Hot Take Password Managers Auto-filled Credentials on Untrusted sites

[HarborFront]

afaik keepass can be synced between pc and android, check the keepass website for plugins and other 3rd party developed forks intended to accomplish what you desire
just be forewarned that none of those products have been pentested for security issues
let me relate from firsthand experience, when you have a situation it is more than frustrating when you cannot access or otherwise obtain resources you need to resolve that situation using a digital device, especially a phone
the phone device is always the most problematic, i tried the usb flash drivemethod but that requires a dongle and then not forgetting it and the usb, not to mention having to carrry it all the time
the usb method works ok for pc or laptop
for cross-platform ease-of-use, with reasonably high security, bitwarden cloud has performed well enough for me, even though using it on a phone can be clunky - i set a 25+ character dice generated password and set interations to 1,000,000 years ago to ensure sufficient entropy long before the latest drama about password managers
one advantage to cloud is failover and availability across regions - availablility when networks go down in one area or when traveling worldwide

1. can be done, not as difficult as you think, but then you are reliant upon 100% uptime of the hardware
2. sync is possible from what i have read
3. best all-around usability
4. a bit clunky when using a phone
5. same as 4

it is unfortunate, but we all have to make compromises
all i can suggest is for you to make a choice based upon your use-cases and your tolerance for inconvenience or complex usability
i am not advocating that you use cloud bitwarden, i am merely stating what has worked for me based upon my various experiences

lol, i have an aquaintance who wears a ring with a hidden compartment, in that compartment he stores a tiny piece of paper with critical passwords on it, and yes, he does use that when he is in a bind

There are pros and cons of ecah method. Like I said I'm looking for safe data storage, ease of use and transfer between different platforms like Windows and android.

FYI, flash drive don't require a dongle as long as the phone USB port supports OTG. In fact modern phones do support USB OTG. You just insert the flash drive and it'll read off straightaway

For 5) there's no software involved since it's OS independent. Example if you write down all the passwords on a Word doc and store on the drive you can open on the phone using Word and vice versa

 

[Andrezj]

FYI, flash drive don't require a dongle as long as the phone USB port supports OTG. In fact modern phones do support USB OTG. You just insert the flash drive and it'll read off straightaway

i understand, i guess i was not clear that i was not going to purchase a USB OTG form factor, i tried using standard usb using a dongle and i found it inconvenient mostly because i would forget to carry it with me all the time, to me it did not really matter even if i had to only carry a usb

technically, the most secure will be 5, but you will likely accomplish the same thing with a cheaper usb with a password encrypted vault on it

i have heard good things about tresorit, but it is expensive

Secure your digital life with a personal vault

Safeguard your most sensitive personal files and pictures with Tresorit’s end-to-end encrypted personal cloud storage.

tresorit.com

 

[HarborFront]

i understand, i guess i was not clear that i was not going to purchase a USB OTG form factor, i tried using standard usb using a dongle and i found it inconvenient mostly because i would forget to carry it with me all the time, to me it did not really matter even if i had to only carry a usb

technically, the most secure will be 5, but you will likely accomplish the same thing with a cheaper usb with a password encrypted vault on it

i have heard good things about tresorit, but it is expensive

Secure your digital life with a personal vault

Safeguard your most sensitive personal files and pictures with Tresorit’s end-to-end encrypted personal cloud storage.

tresorit.com

You can always secure the USB flash drive to your keychain. That's what I plan to do if I go the USB flash drive way

Most important is to have another flash drive as a backup in case you lose the one you use daily

 

[Andrezj]

You can always secure the USB flash drive to your keychain. That's what I plan to do if I go the USB flash drive way

Most important is to have another flash drive as a backup in case you lose the one you use daily

get a really robust metal usb, every plastic one i ever put onto a keychain broke
to be honest, after a lot of searching i have never found a usb flash drive with a strong loop hole

 

[HarborFront]

get a really robust metal usb, every plastic one i ever put onto a keychain broke
to be honest, after a lot of searching i have never found a usb flash drive with a strong loop hole

Have you try those hardware-encrypted USB flash drives by iStorage and Aegis?

Of course in the hands of 3-letter agencies they can be hacked. But for normal use they are really very good barring from defective drives in the long run like dead battery and unreliable keypad etc.

I've started a new Data Storage thread. We can further discuss there

Serious Discussion - Data Storage - Software-Encrypted vs Hardware-Encrypted USB Flash Drive vs Cloud Storage

This topic centers on storing data on software-encrypted vs hardware-encrypted USB flash drive vs cloud storage. External drive storage is chosen over storing on the PC/laptop itself to avoid malware infection or a dead PC/laptop. You can scan the files/folders for malware before storing on the...

malwaretips.com

Thanks

 

[piquiteco]

Also, setting clipboard history OFF in Windows further prevent capture by keyloggerAlso, setting clipboard history OFF in Windows further prevent capture by keylogger

Setting the clipboard history to off in Windows, will not prevent malicious programs from stealing your history stored on the Windows clipboard. A malicious software (Malware) that has the clipboard monitoring feature, it captures in real time and saves in TXT file without relying on Windows clipboard history, this is unlikely to happen to you, and if it does, it is because it has defeated your last line of defense which is your AV. Remembering that traditional keylogger are old and outdated nowadays, any AV will detect, yes it exists, but malware that has the keylogger feature embedded as infostealer that is malicious software (malware) that steals the collected information. @Andrezj mentions about this to me in the post #34

BTW I'm thinking of using KeePassXC instead. Do you know whether it has the same drag&drop feature as KeePass?

Not that I know of, KeePassXC just fills in the logins forms using a shortcut key known as Global that you set in the settings, similar to keepass or using the traditional copy & paste your login and password.

As for BW I think the minimum time is 10s instead of the 5s you mnetioned

This, minimum 10 seconds and maximum 5 minutes to Clear your BW clipboard.

No, I can be done with remote access according to @Andrezj :

NCSC warns of Vulnerability in Password Manager KeePass

Dutch article translated by DeepL: The Ministry of Justice and Security's National Cyber Security Center (NCSC) is warning of a vulnerability in password manager KeePass that would allow an attacker who already has access to a system to obtain data in the KeePass database, such as passwords...

malwaretips.com

Here it seems that it has become a fight of the Password Managers, literally of course, one pointing out the flaws of the other PMs, probably after the Lastpass episode late last year and recently about Bitwarden, that a security researcher discovered about the interactions. I think this was a trigger for discussions to take strength here in MT. But that's good, it's a sign that everyone here takes security seriously.

 

[Andrezj]

Have you try those hardware-encrypted USB flash drives by iStorage and Aegis?

i have used kingston ironkey s1000 aluminum cased encrypted flash drive
i picked it because the lanyard loop was a continuous part of the body - not the type of loop that can get pulled out of the case socket
it was nice, until i forgot to take it out of my pocket and washed the garmet
115 euros down the drain, literally

the istorage and aegis look the same
inspecting images of the usb drive cases they appear to be one continuous piece
i think you could trust them, there is no reason to doubt the quality of encryption

Here it seems that it has become a fight of the Password Managers, literally of course, one pointing out the flaws of the other PMs, probably after the Lastpass episode late last year and recently about Bitwarden, that a security researcher discovered about the interactions. I think this was a trigger for discussions to take strength here in MT. But that's good, it's a sign that everyone here takes security seriously.

"what users do not know will hurt them"
it is better to openly discuss the flaws of everything as opposed to picking and thinking "i am protected," being closed-minded about negative aspects while defending that choice to the bitter end

a big problem for password manager users is that there is virtually no pentesting or audit results that they can inspect
so the user is placed in a position of relying upon what the password manager says it does or else they select pm based upon popularity

two fundamental precepts of encryption is to set a strong password and set the iterations high enough - infos that i have yet to see any password manager educate users on

 

[HarborFront]

"what users do not know will hurt them"
it is better to openly discuss the flaws of everything as opposed to picking and thinking "i am protected," being closed-minded about negative aspects while defending that choice to the bitter end

a big problem for password manager users is that there is virtually no pentesting or audit results that they can inspect
so the user is placed in a position of relying upon what the password manager says it does or else they select pm based upon popularity

two fundamental precepts of encryption is to set a strong password and set the iterations high enough - infos that i have yet to see any password manager educate users on

I thought KeePass has been audited?

Trust - KeePass

keepass.info

Well, audits will not reveal 100% everything

 

[Andrezj]

Well, audits will not reveal 100% everything

audits are rarely thorough in the area of product functionality security risks
some audits are merely code reviews which will not find structural flaws
more or less the most effective and revealing method with software is ad-hoc testing where a pentester just happens to discover a functional problem by being methodical and thorough
hackers put in a lot of keyboard time always probing for ways to defeat stuff
audits never put forth that kind of effort, not unless somebody is willing to pay the auditor a whole lot of money
i mean it is good that software publishers submit their product for review by a third party, but one has to really take a close inspection of what and how things were audited and what the audit actually confirms

 

[piquiteco]

I thought KeePass has been audited?

I found this KeePass has been audited in the European Commission's Free and Open Source Software Auditing (EU-FOSSA 1) But @Andrezj formulated his answers well about the audits, and nothing for me to add, and he is correct in his statements, this one from Keepass was done in 2016, and is old ours, look how many years have passed, it's 2023.

 

[Andrezj]

I found this KeePass has been audited in the European Commission's Free and Open Source Software Auditing (EU-FOSSA 1) But @Andrezj formulated his answers well about the audits, and nothing for me to add, and he is correct in his statements, this one from Keepass was done in 2016, and is old ours, look how many years have passed, it's 2023.

this is reality, users have to figure all this stuff out for themselves - as with most things in the digital space
"having to figure it out" certainly does not help users to make fully informed decisions
at least there are places like MalwareTips for those with the inclination and initiative to get additional informations

 

[piquiteco]

this is reality, users have to figure all this stuff out for themselves - as with most things in the digital space
"having to figure it out" certainly does not help users to make fully informed decisions
at least there are places like MalwareTips for those with the inclination and initiative to get additional informations

Exactly! the @HarborFront has certain reason to go deep to research on auditing among others, after the Lastpass incident, even not using the LP and not being their customer, I confess that this time it was me who was paranoid about the management of passwords with synchronization in the cloud, @oldschool will laugh at me if you read my comment, but I'm being honest. I am still using it, not with eggs all in one basket, even so, it makes me scratch my head sometimes, I seem to have lost confidence in PMs specifically the ones that store the database in the cloud. Because of synchronization with other devices, to make it more convenient and practical, as it goes on we get thoughtful to continue using who knows if tomorrow there will be another incident with another password manager? I hope this doesn't happen, at least not at this moment.

 

[Andrezj]

Exactly! the @HarborFront has certain reason to go deep to research on auditing among others, after the Lastpass incident, even not using the LP and not being their customer, I confess that this time it was me who was paranoid about the management of passwords with synchronization in the cloud, @oldschool will laugh at me if you read my comment, but I'm being honest. I am still using it, not with eggs all in one basket, even so, it makes me scratch my head sometimes, I seem to have lost confidence in PMs specifically the ones that store the database in the cloud. Because of synchronization with other devices, to make it more convenient and practical, as it goes on we get thoughtful to continue using who knows if tomorrow there will be another incident with another password manager? I hope this doesn't happen, at least not at this moment.

when one considers that nation-states have been trying to hack cloud-based password managers since their inception, it is a surprise that the cloud pm hacks have not been a lot worse
that is assuming that 1) the pm service provider detected the hack and 2) they would report that it happened

 

[Andrezj]

Better rated anti-keyloggers than SpyShelter are here

Best Consumer Products

We’ve analysed millions of customer reviews, here are the products that ranked the best overall.

truely.com

not sure if you know, but truely.com rankings are based upon user reviews

"don't waste your time, difficult to understand"

it is not difficult for me to understand and it was more effective than qfx and opswat, which both failed in multiple areas
i only cared about protection because usability is no problem for me

 

[HarborFront]

not sure if you know, but truely.com rankings are based upon user reviews

"don't waste your time, difficult to understand"

it is not difficult for me to understand and it was more effective than qfx and opswat, which both failed in multiple areas
i only cared about protection because usability is no problem for me

Sorry, just deleted the post. My AV can detect keyloggers anyway

 

[piquiteco]

that is assuming that 1) the pm service provider detected the hack and 2) they would report that it happened

Yes, and to make matters worse the first LastPass hack they admitted, was breach that occurred in 2011 - Password Manager Last Pass Possibly Hacked 12 years ago they posted on their Lastpass Blog, plus page was deleted.

 

[piquiteco]

Sorry, just deleted the post. My AV can detect keyloggers anyway

I told you in another comment, that any AV will block keyloggers, even the simulators, if I were you, I wouldn't worry about it.

 

[Andrezj]

Sorry, just deleted the post. My AV can detect keyloggers anyway

you can try it against this

just copy-pasta the code into powershell console and select enter
then open notepad and type something
if not detected by av (or windows amsi), the keylogger will capture your keystrokes and output will be found in your c:\users\user\appdata\temp folder named "test_keylogger.txt"

How a keylogger works: a simple Powershell example

During the #malware #analysis process is useful to know how a #keylogger works, so I want to share a brief #example, written in #Powershell - #DFIR #cybersecurity

andreafortuna.org

just a fyi, i would not put absolute faith in amsi as there are ways around it and hackers gonna keep hacking until they find another way around it if it does block their attacks

 

[piquiteco]

just copy-pasta the code into powershell console and select enter
just a fyi, i would not put absolute faith in amsi as there are ways around it and hackers gonna keep hacking until they find another way around it if it does block their attacks

For me it wouldn't work, besides AV you would have to overcome the last of defenses.

Spoiler

 

[Andrezj]

here is even more simple single-keystroke keylogger (which can be expanded to capture all keystrokes)

PS C:\> $PressedKey = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

type a single key, then

PS C:\> $PressedKey

it will output results of keystroke sent to $PressedKey variable

amsi will not detect this sort of thing