DMT-Nexus member
Posts: 431 Joined: 13-Jun-2015 Last visit: 19-May-2019
|
Hello all, wondering if any of you fine people have a suggestion for a good digital vault for storing things like passwords, usernames, credit card numbers, files, etc. on my android device.
Thanks
|
|
|
|
|
Hail the keys!
Posts: 553 Joined: 30-Aug-2014 Last visit: 07-Nov-2022
|
I use the paid version of Roboform on my computer. They also have a version for Android. It is very simple and relies on a master password - I definitely recommend it! "Think for yourself and question authority." - Leary
"To step out of ideology - it hurts. It's a painful experience. You must force yourself to do it." - Žižek
|
|
|
xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
|
|
|
|
DMT-Nexus member
Posts: 574 Joined: 24-Jan-2009 Last visit: 25-Aug-2023 Location: somewhere in the sands of time
|
I prefer KeePassX and KeePassDroid for Android. They're open source and free. It doesn't store your passwords on a server which is safer but also means you have to update any copies of your password database frequently, and you might need a File Manager installed on android to access your database once you transfer it onto your phone.
|
|
|
DMT-Nexus member
Posts: 431 Joined: 13-Jun-2015 Last visit: 19-May-2019
|
Thanks for the suggestions. I ended up downloading the Keepass2Android offline version, which I believe is based on the same program as the KeePassDroid, both being ports of KeePass.
So for any of you that are digital security savvy, I have a couple questions if you don't mind.
From what I gather, how this program works is it encrypts my passwords and such in a file (.kdbx file) that can only be unlocked by my master password that I selected. I can move this file around, and store it anywhere, but as long as I am the only one with my password no one can access the info on that file?
Making it basically as secure as the ability to brute force my master password is?
Is this enough to keep my passwords safe to a reasonable extent, or is there any thing else I should be aware of or do in order to keep them secret and the file secure?
|
|
|
DMT-Nexus member
Posts: 431 Joined: 13-Jun-2015 Last visit: 19-May-2019
|
Thanks for the suggestions. I ended up downloading the Keepass2Android offline version, which I believe is based on the same program as the KeePassDroid, both being ports of KeePass.
So for any of you that are digital security savvy, I have a couple questions if you don't mind.
From what I gather, how this program works is it encrypts my passwords and such in a file (.kdbx file) that can only be unlocked by my master password that I selected. I can move this file around, and store it anywhere, but as long as I am the only one with my password no one can access the info on that file?
Making it basically as secure as the ability to brute force my master password is?
Is this enough to keep my passwords safe to a reasonable extent, or is there any thing else I should be aware of or do in order to keep them secret and the file secure?
|
|
|
xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
|
Quote:I can move this file around, and store it anywhere, but as long as I am the only one with my password no one can access the info on that file? Yes. Quote:Making it basically as secure as the ability to brute force my master password is? Yes. Quote:Is this enough to keep my passwords safe to a reasonable extent...? Yes. Quote:Access to the database is restricted by a master password or a key file. Both methods may be combined to create a "composite master key". If both methods are used, then both must be present to access the password database. KeePass version 2.x introduces a third option—dependency upon the current Windows user.[21] KeePass encrypts the database with the AES or Twofish symmetric ciphers. AES is the default option, and Twofish is available in 1.x, but is not available in version 2.x. However, a separate plugin provides Twofish as an encryption algorithm. https://en.wikipedia.org/wiki/KeePass#Cryptography Quote:KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information. The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too. SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms. In contrast to many other hashing algorithms, no attacks are known yet against SHA-256. Protection against dictionary and guessing attacks: by transforming the final master key very often, dictionary and guessing attacks can be made harder. In-Memory Passwords Protection: Your passwords are encrypted while KeePass is running, so even when the operating system caches the KeePass process to disk, this wouldn't reveal your passwords anyway. [2.x] Protected In-Memory Streams: When loading the inner XML format, passwords are encrypted using a session key. Security-Enhanced Password Edit Controls: KeePass is the first password manager that features security-enhanced password edit controls. None of the available password edit control spies work against these controls. The passwords entered in those controls aren't even visible in the process memory of KeePass. The master key dialog can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too. http://keepass.info/features.html
|
|
|
DMT-Nexus member
Posts: 431 Joined: 13-Jun-2015 Last visit: 19-May-2019
|
Ufostrahlen wrote:Quote:I can move this file around, and store it anywhere, but as long as I am the only one with my password no one can access the info on that file? Yes. Quote:Making it basically as secure as the ability to brute force my master password is? Yes. Quote:Is this enough to keep my passwords safe to a reasonable extent...? Yes. Quote:Access to the database is restricted by a master password or a key file. Both methods may be combined to create a "composite master key". If both methods are used, then both must be present to access the password database. KeePass version 2.x introduces a third option—dependency upon the current Windows user.[21] KeePass encrypts the database with the AES or Twofish symmetric ciphers. AES is the default option, and Twofish is available in 1.x, but is not available in version 2.x. However, a separate plugin provides Twofish as an encryption algorithm. https://en.wikipedia.org/wiki/KeePass#Cryptography Quote:KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information. The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too. SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms. In contrast to many other hashing algorithms, no attacks are known yet against SHA-256. Protection against dictionary and guessing attacks: by transforming the final master key very often, dictionary and guessing attacks can be made harder. In-Memory Passwords Protection: Your passwords are encrypted while KeePass is running, so even when the operating system caches the KeePass process to disk, this wouldn't reveal your passwords anyway. [2.x] Protected In-Memory Streams: When loading the inner XML format, passwords are encrypted using a session key. Security-Enhanced Password Edit Controls: KeePass is the first password manager that features security-enhanced password edit controls. None of the available password edit control spies work against these controls. The passwords entered in those controls aren't even visible in the process memory of KeePass. The master key dialog can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too. http://keepass.info/features.html Thank You Ufostrahlen
|
|
|
xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
|
|
|
|
DMT-Nexus member
Posts: 287 Joined: 03-Jan-2014 Last visit: 01-Nov-2017
|
KeePass while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from or whether simply for convenience, may be a problem for you. Have a read up on KeeFarce - for those that are interested.
|
|
|
xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
|
Related: Quote:KeePass has a mode in which the database is locked after a period of time, effectively wiping the keys from memory once they’re not required. This is a great idea (akin to timing out web application sessions) and minimises the feasibility of this attack in particular. But it’s also a hassle, it interferes with usability, so most people leave it disabled. Our advice? Use 2FA on the password database. This requires the attacker to ensure that both elements were compromised simultaneously (keys and password) to be able to re-open the database. KeyFarce isn’t really malware; you have to be an admin to get anywhere near using this properly and if you are a privileged user you don’t need these tricks: just use a sniffer, install a certificate, install a key logger etc. and you’re in. There’s definitely been a knee jerk reaction to this tool. https://www.pentestpartn...ll-use-a-password-vault/ http://arstechnica.com/s...s-from-password-manager/
|
|
|
DMT-Nexus member
Posts: 788 Joined: 18-Nov-2011 Last visit: 25-Oct-2023
|
Tryptallmine wrote:KeePass while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from or whether simply for convenience, may be a problem for you. Have a read up on KeeFarce - for those that are interested.
Not really compromised, the tool you mention needs privileged access to be able to do what it does. KeePassX is good. Run it in a virtual machine if you can, one without a network connection (provided you can copy-paste to/from other virtual machines). Ideally, run nothing but virtual machines, leave the actual computer with as little as you can, and disconnected from the network. tldr: run QubesOS. This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
|
|
|
xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ
Posts: 1716 Joined: 23-Apr-2012 Last visit: 23-Jan-2017
|
nexalizer wrote:tldr: run QubesOS. Crazy idea, but one day I might do!
|
|
|
DMT-Nexus member
Posts: 431 Joined: 13-Jun-2015 Last visit: 19-May-2019
|
nexalizer wrote:Tryptallmine wrote:KeePass while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from or whether simply for convenience, may be a problem for you. Have a read up on KeeFarce - for those that are interested.
Not really compromised, the tool you mention needs privileged access to be able to do what it does. If your computer or OS was compromised in this way, even if you didn't use a password manager but only logged into secure sites from memory, wouldn't it still be possible for the attacker to use something in order would steal your passwords?
|
|
|
DMT-Nexus member
Posts: 287 Joined: 03-Jan-2014 Last visit: 01-Nov-2017
|
nexalizer wrote:Tryptallmine wrote:KeePass while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from or whether simply for convenience, may be a problem for you. Have a read up on KeeFarce - for those that are interested.
Not really compromised, the tool you mention needs privileged access to be able to do what it does. KeePassX is good. Run it in a virtual machine if you can, one without a network connection (provided you can copy-paste to/from other virtual machines). Ideally, run nothing but virtual machines, leave the actual computer with as little as you can, and disconnected from the network. tldr: run QubesOS. Qubes is actually quite good. I've been using it for the past 3 or so months with good results and the idea to sandbox KeePass is certainly the best way to go about it. Priv escalation isn't exactly a mean feat if you're talking about windows...
|