also have it written on a piece of paper that I keep in a secure place that no one would think to look or have access to).
--
Life is like stepping onto a boat which is about to sail out to sea and sink. - Shunryu Suzuki-roshi
|
|
dave
Premium,MVM
join:2000-05-04
not in ohio
 ·Verizon Online DSL
 ·Verizon FIOS
| reply to mouse
You could, for example, write a paragraph in which the initial letter of every tenth word was a letter in your password. That would, I imagine, be perfectly secure. Even though it is 'security by obscurity', much derided by the semi-knowledgeable (which group includes me). The crux of the biscuit is that no-one's looking for your password in gmail.
But what's the point? Get a notebook, label it 'my poetry', fill it full of gibberish, and you can accomplish the same thing. The only thing you don't manage is accessible-from-anywhere. If you get your poetry actually published, you can solve that part 
I'd much rather trust in having the notebook accessible when I really need it than I would trust that I can get to Google mail forever. |
|
sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable
| reply to mouse
Convert your important passwords to SFSP style passwords.
I use SFSP for important stuff, and one of a list of "normal" passwords for more trivial stuff.
I also keep my passwords in PasswordSafe, and have SyncBack (free version) set up to back it up to other computers on my network regularly. I'm thinking of also adding in a job to upload it to my webhost, in a non-web-accessible place of course.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause... |
|
mouse
Premium
join:2007-03-29
australia
| reply to mouse
I am actually using Keepass (though was not aware that there is later version, so will update later). I also do backup on a USB - the reason for the gmail idea is a certain fear I might forget my masterpassword. Writing it down and keeping it in a poetry book is fine but what if the house burns down? I could give it to a friend but that's not as convenient as checking your inbox for the hidden word. I guess it's all rather hypothetical |
|
SAFFR0N
@anonymouse.org
| reply to mouse
said by mouse :I am toying with the idea of using Gmail (always accessible, not related to my hardware) to store some passwords. Obviously there are security implications. I wouldn't write anything on Gmail that I didn't want the whole world to see.
"Gmail" and "security" should never be used in the same sentence! |
|
