brilliantlydim
Rising Star
Hello all, wondering if any of you fine people have a suggestion for a good digital vault for storing things like passwords, usernames, credit card numbers, files, etc. on my android device.
Thanks
I can move this file around, and store it anywhere, but as long as I am the only one with my password no one can access the info on that file?
Yes.
Making it basically as secure as the ability to brute force my master password is?
Yes.
Is this enough to keep my passwords safe to a reasonable extent...?
Yes.
Access to the database is restricted by a master password or a key file. Both methods may be combined to create a "composite master key". If both methods are used, then both must be present to access the password database. KeePass version 2.x introduces a third option—dependency upon the current Windows user.[21] KeePass encrypts the database with the AES or Twofish symmetric ciphers. AES is the default option, and Twofish is available in 1.x, but is not available in version 2.x. However, a separate plugin provides Twofish as an encryption algorithm.
KeePass - Wikipedia
en.wikipedia.org
KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm to encrypt its password databases. Both of these ciphers are regarded as being very secure. AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.
The complete database is encrypted, not only the password fields. So, your user names, notes, etc. are encrypted, too.
SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms.
In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
Protection against dictionary and guessing attacks: by transforming the final master key very often, dictionary and guessing attacks can be made harder.
In-Memory Passwords Protection: Your passwords are encrypted while KeePass is running, so even when the operating system caches the KeePass process to disk, this wouldn't reveal your passwords anyway.
[2.x] Protected In-Memory Streams: When loading the inner XML format, passwords are encrypted using a session key.
Security-Enhanced Password Edit Controls: KeePass is the first password manager that features security-enhanced password edit controls. None of the available password edit control spies work against these controls. The passwords entered in those controls aren't even visible in the process memory of KeePass.
The master key dialog can be shown on a secure desktop, on which almost no keylogger works. Auto-Type can be protected against keyloggers, too.
Features - KeePass
keepass.info
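To make the quoted description concrete (a composite master key built from the password plus an optional key file, a key transformation repeated many times to slow down guessing, and the point above that the vault is then only as strong as a guess at the master password), here is an added example. It is not code from the thread or from KeePass itself and uses only Python's standard library. The composite-key structure follows the quoted text; the transformation step substitutes SHA-256 rounds for KeePass's own AES-based transform, and the stored check value, transform seed, key file and attacker word list are all constructed for the demo.

```python
import hashlib
import time
from typing import Optional

# Constructed sample data (not from the thread): a transform seed that a vault would
# store in the clear next to the ciphertext, a 32-byte key file, and a tiny word list.
TRANSFORM_SEED = bytes.fromhex("a3" * 32)
SAMPLE_KEYFILE = bytes(range(32))
WORDLIST = ["password", "123456", "letmein", "sunshine", "qwerty", "dragon"]
ROUNDS = 6000  # real vaults use far more; kept small so the demo runs quickly


def composite_key(password: str, keyfile: Optional[bytes] = None) -> bytes:
    """Composite master key as the quoted text describes it: SHA-256 of the password,
    SHA-256 of the key file if one is used, concatenated and hashed again. Without the
    key file bytes the same password yields a different key, so both factors are needed."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if keyfile is not None:
        parts.append(hashlib.sha256(keyfile).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def transform_key(key: bytes, seed: bytes, rounds: int) -> bytes:
    """Iterate a seeded transformation `rounds` times so every guess costs the same work.
    KeePass runs AES rounds under its transform seed; SHA-256 stands in here so the
    example needs only the standard library (an assumption, not KeePass's code)."""
    for _ in range(rounds):
        key = hashlib.sha256(seed + key).digest()
    return hashlib.sha256(key).digest()


def derive_master_key(password: str, keyfile: Optional[bytes],
                      seed: bytes = TRANSFORM_SEED, rounds: int = ROUNDS) -> bytes:
    return transform_key(composite_key(password, keyfile), seed, rounds)


def check_value(master_key: bytes) -> bytes:
    """Illustrative verifier stored beside the ciphertext so a candidate key can be
    tested without decrypting the whole file (KeePass's own check differs)."""
    return hashlib.sha256(b"vault-check:" + master_key).digest()


def dictionary_attack(stored_check: bytes, wordlist, keyfile: Optional[bytes],
                      seed: bytes = TRANSFORM_SEED, rounds: int = ROUNDS) -> Optional[str]:
    """What someone holding a copy of the vault file can do: derive a key per candidate
    password and compare. Returns the recovered password or None."""
    for guess in wordlist:
        if check_value(derive_master_key(guess, keyfile, seed, rounds)) == stored_check:
            return guess
    return None


def seconds_per_guess(rounds: int, seed: bytes = TRANSFORM_SEED, samples: int = 5) -> float:
    """Measure the cost of one guess; more rounds make a dictionary attack proportionally slower."""
    start = time.perf_counter()
    for i in range(samples):
        derive_master_key("timing-probe-%d" % i, None, seed, rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = check_value(derive_master_key("sunshine", None))
    print("weak password, no key file  ->", dictionary_attack(weak, WORDLIST, None))
    two_factor = check_value(derive_master_key("sunshine", SAMPLE_KEYFILE))
    print("weak password + key file, attacker lacks key file ->",
          dictionary_attack(two_factor, WORDLIST, None))
    strong = check_value(derive_master_key("correct horse battery staple 7!", None))
    print("strong password, no key file ->", dictionary_attack(strong, WORDLIST, None))
    print("cost per guess: 1 round %.2e s, %d rounds %.2e s"
          % (seconds_per_guess(1), ROUNDS, seconds_per_guess(ROUNDS)))
```

Running it shows the three cases the thread is arguing about: a dictionary password falls to a short word list when the file is the only thing protecting it, the same weak password survives that attack if the attacker never obtained the key file, and a long passphrase is simply not in the list. The timing line shows that the round count buys a linear slowdown per guess and nothing more, which is why the master password itself still carries the weight.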
KeePass has a mode in which the database is locked after a period of time, effectively wiping the keys from memory once they’re not required. This is a great idea (akin to timing out web application sessions) and minimises the feasibility of this attack in particular. But it’s also a hassle, it interferes with usability, so most people leave it disabled. Our advice? Use 2FA on the password database. This requires the attacker to ensure that both elements were compromised simultaneously (keys and password) to be able to re-open the database.
KeeFarce isn’t really malware; you have to be an admin to get anywhere near using this properly, and if you are a privileged user you don’t need these tricks: just use a sniffer, install a certificate, install a key logger etc. and you’re in. There’s definitely been a knee-jerk reaction to this tool.
Concerned about KeeFarce? Don’t be. Why you should still use a password vault | Pen Test Partners (www.pentestpartners.com)
How safe are password vaults/managers? The recent sharing of KeeFarce, a hacking tool for KeePass, saw widespread alarm over whether we should be entrusting these services with our passwords. But let’s not throw the baby out with the bath water. Password vaults are more safe than the alternative...
Tryptallmine said: KeePass, while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from, or whether simply for convenience, this may be a problem for you. Have a read up on KeeFarce, for those that are interested.
nexalizer said: tldr: run QubesOS.
Crazy idea, but one day I might do!
nexalizer said: Tryptallmine said: KeePass, while not too bad, was actually compromised in 2015. Depending on who you're trying to keep passwords safe from, or whether simply for convenience, this may be a problem for you. Have a read up on KeeFarce, for those that are interested.
Not really compromised, the tool you mention needs privileged access to be able to do what it does.
KeePassX is good. Run it in a virtual machine if you can, one without a network connection (provided you can copy-paste to/from other virtual machines).
Ideally, run nothing but virtual machines, leave the actual computer with as little as you can, and disconnected from the network.
tldr: run QubesOS.