Suggestions on Digital Vault/password manager Options
 
brilliantlydim
#1 Posted : 6/13/2016 5:45:24 PM

DMT-Nexus member


Posts: 431
Joined: 13-Jun-2015
Last visit: 19-May-2019
Hello all, wondering if any of you fine people have a suggestion for a good digital vault for storing things like passwords, usernames, credit card numbers, files, etc. on my android device.

Thanks
 

Good quality Syrian rue (Peganum harmala) for an incredible price!
 
RAM
#2 Posted : 6/13/2016 6:57:05 PM

Hail the keys!


Posts: 553
Joined: 30-Aug-2014
Last visit: 07-Nov-2022
I use the paid version of Roboform on my computer. They also have a version for Android.

It is very simple and relies on a master password - I definitely recommend it!
"Think for yourself and question authority." - Leary

"To step out of ideology - it hurts. It's a painful experience. You must force yourself to do it." - Žižek
 
Ufostrahlen
#3 Posted : 6/13/2016 7:03:16 PM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
KeePass is a popular & free OSS pw manager which comes in different flavors:

http://keepass.info/download.html
https://play.google.com/...2android.keepass2android
https://en.wikipedia.org/wiki/KeePass

also recommended by:

https://prism-break.org/...droid/#password-managers
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
PsilocybeChild
#4 Posted : 6/13/2016 8:21:32 PM

DMT-Nexus member


Posts: 574
Joined: 24-Jan-2009
Last visit: 25-Aug-2023
Location: somewhere in the sands of time
I prefer KeePassX and KeePassDroid for Android. They're open source and free.

It doesn't store your passwords on a server which is safer but also means you have to update any copies of your password database frequently, and you might need a File Manager installed on android to access your database once you transfer it onto your phone.
―λlτεrηιτγ→
Kambo.me Forum
Internet Security Walk-Through
Tobacco Disinformation: https://kambo.me/smf/index.php?topic=395.0

PM me about personal Herbalist consultations.
Can do it over PMs as to not reveal personal information.
 
brilliantlydim
#5 Posted : 6/13/2016 11:31:32 PM

DMT-Nexus member


Posts: 431
Joined: 13-Jun-2015
Last visit: 19-May-2019
Thanks for the suggestions. I ended up downloading the Keepass2Android offline version, which I believe is based on the same program as the KeePassDroid, both being ports of KeePass.

So for any of you that are digital security savvy, I have a couple questions if you don't mind.

From what I gather, the way this program works is that it encrypts my passwords and such in a file (a .kdbx file) that can only be unlocked by the master password I selected. I can move this file around and store it anywhere, but as long as I am the only one with my password, no one can access the info in that file?

Making it basically as secure as the ability to brute force my master password is?

Is this enough to keep my passwords safe to a reasonable extent, or is there anything else I should be aware of or do in order to keep them secret and the file secure?
 
Ufostrahlen
#7 Posted : 6/14/2016 5:42:02 AM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
Quote:
I can move this file around, and store it anywhere, but as long as I am the only one with my password no one can access the info on that file?

Yes.


Quote:
Making it basically as secure as the ability to brute force my master password is?

Yes.

Quote:
Is this enough to keep my passwords safe to a reasonable extent...?

Yes.

Quote:

Access to the database is restricted by a master password or a key file. Both methods may be combined to create a "composite master key". If both methods are used, then both must be present to access the password database. KeePass version 2.x introduces a third option—dependency upon the current Windows user.[21] KeePass encrypts the database with the AES or Twofish symmetric ciphers. AES is the default option, and Twofish is available in 1.x, but is not available in version 2.x. However, a separate plugin provides Twofish as an encryption algorithm.

https://en.wikipedia.org/wiki/KeePass#Cryptography

Quote:

KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.
In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
Protection against dictionary and guessing attacks: by transforming the final master key very often, dictionary and guessing attacks can be made harder.
In-Memory Passwords Protection: Your passwords are encrypted while KeePass is running, so even when the operating system caches the KeePass process to disk, this wouldn't reveal your passwords anyway.
[2.x] Protected In-Memory Streams: When loading the inner XML format, passwords are encrypted using a session key.
Security-Enhanced Password Edit Controls: KeePass is the first password manager that features security-enhanced password edit controls. None of the available password edit control spies work against these controls. The passwords entered in those controls aren't even visible in the process memory of KeePass.
The master key dialog can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too.

http://keepass.info/features.html
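The quoted feature list describes three things that together answer the "as secure as brute-forcing my master password" question: the master password is hashed with SHA-256, an optional key file can be folded in to form a composite key, and the result is transformed many times so that every guess an attacker makes costs that many rounds. The following Python is an added illustration written for this thread, not code from KeePass or from any poster; the composite-key layout is a simplification, and the transform step uses iterated SHA-256 with a per-database seed as a stand-in for KeePass's AES-based key transformation. What it shows is the general key-stretching idea, not the exact .kdbx key schedule.

```python
"""Added example: KeePass-style composite master key plus key stretching.

Assumptions (not from the thread or from KeePass itself):
  * composite key = SHA-256(SHA-256(password) || SHA-256(key file))
  * transform     = `rounds` iterations of SHA-256(seed || key), then SHA-256
KeePass's real transform is AES-based; this is an illustrative stand-in.
"""
import hashlib
import os
from typing import Optional


def password_component(master_password: str) -> bytes:
    """The 'password hash' the quote refers to: SHA-256 of the UTF-8 password."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def key_file_component(key_file_bytes: bytes) -> bytes:
    """Second factor of a composite key: SHA-256 of the key file contents."""
    return hashlib.sha256(key_file_bytes).digest()


def composite_key(master_password: str, key_file_bytes: Optional[bytes] = None) -> bytes:
    """Fold every available factor into one 32-byte key.

    Because the factors are hashed together, a database protected by
    password AND key file cannot be opened with only one of them.
    """
    material = password_component(master_password)
    if key_file_bytes is not None:
        material += key_file_component(key_file_bytes)
    return hashlib.sha256(material).digest()


def transform_key(composite: bytes, transform_seed: bytes, rounds: int) -> bytes:
    """Stretch the composite key with `rounds` chained hash iterations.

    Each iteration mixes in the database's random seed, so an attacker pays
    `rounds` hashes per password candidate and cannot precompute a table
    that works across databases with different seeds.
    """
    if rounds < 1:
        raise ValueError("rounds must be positive")
    key = composite
    for _ in range(rounds):
        key = hashlib.sha256(transform_seed + key).digest()
    return hashlib.sha256(key).digest()


def derive_master_key(master_password: str, transform_seed: bytes, rounds: int,
                      key_file_bytes: Optional[bytes] = None) -> bytes:
    """Full pipeline: factors -> composite key -> stretched 32-byte master key."""
    return transform_key(composite_key(master_password, key_file_bytes),
                         transform_seed, rounds)


def hash_operations(candidates: int, rounds: int, key_file: bool = False) -> int:
    """Hash calls an attacker needs to test `candidates` passwords.

    Per candidate: 1 password hash, 1 key-file hash if present, 1 composite
    hash, `rounds` transform hashes and 1 final hash.
    """
    per_candidate = rounds + 3 + (1 if key_file else 0)
    return candidates * per_candidate


def seconds_to_exhaust(candidates: int, rounds: int, hashes_per_second: float,
                       key_file: bool = False) -> float:
    """Wall-clock cost of a dictionary of `candidates` words at a given hash rate."""
    return hash_operations(candidates, rounds, key_file) / hashes_per_second


if __name__ == "__main__":
    seed = os.urandom(32)            # constructed per-database transform seed
    key_file = b"constructed key file contents\n"
    print(derive_master_key("correct horse battery", seed, 6000).hex())
    print(derive_master_key("correct horse battery", seed, 6000, key_file).hex())
    # A one-million-word dictionary at ten million hashes per second:
    for r in (1, 6000, 600000):
        print(f"rounds={r:>7}: {seconds_to_exhaust(1_000_000, r, 1e7):.1f} s")
```

Raising the round count only slows the attacker linearly, which is why the quoted advice pairs it with a strong master password and, where the database is opened on an untrusted machine, a key file as a second factor; the composite construction above is what makes "both must be present" hold.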
 
brilliantlydim
#8 Posted : 6/14/2016 10:56:08 PM

DMT-Nexus member


Posts: 431
Joined: 13-Jun-2015
Last visit: 19-May-2019
Ufostrahlen wrote:
Quote:
I can move this file around, and store it anywhere, but as long as I am the only one with my password no one can access the info on that file?

Yes.


Quote:
Making it basically as secure as the ability to brute force my master password is?

Yes.

Quote:
Is this enough to keep my passwords safe to a reasonable extent...?

Yes.

Quote:

Access to the database is restricted by a master password or a key file. Both methods may be combined to create a "composite master key". If both methods are used, then both must be present to access the password database. KeePass version 2.x introduces a third option—dependency upon the current Windows user.[21] KeePass encrypts the database with the AES or Twofish symmetric ciphers. AES is the default option, and Twofish is available in 1.x, but is not available in version 2.x. However, a separate plugin provides Twofish as an encryption algorithm.

https://en.wikipedia.org/wiki/KeePass#Cryptography

Quote:

KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.
In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
Protection against dictionary and guessing attacks: by transforming the final master key very often, dictionary and guessing attacks can be made harder.
In-Memory Passwords Protection: Your passwords are encrypted while KeePass is running, so even when the operating system caches the KeePass process to disk, this wouldn't reveal your passwords anyway.
[2.x] Protected In-Memory Streams: When loading the inner XML format, passwords are encrypted using a session key.
Security-Enhanced Password Edit Controls: KeePass is the first password manager that features security-enhanced password edit controls. None of the available password edit control spies work against these controls. The passwords entered in those controls aren't even visible in the process memory of KeePass.
The master key dialog can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too.

http://keepass.info/features.html


Thank You Ufostrahlen
 
Ufostrahlen
#9 Posted : 6/16/2016 7:34:29 AM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
Yw!
 
Tryptallmine
#10 Posted : 6/23/2016 9:11:45 AM

DMT-Nexus member


Posts: 287
Joined: 03-Jan-2014
Last visit: 01-Nov-2017
KeePass, while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from, or whether it's simply for convenience, this may be a problem for you. Have a read up on KeeFarce - for those that are interested.
 
Ufostrahlen
#11 Posted : 6/23/2016 12:02:20 PM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
Related:
Quote:

KeePass has a mode in which the database is locked after a period of time, effectively wiping the keys from memory once they’re not required. This is a great idea (akin to timing out web application sessions) and minimises the feasibility of this attack in particular. But it’s also a hassle, it interferes with usability, so most people leave it disabled. Our advice? Use 2FA on the password database. This requires the attacker to ensure that both elements were compromised simultaneously (keys and password) to be able to re-open the database.

KeyFarce isn’t really malware; you have to be an admin to get anywhere near using this properly and if you are a privileged user you don’t need these tricks: just use a sniffer, install a certificate, install a key logger etc. and you’re in. There’s definitely been a knee jerk reaction to this tool.

https://www.pentestpartn...ll-use-a-password-vault/

http://arstechnica.com/s...s-from-password-manager/
 
nexalizer
#12 Posted : 6/29/2016 9:52:00 PM

DMT-Nexus member


Posts: 788
Joined: 18-Nov-2011
Last visit: 24-Sep-2024
Tryptallmine wrote:
KeePass, while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from, or whether it's simply for convenience, this may be a problem for you. Have a read up on KeeFarce - for those that are interested.


Not really compromised; the tool you mention needs privileged access to be able to do what it does.

KeePassX is good. Run it in a virtual machine if you can, one without a network connection (provided you can copy-paste to/from other virtual machines).

Ideally, run nothing but virtual machines, leave the actual computer with as little as you can, and disconnected from the network.

tldr: run QubesOS.
This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
 
Ufostrahlen
#13 Posted : 7/1/2016 8:41:31 PM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
nexalizer wrote:
tldr: run QubesOS.

Crazy idea, but one day I might do!
 
brilliantlydim
#14 Posted : 7/6/2016 3:03:23 AM

DMT-Nexus member


Posts: 431
Joined: 13-Jun-2015
Last visit: 19-May-2019
nexalizer wrote:
Tryptallmine wrote:
KeePass, while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from, or whether it's simply for convenience, this may be a problem for you. Have a read up on KeeFarce - for those that are interested.


Not really compromised; the tool you mention needs privileged access to be able to do what it does.



If your computer or OS was compromised in this way, even if you didn't use a password manager but only logged into secure sites from memory, wouldn't it still be possible for the attacker to use something that would steal your passwords?
 
Tryptallmine
#15 Posted : 7/6/2016 10:57:53 AM

DMT-Nexus member


Posts: 287
Joined: 03-Jan-2014
Last visit: 01-Nov-2017
nexalizer wrote:
Tryptallmine wrote:
KeePass, while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from, or whether it's simply for convenience, this may be a problem for you. Have a read up on KeeFarce - for those that are interested.


Not really compromised; the tool you mention needs privileged access to be able to do what it does.

KeePassX is good. Run it in a virtual machine if you can, one without a network connection (provided you can copy-paste to/from other virtual machines).

Ideally, run nothing but virtual machines, leave the actual computer with as little as you can, and disconnected from the network.

tldr: run QubesOS.


Qubes is actually quite good. I've been using it for the past 3 or so months with good results, and the idea of sandboxing KeePass is certainly the best way to go about it.
Priv escalation isn't exactly a mean feat if you're talking about Windows...
 