Kilroy MVM join:2002-11-21 Saint Paul, MN
1 recommendation |
Kilroy
MVM
2014-Nov-19 1:55 pm
Malware attacks Password Managers
Citadel attackers aim to steal victims' master passwords
said by Ars Technica: The research found that a configuration file, which attackers use to tailor the Citadel trojan for specific campaigns, had been modified to start up a keylogger when the user opened either Password Safe or KeePass, two open-source password managers.
|
|
Buddel If it ain't broke, don't fix it. Premium Member join:2004-03-06 EU
3 recommendations |
Buddel
Premium Member
2014-Nov-19 2:00 pm
This is the reason why my password manager is a sheet of paper. |
|
Kilroy MVM join:2002-11-21 Saint Paul, MN |
Kilroy
MVM
2014-Nov-19 3:03 pm
This is the reason I have two factor authentication for LastPass. I don't even use my password for security on machines I log into normally. That's the easy part to get. |
|
seaman Premium Member join:2000-12-08 Seattle, WA |
to Kilroy
Incredibly disappointed to read this but grateful that you posted it. |
|
Kilroy MVM join:2002-11-21 Saint Paul, MN |
Kilroy
MVM
2014-Nov-19 3:07 pm
I know a lot of people here use either Password Safe or KeePass. LastPass is free for computer use and inexpensive, a dollar a month, for portable devices and two factor authentication. |
|
|
|
to Buddel
said by Buddel: This is the reason why my password manager is a sheet of paper.
I use a little card-file case. |
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN |
to Buddel
Simple sheets of paper are not protected. |
|
NOYB St. John 3.16 Premium Member join:2005-12-15 Forest Grove, OR |
NOYB
Premium Member
2014-Nov-19 6:34 pm
said by Dustyn: Simple sheets of paper are not protected.
That is a very broad statement that is not completely accurate. And in some cases very far from accurate. Protected against/from what? |
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
|
Dustyn
Premium Member
2014-Nov-19 6:42 pm
Well, it was a reply to a rather broad statement in the sense that a piece of paper in itself offers little to no security. Writing down passwords on a piece of paper is not the best idea as it's plainly visible and not encrypted. Plus, do you have backups of your paper? A single sheet of paper can be easily destroyed or misplaced, thus not protected by default. |
|
NOYB St. John 3.16 Premium Member join:2005-12-15 Forest Grove, OR |
NOYB
Premium Member
2014-Nov-19 7:00 pm
Visible to who?
How do you know whether or not it is encrypted?
Paper can be backed up, and stored safely.
|
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN |
Dustyn
Premium Member
2014-Nov-19 7:02 pm
That's the point... at the moment we don't know. It was a very broad statement that I addressed in the form of a very broad reply. |
|
DrStrange Technically feasible Premium Member join:2001-07-23 Bristol, CT 1 edit
1 recommendation |
to NOYB
I've been known to encrypt things I write down. |
|
NOYB St. John 3.16 Premium Member join:2005-12-15 Forest Grove, OR |
to Dustyn
said by Buddel: This is the reason why my password manager is a sheet of paper.
That is the original statement. Without any details you leaped to the assumptions that it is not protected (not backed up, not stored securely, is plainly visible, and not encrypted). For which there is no basis from the original statement. |
|
NOYB |
to DrStrange
said by DrStrange: I've been known to encrypt things I write down.
Don't know that I can say I've been known for it, but certainly can say I have at the very least obscured things I've written down to the extent it would do no possessor of it any good. |
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
1 recommendation |
to NOYB
Unless otherwise stated, it is an accurate assessment. A sheet of paper in itself offers no protection unless otherwise noted. Unable to break it down to you in any simpler terms. |
|
NOYB St. John 3.16 Premium Member join:2005-12-15 Forest Grove, OR |
to Kilroy
Interesting that this follows shortly after we had a discussion here in this forum about exactly this issue of password managers' vulnerability to malware.
This is why I do not include the username nor correct password for financial or sensitive accounts in my password manager.
Some sites, such as Fidelity, have an implementation of remember me feature that keeps the username secure. So for those sites I use that feature for the username.
|
|
NOYB |
to Dustyn
said by Dustyn: Unless otherwise stated, it is an accurate assessment.
No. It is an assumption.
said by Dustyn: A sheet of paper in itself offers no protection unless otherwise noted.
Neither does a database. Not even a password manager database. It is not inherently in itself secure, encrypted, backed and inaccessible to unauthorized access. It has to be made so. Same as with paper documents.
said by Dustyn: Unable to break it down to you in any simpler terms.
No need. You've already over simplified it with your claim that simply being on a piece of paper leaves the information (contents) unprotected. |
|
Blackbird Built for Speed Premium Member join:2005-01-14 Fort Wayne, IN
2 recommendations |
to Kilroy
Passwords are data. Paper is a storage medium. As with any storage medium, data security is derived only by a process of encryption before the data is applied to the medium or by fully securing the medium after the data is applied. In that regard, data on paper is essentially equivalent to data stored in a computer that is unconnected in any way to a network... that is, it physically limits the universe of unauthorized access attempts. Regarding passwords, if it matters, I keep it only on paper; if it really matters, I encrypt it on paper; if it really, really matters, I lock up or hide the encrypted paper. |
|
applerule Premium Member join:2012-12-23 Northeast TN |
to Kilroy
I use KeePass with the secure desktop option on...wonder if that would help "mitigate" this threat, at least against the master key?
I would assume the logger could grab the data from auto-type anyway though... |
|
NOYB St. John 3.16 Premium Member join:2005-12-15 Forest Grove, OR 1 edit |
to Blackbird
said by Blackbird: Passwords are data. Paper is a storage medium. As with any storage medium, data security is derived only by a process of encryption before the data is applied to the medium or by fully securing the medium after the data is applied. In that regard, data on paper is essentially equivalent to data stored in a computer that is unconnected in any way to a network... that is, it physically limits the universe of unauthorized access attempts.
Exactly. You stated it very well. It's not the storage medium. It's how the contents (data) is stored on the medium (encryption) and how the medium is processed, stored, backed up, etc. Thanks for chiming in. |
|
Ian1 Premium Member join:2002-06-18 ON
1 recommendation |
Ian1 to Kilroy
Premium Member
2014-Nov-19 11:13 pm
to Kilroy
This is about Malware that uses a key-logger. Technically keying it in is the risk point, whether that's into a password manager from memory or a slip of paper into your banking site directly. 2-Factor if you're worried, but up-to-date A/V and not clicking dubious links and phishing e-mails would still seem to be the way to go. No system is perfect. |
|
NOYB St. John 3.16 Premium Member join:2005-12-15 Forest Grove, OR 4 edits |
NOYB
Premium Member
2014-Nov-19 11:56 pm
said by Ian1: This is about Malware that uses a key-logger.
Yes that is the subject of this thread. But we took a little tangent detour to argue about a paper based password manager not being protected. Presumably simply because it is paper based.
said by Ian1: Technically keying it in is the risk point, whether that's into a password manager from memory or a slip of paper into your banking site directly.
Malware obtaining the password manager master password could be a more significant issue though due to gaining access to all the user's accounts at once in one fell swoop. Of course 2FA for the password manager should be able to prevent this though. Which then still leaves the individual accounts susceptible to the key logger. But at least it is less exposure. One account at a time. In such a case hopefully the malware is found quickly to limit the extent of the breach. And then there are sites like Fidelity that I believe have a secure remember me feature implementation in which the username is not exposed at the client. So a key logger should only be able to get the password and not the username. So if the username is not in the password manager and the remember me feature is enabled the username should remain unknown to the attacker. |
|
David Premium Member join:2002-05-30 Granite City, IL |
to Kilroy
I use an old Windows 3.1 program for mine. Most I will do with it is put it inside say Dropbox if I need it put to my laptop, or most times I remote into the machine (TeamViewer) and view it on the machine at the house. So I never keep the passwords on me. |
|
vaxvms ferroequine fan Premium Member join:2005-03-01 Polar Park
1 recommendation |
to NOYB
said by NOYB: Protected against/from what?
The dog ate my password. |
|
sivran Vive Vivaldi Premium Member join:2003-09-15 Irving, TX
1 recommendation |
to Ian1
said by Ian1: 2-Factor if you're worried, but up-to-date A/V and not clicking dubious links and phishing e-mails would still seem to be the way to go. No system is perfect.
Exactly. Every system has a weakness, and that's why security is practiced in layers. |
|
MaynardKrebs We did it. We heaved Steve. Yipee. Premium Member join:2009-06-17 |
to Blackbird
And if it really, really, really, really matters your locked-up, encrypted piece of paper is edible rice paper just in case the black helicopters arrive. |
|
|
to applerule
said by applerule: I use KeePass with the secure desktop option on...wonder if that would help "mitigate" this threat, at least against the master key? I would assume the logger could grab the data from auto-type anyway though...
Yes, enabling/using a secure desktop option to enter the master password would tend to protect against these types of exploits. However it is not a guarantee. The use of multi-factor authentication also would help protect against these types of attacks since they would make the password on its own useless. |
|
Dustyn Premium Member join:2003-02-26 Ontario, CAN
1 edit |
to NOYB
said by NOYB:
said by Dustyn: Unless otherwise stated, it is an accurate assessment.
No. It is an assumption.
said by Dustyn: A sheet of paper in itself offers no protection unless otherwise noted.
Neither does a database. Not even a password manager database. It is not inherently in itself secure, encrypted, backed and inaccessible to unauthorized access. It has to be made so. Same as with paper documents.
said by Dustyn: Unable to break it down to you in any simpler terms.
No need. You've already over simplified it with your claim that simply being on a piece of paper leaves the information (contents) unprotected.

Nope, it is an accurate assessment based on the information provided in the posting.
said by Buddel: This is the reason why my password manager is a sheet of paper.
My oversimplified claim was an observation based on the "information provided". A sheet of paper in itself offers no security. This is a fact in itself. Whether you agree with it or not is irrelevant. Information on a sheet of paper is unprotected by default. If it's protected by some means, then it should be stated as such. |
|
vaxvms ferroequine fan Premium Member join:2005-03-01 Polar Park |
vaxvms
Premium Member
2014-Nov-20 6:52 pm
said by Dustyn: A sheet of paper in itself offers no security. This is a fact in itself. Whether you agree with it or not is irrelevant. Information on a sheet of paper is unprotected by default. If it's protected by some means, then it should be stated as such.
Kinda, but no. You can't make the broad all-encompassing statement that a sheet of paper is unprotected. You can't assume that the location of that sheet is in a location that offers no security or lots of security. If I keep a list on a piece of paper in my home or work it could or could not be in a "secure" location. A computer or pad or phone without a password is more insecure than a sheet of paper. ASSUME NOTHING. |
|
Majestik World Traveler Premium Member join:2001-05-11 Tulsa, OK |
to Dustyn
said by Dustyn: Simple sheets of paper are not protected.
Mine are protected. It's with my important papers I have in a small sealed strong box I've insulated myself with heat resistant material used on jet engines. And this box is bolted in my 600lb fireproof safe. And that is bolted to the floor and inside my walk-in closet which is a tornado shelter. But I can remember my 30 plus character passwords I use daily or weekly. |
|