Loading...

What's the best, safest and simplest way to electronically store and manage passwords?

Windows 7

Asked
Asked by: Userland User

I know there are many highly-rated password management programs and services on the market for Windows home users, but I have hesitated using any of them because I don't know how safe they really are - it seems as though a devious programmer could easily include a hidden back door hack that would allow them to steal everything without the user's knowledge. Sadly, these days, incessant data breaches in corporations and in government sites, have demonstrated pretty conclusively that no data is truly safe, anymore.

Keeping a written password list is quite inconvenient; it requires every password to be manually written down, then looked up and re-typed into the computer, and if you lose the paper list, you are RUINED. Keeping an electronic password list in a document is easy and simple.  But the document surely needs to be kept offline, not on the computer's hard drive.

For lack of a better idea,  I currently have a USB thumb drive where I keep a document containing all my passwords for website accounts and in a few cases, for applications.  I plug it in briefly when I need a password: with Explorer's preview pane turned on, the password text contents of the file are visible in the preview pane for a quick lookup and copy/paste. Then, I immediately dismount and unplug the thumb drive.

Somehow this makes me feel a little safer, but it's probably a foolish illusion: after all, any time it's plugged in and mounted, it's probably subject to being hacked. And, even after I dismount and remove the thumb drive, I wonder...do the file contents that were displayed in the preview panel, persist as a latent image in my paging file or in Microsoft Office or somewhere else on my computer, where a potential hacker might access it?

Also, I realize that the password itself, which I copied to the clipboard, remains potentially at risk there, as well.

And, of course, there's the question of whether/how the thumb drive itself should be encrypted and password protected...as well as securely backed up to someplace else, since, eventually any USB drive can, and probably will, fail.

Is there any truly safe way, not involving third party software, websites or 'cloud services', to keep an electronically accessible password list, that's absolutely  free from security breach, password protected or encrypted, and safely backed up, and always stored where I personally have in my immediate, secure possession?  What am I missing?

Answered
Answered by: Try*3

Userland,

I don't think you are missing anything.  I do not think it is possible to get a definitive answer to your question.  The best policy is impossible to establish when it comes to password protection as hackers are as unpredictable as burglars.  I offer the results of my investigation into the subject merely as food for thought.

I do the same as you do except that I disconnect* from the internet before connecting the USB to open the password file [just in case I am on a webpage that has been booby-trapped to allow a flyby capture of open documents].  That USB never leaves me and its backup copy lives behind the radiator. 

* As I am connected across WiFi I just turn it off without leaving the webpage I want, connect the USB, copy the password to the clipboard, disconnect the USB, turn WiFi back on, paste the password in then copy some boring text into the clipboard to replace the password there. 

I investigated the effectiveness of MS Office 2007 passwords a couple of years ago because I used a password-protected Office file to store all my passwords.  I reached decisions for password-protected Excel & Word files I but stopped using Access as I could find nothing to refute online claims that small Access databases could be cracked by attacks other than brute-force attacks

password length 18 non-dictionary-strings with letters [both upper & lower case], numbers, common punctuation, at least 2 symbols

password length 19 non-dictionary-strings with letters [both upper & lower case], numbers, common punctuation, without any symbols

password length 21 non-dictionary-strings with letters [both upper & lower case], numbers, without any punctuation, without any symbols

 

These password types-lengths would have less than a 1/1,000,00 chance of being brute-force cracked [combined with dictionary attack] in thirty years' time by sophisticated schemes such as those described in the online password-cracking services & security guidance documents I discovered.

The assumptions in my analysis were -

1  They do not deem me worth more than the 100 hours of dedicated effort that some of the password-cracking services offer as standard service.

2  Current hacker boasts of their capabilities are accurate

3  They have control of 1,000,000 - 2,000,000 PC-equivalent computing power [a very large botnet, a network of datacentres,  ...]

My analysis assumes use of MS Office 2007 but improvements to password security mechanisms in Office 2013 mean that my analysis is looking on the bleak side of security if I ever upgrade.  Frustratingly, I was not able to quantify the degree of improvement.

5  Computing speed will continue to double every year for the next thirty years - 

Moore's "law" is the observation that, over the history of computing hardware, the number of transistors on integrated circuits doubles approximately every two years.  Intel executive David House subsequently predicted 18 months for a doubling in chip performance (being a combination of the effect of more transistors and their being faster). I assumed a doubling every 1 year purely for simplicity of calculation so my results actually apply to a period of greater than 30 years given a Moore's "law" assumption.

Try*3 - a user
Dell Inspiron 1545, Windows 7 Home Premium 64, Office 2007
HTC Desire X, Android 4.1
Answered
Security, privacy & accounts 16/09/2015 0 Comment 73 views
Loading...

Comments ( 0 )

Notice!
No comments yet. Be first to comment!

Leave a reply