AutoHotkey Community, General Chat
Looking for Password Safe App (page 1 of 2; all times are GMT)
toralf (Joined: 31 Jan 2005, Posts: 3841, Location: Bremen, Germany)
Posted: Sun Apr 02, 2006 4:29 pm    Post subject: Looking for Password Safe App

Hi,

I'm looking for an app that can store passwords and short text passages in a safe format, kind of a password safe. Could someone please recommend one/two/three apps?

When I google for it, it gives too many hits. So I would like to use your experience to filter those hits.

Thanks a lot
_________________
Ciao
toralf

Titan (Joined: 11 Aug 2004, Posts: 5382, Location: /b/)
Posted: Sun Apr 02, 2006 4:53 pm

When you're looking for programs, search for them on Download.com. There is a whole section dedicated to Security & Encryption, so you should check it out.

Laszlo (Joined: 14 Feb 2005, Posts: 4078, Location: Pittsburgh)
Posted: Sun Apr 02, 2006 6:58 pm

I use the Google toolbar, but other Explorer toolbars also have password safes. Why don't you use AHK? It can encrypt short files fast enough. If you are after really high security, PGP is the best, because it uses all kinds of tricks to prevent Windows from writing secure data to the swap file, or even from letting it out of the processor cache.

sosaited (Joined: 24 Feb 2005, Posts: 233)
Posted: Sun Apr 02, 2006 7:08 pm

I am using PINS for saving passwords of my E-mail addresses, etc.

- Open Source.
- Uses the 448-bit Blowfish algorithm.
- Can be used even if you move its directory to somewhere else.
_________________
My small "thanks" to AHK in shape of these dedicated 3d images (Topic already in "General" Forum)

evl (Joined: 24 Aug 2005, Posts: 1239)
Posted: Sun Apr 02, 2006 7:50 pm

I guess it depends on what you're using it for, but the idea of storing all my user details in one place scares the **** out of me ;) It's not unlike dangling my wallet out of my window on a piece of string (but replace the string with a network cable/modem cable :D )

PhiLho (Joined: 27 Dec 2005, Posts: 6721, Location: France (near Paris))
Posted: Sun Apr 02, 2006 7:59 pm

I don't use one, but I know that KeePass is highly ranked in SourceForge projects.

Quote:
KeePass Password Safe is a free, open-source, light-weight and easy-to-use password manager for Windows. You can store your passwords in a highly-encrypted database, which is locked with one master key or key-disk.

_________________
vPhiLho := RegExReplace("Philippe Lhoste", "^(\w{3})\w*\s+\b(\w{3})\w*$", "$1$2")

Guest
Posted: Sun Apr 02, 2006 8:27 pm

That can be done in AHK, can't it?

Laszlo (Joined: 14 Feb 2005, Posts: 4078, Location: Pittsburgh)
Posted: Sun Apr 02, 2006 10:51 pm

There are pure AHK encryption solutions (RC4, TEA); others could use DLLs. In the case of a small file, 128-bit keys are enough; 500-bit keys are just wasting resources. The only thing AHK cannot do directly is to prevent secrets from being written from the processor cache to memory (where a bus analyzer can catch them on the way, and a kernel-level program could read them from the RAM) or swapped to disk as part of the virtual memory (where a disk editor could access them long after their use). Especially bad is this latter one: you never know if your secrets are in the clear on your disk.

In general open source is better for security, but without cache and memory locks they are not secure against sophisticated attacks. I have not seen these locks in open source security software. Have you?

Windows can encrypt folders and files, too. Prior to XP this was not very secure, but I have not heard about serious weaknesses in the Windows XP encryption. Still, it is SW-based encryption, which is vulnerable to root-kits, viruses, key loggers, etc.

The highest security is provided by hardware-based encryption. Use encrypting disk drives. Seagate is shipping samples; soon you can buy them. Others offer poor solutions, like Excelstor. (Can you guess which company I work for?)

evl (Joined: 24 Aug 2005, Posts: 1239)
Posted: Sun Apr 02, 2006 11:17 pm

How long does it take to crack different levels of encryption these days? I know there are distributed projects that work on various challenges and that recently various weaknesses have been talked about, like in RC5.

Regarding unencrypted data at various stages, shouldn't it be possible to never store the full password somewhere in the first place? E.g. using an edit box for each character and then reading them in turn and over-writing the previous character in memory by using the same variable?

The thing I don't like about Windows' own encryption is, as I recall, that you need to make a recovery disk to back up the necessary credentials. If your operating system dies and you need to get the encrypted files off and you don't have such a disk, you're basically screwed - I've read plenty of similar stories online of people finding this out only too late, and therefore I chose to stay well clear of this, or any other method of encryption that can't be recovered simply by details known by the user (e.g. username+password). The same goes for (proprietary) hardware-based encryption in a way - what happens if the hardware to unlock the data gets damaged?

Laszlo (Joined: 14 Feb 2005, Posts: 4078, Location: Pittsburgh)
Posted: Mon Apr 03, 2006 1:11 am

evl wrote:
How long does it take to crack different levels of encryption these days?
Brute force, that is, trying all keys for symmetric key encryption, is still out of the question. When using 1 million PCs, each capable of trying 1 million keys a second, you need 2^128/10^6/10^6/60/60/24/365 = 10,790,283,070,806,014,189 years, significantly longer than the age of the universe. Public key cryptosystems can be attacked much faster than by trying all keys. For example, 768-bit RSA keys can be found with distributed computing, so keys at least 1024 bits long have to be used. Other ciphers have weaknesses which reduce the length of an exhaustive key search. For example, DES uses 56-bit keys, but with Matsui's clever speedup the search will likely succeed after 2^43 trials. Trying 1,000 keys a second on a fast PC, it takes 2^43/1000/60/60/24/365 = 279 years; that is, 1000 PCs will find a key in 4 months. RC4/5 have other weaknesses which also reduce the search space, but the actual number keeps changing as cryptographers improve the attacks.

evl wrote:
shouldn't it be possible to never store the full password somewhere in the first place?
Not really. You have to pass the password to the encryption module in full. You can try tricks such that only partial passwords are transferred and processed (like multiple encryptions in series), but it makes the code complicated, and a key logger can still steal your password.

Also, at the end a whole block of secret data is decrypted, and it has to be kept somewhere. That piece of RAM could be swapped to disk. Again, you could play tricks, like several decrypted blocks at different offsets having to be XOR-ed to give the secret data. With the proper choice of offsets only the desired piece of information gets decrypted, and if it is short, the chance of being swapped to disk is smaller, but still non-zero.

evl wrote:
The thing I don't like about Windows' own encryption is, as I recall, that you need to make a recovery disk to back up the necessary credentials.
It means you don't enter the key, nor a password from which the key can be derived; the key is generated internally and only activated by your password, after Windows has already booted up (assuming a key logger cannot yet be active at boot time). It has the huge advantage that all the keys a software key logger can record are still insufficient to decrypt the secrets from a stolen hard disk. Yes, you have to back up your credentials, but it is a small price for the added security.

evl wrote:
The same goes for (proprietary) hardware-based encryption in a way - what happens if the hardware to unlock the data gets damaged?
The same as when any other part of the disk breaks: you lose your data. Therefore, you have to make regular (encrypted) backups on other media. You do it anyway, don't you? The encryption chip is more reliable than the rotating electromechanical system, so a breakdown is not much more likely than before.

Encryption is a strong weapon. It hides the data even from sloppy users. They have to learn not to take it lightly; otherwise, they could lose their data forever.

If username + password were enough to get to the data, weak passwords would also lead to weak protection. As Windows does it, the key search on a stolen disk is hard, even with stupid simple passwords and usernames. MS has done a pretty good job with that.
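The two back-of-the-envelope figures in the post above (the 2^128 search at 10^6 PCs x 10^6 keys/s, and the 2^43-trial DES search at 1,000 keys/s) can be reproduced and generalized with a short script. This is an added example written for this page, not code from the thread or from any of the tools it mentions; it uses exact rational arithmetic so the 128-bit figure keeps every digit, and it adds a "remaining margin in bits" helper, which is my own framing of the same calculation and not something the post states.

```python
# Added example (not code from the forum thread): reproduces the two
# exhaustive-search figures in the post above with exact rational arithmetic
# and generalizes them to any (effective key bits, machines, keys/second).
import math
from fractions import Fraction

SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def search_years(effective_bits, machines, keys_per_second, worst_case=True):
    """Years needed to search a key space of 2**effective_bits keys.

    effective_bits : bits of work the best known attack leaves (128 for a
                     cipher with no known shortcut; 43 for DES under Matsui's
                     linear cryptanalysis, as cited in the post).
    machines       : number of attacking machines working in parallel.
    keys_per_second: trial rate of one machine.
    worst_case     : True counts the whole space (the post's figures);
                     False counts the expected half of it.
    Returns a Fraction so the 128-bit figure keeps every digit.
    """
    trials = Fraction(2) ** effective_bits
    if not worst_case:
        trials /= 2
    return trials / (machines * keys_per_second) / SECONDS_PER_YEAR


def remaining_margin_bits(effective_bits, machines, keys_per_second, years):
    """Bits of margin left after an attacker spends `years` of the given
    capacity: effective_bits minus log2(keys they can try in that time).
    A negative result means the search completes within `years`."""
    tried = machines * keys_per_second * SECONDS_PER_YEAR * years
    return effective_bits - math.log2(tried)


def scenarios():
    """The two scenarios from the post, plus the 1000-PC DES variant."""
    return {
        "128-bit, 10^6 PCs x 10^6 keys/s": search_years(128, 10**6, 10**6),
        "DES via 2^43 trials, 1 PC x 1000 keys/s": search_years(43, 1, 1000),
        "DES via 2^43 trials, 1000 PCs x 1000 keys/s": search_years(43, 1000, 1000),
    }


if __name__ == "__main__":
    for name, years in scenarios().items():
        print(f"{name}: {float(years):.4g} years")
    print("margin left after one year against a 128-bit key:",
          round(remaining_margin_bits(128, 10**6, 10**6, 1), 1), "bits")
```

The first scenario rounds to the post's 10,790,283,070,806,014,189 years and the second to 279 years; the 1000-PC DES case comes out at about 0.28 years, which is the "4 months" in the post once you round up. The margin helper makes the same point from the other side: a year of that 10^12 keys/s capacity tries roughly 2^65 keys, leaving about 63 bits of a 128-bit key untouched.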

evl (Joined: 24 Aug 2005, Posts: 1239)
Posted: Mon Apr 03, 2006 1:33 am

Nice, detailed reply there.

Quote:
and a key logger can still steal your password

I think, if you have a keylogger or other such software on your computer, your privacy, security and encryption are pretty much compromised no matter what (and as I understand it, keyloggers and other such tools are getting ever more sophisticated in what they record/do).

Quote:
Yes, you have to back up your credentials

I may be wrong (as I haven't tried in a LONG time), but Windows doesn't try very hard to persuade you to back this up, if at all, does it? I mean, it reminds you of every other stupid little thing like cleaning up unused icons, but does it ever remind you to check the integrity of those credentials that may be the key to your most important data? :D

Quote:
backups on other media. You do it anyway, don't you

Usually in triplicate :)

Quote:
If username + password were enough to get to the data

Which brings up the topic of biometric security and all those lovely sci-fi films where the bad guy cuts off the user's body part required for authentication :D

Laszlo (Joined: 14 Feb 2005, Posts: 4078, Location: Pittsburgh)
Posted: Mon Apr 03, 2006 2:06 am

The point is that even after a key logger sniffed your Windows username and password, the data on a stolen disk is inaccessible. The whole computer has to be stolen, because each Windows installation is different, and depends on many parameters of your computer. This is the maximum we can do against a key logger.

Biometrics and tokens do enhance the security, even for stupid users, but they can be poorly implemented, too. For example, fingerprints remain on the scanner, and an intruder can copy it. Fingerprint readers should also check for vital signs, like regular blood flow (Doppler sonograph), temperature, micro movements, skin color spectrum, surface chemistry, etc. Without these, it just gives the illusion of security, but doing it right is very expensive.

It is true, Windows does not try too hard to persuade you to back up your credentials. But how many times did your HW break such that you could not even repair the Windows installation? It did not happen to me in the last 10 years, and none of my colleagues lost data in this way. I have no exact data, but I assume less than 1% of the users are affected, and very few of them use the Windows encryption, so this does not seem to be a mass problem.

Although I could always salvage my data (SpinRite did a wonderful job), I experienced several disk crashes. (All were Fujitsu drives, of course.) To avoid the panic, I now have a small second disk in my laptop (Toshiba 5GB PC card disk). An automatic background backup program (AutoSave) keeps the last 20 versions of my work files (programs, documents, even the whole My Documents directory) on the small disk. After I set it up I don't have to worry about it. And occasionally I do make a partition image on an external disk, to save me the days of installation and configuration work should a disaster strike. It has not.

evl (Joined: 24 Aug 2005, Posts: 1239)
Posted: Mon Apr 03, 2006 2:40 am

Quote:
The whole computer has to be stolen
- like a laptop? :D Assuming a computer with a keylogger, etc. had an internet connection (which is the most likely way of getting such a thing), then I'm pretty sure there must be ways for hackers to retrieve files off of the computer by one means or another (although it may require an elevation of privileges - and that sort of security hole in Windows is only found every couple of months :D ). If the user can access the data themselves then there will always be a way for a hacker to get at it; it's just a question of how hard and if it's worth their time.

Quote:
For example, fingerprints
- firstly I'd like to see a hygienic sensor and then they can worry about making it secure ;) Did you remember to wash your hands?

Quote:
But how many times did your HW break such that you could not even repair the Windows installation
- actually that's a very real problem for laptops, where it can be a lot more complicated to replace a broken part than in a desktop, but that's slowly getting better.

I've only had one disk break on me, luckily - a Hitachi one. Woke up one morning and the computer was off. Wouldn't even react to the power button until it was taken out :o I back up my stuff to a combination of external hard drive (cheap and fast) and DVD-R (convenient for archiving). As for disk images, I used to, but since I rarely re-install I treat it as a good time to ditch all the junk that tends to accumulate over time. I was quite impressed that Windows XP managed to survive about 30 blue screens of death inside of a week (until I tracked down a bad stick of RAM) and a couple of repairs, which lasted another 2 years until I upgraded.

toralf (Joined: 31 Jan 2005, Posts: 3841, Location: Bremen, Germany)
Posted: Mon Apr 03, 2006 7:26 am

Thanks to all of you and your suggestions.

Laszlo wrote:
If you are after really high security, PGP is the best, because it uses all kinds of tricks to prevent Windows from writing secure data to the swap file, or even from letting it out of the processor cache.
I looked at PGP, but couldn't find a freeware version, and it doesn't seem to have a "safe" but encrypts files on the disk; is that correct?

I looked at KeePass. It comes close to what I need (it concentrates on passwords; handling of text notes seems to be of less importance). I'm interested to know if it offers the security that Laszlo described. I found this on their homepage:
Quote:
In-memory passwords protection: your passwords are encrypted while KeePass is running, so even if Windows caches the KeePass process to disk, this wouldn't reveal your passwords anyway.
Security-enhanced password edit controls: KeePass is the first password safe that has security-enhanced password edit controls. None of the available password edit control spies work against the controls used in KeePass. The passwords entered in those controls aren't even visible in the process memory of KeePass.

What I'm looking for is an app that stores passwords AND/OR text in an encrypted database.
I'm NOT looking for an app for disc encryption or encrypted file archives, since then the decrypted files would again be edited in a "normal" app that might have or raise security issues itself. Or am I wrong in this place?
_________________
Ciao
toralf
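The "in-memory passwords protection" feature quoted in the post above, and the swap-file worry raised earlier in the thread, come down to one discipline: the cleartext should never sit in a long-lived buffer. The following is an added example written for this page, not KeePass's code and not from any poster. It keeps the secret XOR-masked with a per-instance random key from os.urandom, unmasks it only into a short-lived bytearray, and zeroes that buffer when the caller is done; the sample secret is constructed for the demo. It deliberately does not pin pages in RAM (that needs an OS call such as mlock or VirtualLock), and Python may keep transient copies the program cannot reach, so treat it as an illustration of the idea rather than a drop-in component.

```python
# Added example (not KeePass's code): a minimal version of the "in-memory
# protection" idea quoted above. The long-lived copy of the secret is XOR-masked
# with a per-instance random key; the cleartext exists only in a short-lived
# bytearray that is zeroed as soon as the caller is done with it.
# Caveat, per the swap-file discussion in the thread: nothing here locks pages
# in RAM (that needs mlock/VirtualLock), and the interpreter may keep transient
# copies this code cannot reach.
import os
from contextlib import contextmanager


def _wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place with zeros."""
    for i in range(len(buf)):
        buf[i] = 0


class MaskedSecret:
    def __init__(self, secret: bytearray):
        # Take a bytearray so the caller's copy can be destroyed right here;
        # an immutable bytes object could not be wiped.
        self._mask = bytearray(os.urandom(len(secret)))
        self._masked = bytearray(s ^ m for s, m in zip(secret, self._mask))
        _wipe(secret)

    def __len__(self) -> int:
        return len(self._masked)

    @contextmanager
    def unmasked(self):
        """Yield the cleartext as a bytearray, then zero it however the block
        exits (normal completion or exception)."""
        clear = bytearray(a ^ m for a, m in zip(self._masked, self._mask))
        try:
            yield clear
        finally:
            _wipe(clear)

    def resident_state(self) -> bytes:
        """What a dump of this object's long-lived masked buffer would show."""
        return bytes(self._masked)

    def destroy(self) -> None:
        """Zero both halves so the secret can no longer be reconstructed."""
        _wipe(self._masked)
        _wipe(self._mask)


def demo():
    """Exercise the holder with a constructed sample secret and report what
    each buffer contains at each stage."""
    original = b"correct horse"                 # constructed sample, not a real secret
    work = bytearray(original)
    holder = MaskedSecret(work)                 # 'work' is zeroed by the constructor
    with holder.unmasked() as clear:
        seen_inside = bytes(clear)              # a real consumer would use 'clear' directly
    after_block = bytes(clear)                  # zeroed once the block has exited
    resident_before = holder.resident_state()
    holder.destroy()
    return {
        "caller_buffer_after_init": bytes(work),
        "resident_differs_from_cleartext": resident_before != original,
        "cleartext_inside_block": seen_inside,
        "cleartext_after_block": after_block,
        "resident_after_destroy": holder.resident_state(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The design choice worth noting is that the mask is as long as the secret and never reused, so the resident buffer on its own tells a memory scraper nothing; the weakness is exactly the one Laszlo describes: at the moment of use the cleartext must exist somewhere, and only the OS can keep that page out of the swap file.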

Laszlo (Joined: 14 Feb 2005, Posts: 4078, Location: Pittsburgh)
Posted: Mon Apr 03, 2006 3:21 pm

Only old versions of PGP are free; you have to pay for the best security on the market.

Try to get independent reviews of KeePass. Even if what they say on their website is true, there could be other holes. But for personal use it looks OK, free and open source. Password stores of Explorer toolbars are OK, too.

It is true that even if you log in securely to a website or an application, malware on your PC could still steal secrets. It is good practice to log off when you are finished with your work, automatically unmount secure drives after a certain period of inactivity, etc. Also have the latest security patches, virus definitions and spyware updates, and use a PC with a TPM chip.