Hot Take: Password Managers Auto-filled Credentials on Untrusted Sites

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
5,993
afaik keepass can be synced between pc and android, check the keepass website for plugins and other 3rd party developed forks intended to accomplish what you desire
just be forewarned that none of those products have been pentested for security issues
let me relate from firsthand experience, when you have a situation it is more than frustrating when you cannot access or otherwise obtain resources you need to resolve that situation using a digital device, especially a phone
the phone device is always the most problematic, i tried the usb flash drive method but that requires a dongle and then not forgetting it and the usb, not to mention having to carry it all the time
the usb method works ok for pc or laptop
for cross-platform ease-of-use, with reasonably high security, bitwarden cloud has performed well enough for me, even though using it on a phone can be clunky - i set a 25+ character dice generated password and set iterations to 1,000,000 years ago to ensure sufficient entropy long before the latest drama about password managers
one advantage to cloud is failover and availability across regions - availability when networks go down in one area or when traveling worldwide

1. can be done, not as difficult as you think, but then you are reliant upon 100% uptime of the hardware
2. sync is possible from what i have read
3. best all-around usability
4. a bit clunky when using a phone
5. same as 4

it is unfortunate, but we all have to make compromises
all i can suggest is for you to make a choice based upon your use-cases and your tolerance for inconvenience or complex usability
i am not advocating that you use cloud bitwarden, i am merely stating what has worked for me based upon my various experiences

lol, i have an acquaintance who wears a ring with a hidden compartment, in that compartment he stores a tiny piece of paper with critical passwords on it, and yes, he does use that when he is in a bind
There are pros and cons of each method. Like I said I'm looking for safe data storage, ease of use and transfer between different platforms like Windows and android.

FYI, flash drives don't require a dongle as long as the phone USB port supports OTG. In fact modern phones do support USB OTG. You just insert the flash drive and it'll read off straightaway

For 5) there's no software involved since it's OS independent. Example if you write down all the passwords on a Word doc and store on the drive you can open on the phone using Word and vice versa
 
Andrezj

Level 6
Nov 21, 2022
248
FYI, flash drives don't require a dongle as long as the phone USB port supports OTG. In fact modern phones do support USB OTG. You just insert the flash drive and it'll read off straightaway
i understand, i guess i was not clear that i was not going to purchase a USB OTG form factor, i tried using standard usb using a dongle and i found it inconvenient mostly because i would forget to carry it with me all the time, to me it did not really matter even if i had to only carry a usb

technically, the most secure will be 5, but you will likely accomplish the same thing with a cheaper usb with a password encrypted vault on it

i have heard good things about tresorit, but it is expensive
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
5,993
i understand, i guess i was not clear that i was not going to purchase a USB OTG form factor, i tried using standard usb using a dongle and i found it inconvenient mostly because i would forget to carry it with me all the time, to me it did not really matter even if i had to only carry a usb

technically, the most secure will be 5, but you will likely accomplish the same thing with a cheaper usb with a password encrypted vault on it

i have heard good things about tresorit, but it is expensive
You can always secure the USB flash drive to your keychain. That's what I plan to do if I go the USB flash drive way

Most important is to have another flash drive as a backup in case you lose the one you use daily
 
Andrezj

Level 6
Nov 21, 2022
248
You can always secure the USB flash drive to your keychain. That's what I plan to do if I go the USB flash drive way

Most important is to have another flash drive as a backup in case you lose the one you use daily
get a really robust metal usb, every plastic one i ever put onto a keychain broke
to be honest, after a lot of searching i have never found a usb flash drive with a strong loop hole
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
5,993
get a really robust metal usb, every plastic one i ever put onto a keychain broke
to be honest, after a lot of searching i have never found a usb flash drive with a strong loop hole

Have you tried those hardware-encrypted USB flash drives by iStorage and Aegis?

Of course in the hands of 3-letter agencies they can be hacked. But for normal use they are really very good, barring defective drives in the long run like a dead battery and unreliable keypad etc.

I've started a new Data Storage thread. We can further discuss there


Thanks
 
piquiteco

Level 14
Oct 16, 2022
634
Also, setting clipboard history OFF in Windows further prevents capture by keylogger
Setting the clipboard history to off in Windows will not prevent malicious programs from stealing your history stored on the Windows clipboard. Malicious software (malware) that has the clipboard monitoring feature captures in real time and saves to a TXT file without relying on Windows clipboard history; this is unlikely to happen to you, and if it does, it is because it has defeated your last line of defense, which is your AV. Remember that traditional keyloggers are old and outdated nowadays and any AV will detect them; yes, they exist, but malware that has the keylogger feature embedded as an infostealer is malicious software (malware) that steals the collected information. @Andrezj mentioned this to me in post #34 ;)
BTW I'm thinking of using KeePassXC instead. Do you know whether it has the same drag&drop feature as KeePass?
Not that I know of, KeePassXC just fills in the login forms using a shortcut key known as Global that you set in the settings, similar to keepass, or using the traditional copy & paste of your login and password. (y)
As for BW I think the minimum time is 10s instead of the 5s you mentioned
This, minimum 10 seconds and maximum 5 minutes to Clear your BW clipboard. (y)

No, it can be done with remote access according to @Andrezj :

Here it seems that it has become a fight of the Password Managers, literally of course, one pointing out the flaws of the other PMs, probably after the Lastpass episode late last year and recently about Bitwarden, that a security researcher discovered about the interactions. I think this was a trigger for discussions to take strength here in MT. But that's good, it's a sign that everyone here takes security seriously. (y)
 

Andrezj

Level 6
Nov 21, 2022
248
Have you tried those hardware-encrypted USB flash drives by iStorage and Aegis?
i have used kingston ironkey s1000 aluminum cased encrypted flash drive
i picked it because the lanyard loop was a continuous part of the body - not the type of loop that can get pulled out of the case socket
it was nice, until i forgot to take it out of my pocket and washed the garment
115 euros down the drain, literally

the istorage and aegis look the same
inspecting images of the usb drive cases they appear to be one continuous piece
i think you could trust them, there is no reason to doubt the quality of encryption

Here it seems that it has become a fight of the Password Managers, literally of course, one pointing out the flaws of the other PMs, probably after the Lastpass episode late last year and recently about Bitwarden, that a security researcher discovered about the interactions. I think this was a trigger for discussions to take strength here in MT. But that's good, it's a sign that everyone here takes security seriously. (y)
"what users do not know will hurt them"
it is better to openly discuss the flaws of everything as opposed to picking and thinking "i am protected," being closed-minded about negative aspects while defending that choice to the bitter end

a big problem for password manager users is that there is virtually no pentesting or audit results that they can inspect
so the user is placed in a position of relying upon what the password manager says it does or else they select pm based upon popularity

two fundamental precepts of encryption are to set a strong password and to set the iterations high enough - info that i have yet to see any password manager educate users on
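The two knobs mentioned in this post and in HarborFront's earlier one (a long dice-generated passphrase, and a high iteration count) can be put into numbers. This is an added example, not code from the thread or from any password manager; it assumes a diceware-style list of 7776 words, PBKDF2-HMAC-SHA256 as the stretching function, and a constructed attacker speed-up factor standing in for dedicated cracking hardware.

```python
# Added example, not code from the thread or from any password manager:
# passphrase entropy and KDF iteration count together set the cost of
# guessing a vault's master password offline. Attacker speed-up is constructed.
import hashlib
import math
import os
import time

DICEWARE_LIST_SIZE = 7776  # 6^5 entries: five dice rolls select one word

def passphrase_entropy_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase whose words were chosen uniformly at random."""
    return word_count * math.log2(list_size)

def derive_vault_key(passphrase, salt, iterations):
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)

def measure_guess_rate(iterations, samples=3):
    """Guesses per second this machine manages at the given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"wrong-guess-{i}", salt, iterations)
    return samples / (time.perf_counter() - start)

def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to hit the right passphrase: half the keyspace on average."""
    return (2 ** (entropy_bits - 1)) / guesses_per_second

def report(word_count, iterations, attacker_speedup=1_000_000):
    """Expected cracking time in years. attacker_speedup is a constructed
    stand-in for a GPU farm that out-guesses this single core by 10^6."""
    bits = passphrase_entropy_bits(word_count)
    rate = measure_guess_rate(iterations) * attacker_speedup
    years = expected_crack_seconds(bits, rate) / (365.25 * 86400)
    return {"entropy_bits": round(bits, 1), "iterations": iterations,
            "expected_years_to_crack": years}

if __name__ == "__main__":
    # A 6-word diceware passphrase stretched at 100k versus 1M iterations:
    # same entropy, ten times the per-guess cost for the attacker.
    for iters in (100_000, 1_000_000):
        print(report(6, iters))
```

Raising the iteration count scales the attacker's per-guess cost linearly, while each extra diceware word multiplies the keyspace by 7776; the passphrase is the stronger lever, the iteration count the cheaper one to change later.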
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
5,993
"what users do not know will hurt them"
it is better to openly discuss the flaws of everything as opposed to picking and thinking "i am protected," being closed-minded about negative aspects while defending that choice to the bitter end

a big problem for password manager users is that there is virtually no pentesting or audit results that they can inspect
so the user is placed in a position of relying upon what the password manager says it does or else they select pm based upon popularity

two fundamental precepts of encryption are to set a strong password and to set the iterations high enough - info that i have yet to see any password manager educate users on

I thought KeePass has been audited?


Well, audits will not reveal 100% everything
 

Andrezj

Level 6
Nov 21, 2022
248
Well, audits will not reveal 100% everything
audits are rarely thorough in the area of product functionality security risks
some audits are merely code reviews which will not find structural flaws
more or less the most effective and revealing method with software is ad-hoc testing where a pentester just happens to discover a functional problem by being methodical and thorough
hackers put in a lot of keyboard time always probing for ways to defeat stuff
audits never put forth that kind of effort, not unless somebody is willing to pay the auditor a whole lot of money
i mean it is good that software publishers submit their product for review by a third party, but one has to really take a close inspection of what and how things were audited and what the audit actually confirms
 

piquiteco

Level 14
Oct 16, 2022
634
Andrezj

Level 6
Nov 21, 2022
248
I found this: KeePass has been audited in the European Commission's Free and Open Source Software Auditing (EU-FOSSA 1). But @Andrezj formulated his answers well about the audits, and there is nothing for me to add, and he is correct in his statements; this one from KeePass was done in 2016 and is old now, look how many years have passed, it's 2023.
this is reality, users have to figure all this stuff out for themselves - as with most things in the digital space
"having to figure it out" certainly does not help users to make fully informed decisions
at least there are places like MalwareTips (y) for those with the inclination and initiative to get additional information
 

piquiteco

Level 14
Oct 16, 2022
634
this is reality, users have to figure all this stuff out for themselves - as with most things in the digital space
"having to figure it out" certainly does not help users to make fully informed decisions
at least there are places like MalwareTips for those with the inclination and initiative to get additional information (y)
Exactly! @HarborFront has certain reason to go deep into researching auditing among other things after the Lastpass incident. Even not using LP and not being their customer, I confess that this time it was me who was paranoid about the management of passwords with synchronization in the cloud; @oldschool will laugh at me if he reads my comment, but I'm being honest. I am still using it, not with all eggs in one basket, but even so it makes me scratch my head sometimes; I seem to have lost confidence in PMs, specifically the ones that store the database in the cloud, because of synchronization with other devices to make it more convenient and practical. As it goes on we get thoughtful about continuing to use it: who knows if tomorrow there will be another incident with another password manager? I hope this doesn't happen, at least not at this moment.😔
 
Last edited:

Andrezj

Level 6
Nov 21, 2022
248
Exactly! @HarborFront has certain reason to go deep into researching auditing among other things after the Lastpass incident. Even not using LP and not being their customer, I confess that this time it was me who was paranoid about the management of passwords with synchronization in the cloud; @oldschool will laugh at me if he reads my comment, but I'm being honest. I am still using it, not with all eggs in one basket, but even so it makes me scratch my head sometimes; I seem to have lost confidence in PMs, specifically the ones that store the database in the cloud, because of synchronization with other devices to make it more convenient and practical. As it goes on we get thoughtful about continuing to use it: who knows if tomorrow there will be another incident with another password manager? I hope this doesn't happen, at least not at this moment.😔
when one considers that nation-states have been trying to hack cloud-based password managers since their inception, it is a surprise that the cloud pm hacks have not been a lot worse
that is assuming that 1) the pm service provider detected the hack and 2) they would report that it happened
 
Andrezj

Level 6
Nov 21, 2022
248
Better rated anti-keyloggers than SpyShelter are here

not sure if you know, but truely.com rankings are based upon user reviews

"don't waste your time, difficult to understand"

it is not difficult for me to understand and it was more effective than qfx and opswat, which both failed in multiple areas
i only cared about protection because usability is no problem for me
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
5,993
not sure if you know, but truely.com rankings are based upon user reviews

"don't waste your time, difficult to understand"

it is not difficult for me to understand and it was more effective than qfx and opswat, which both failed in multiple areas
i only cared about protection because usability is no problem for me

Sorry, just deleted the post. My AV can detect keyloggers anyway
 

Andrezj

Level 6
Nov 21, 2022
248
Sorry, just deleted the post. My AV can detect keyloggers anyway
you can try it against this

just copy-pasta the code into powershell console and select enter
then open notepad and type something
if not detected by av (or windows amsi), the keylogger will capture your keystrokes and output will be found in your c:\users\user\appdata\temp folder named "test_keylogger.txt"




just a fyi, i would not put absolute faith in amsi as there are ways around it and hackers gonna keep hacking until they find another way around it if it does block their attacks
 

piquiteco

Level 14
Oct 16, 2022
634
just copy-pasta the code into powershell console and select enter
just a fyi, i would not put absolute faith in amsi as there are ways around it and hackers gonna keep hacking until they find another way around it if it does block their attacks
For me it wouldn't work, besides AV you would have to overcome the last of defenses.(y)
 

Andrezj

Level 6
Nov 21, 2022
248
here is an even simpler single-keystroke keylogger (which can be expanded to capture all keystrokes)

PS C:\> $PressedKey = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

type a single key, then

PS C:\> $PressedKey

it will output results of keystroke sent to $PressedKey variable

amsi will not detect this sort of thing
 