Storing passwords and associated security questions - X-post

At the moment I keep a folder (well, more than one) with details like online access passwords and security questions for various accounts. Passwords kept with all the other paperwork for the account.
Recently I unexpectedly needed some details whilst away from home, so the system failed!
I am planning now to record the details on portable media for future proofing. This also allows random answers to obvious questions like mother's maiden name, first school etc.
I know you can get password managers which can sync between devices but this places a lot of trust in a remote service, and LastPass has had some bad press recently.
Assuming that I don't necessarily want automatic generation of long random passwords and then pasting of them into web browser fields, is there any reason not to use a flat file (or simple spreadsheet) to record all the details then use a free encryption package to secure them?
Probably stored on a USB stick.
The main platform would be Windows < 10 but Android support would be a bonus.
The solution should work on the home desktops and the travelling laptops, so not tied to one PC.
This would also assist in a long overdue upgrade in general security.
Any recommendations most welcome.
Cheers
Dave R
--
AMD FX-6300 in GA-990X-Gaming SLI-CF running Windows 7 Pro x64

On Mon, 24 Apr 2017 12:37:19 +0000, David wrote:
<snip>

I think - despite the issues recently documented - having a password manager is more secure than not.

How will you get your USB stick into an Android device?

Which means the foreign PC needs to be able to run whatever you have encrypted the USB stick with.

There are some FOSS password managers that work with local files only - thus keeping you in control. However, when I looked for a replacement for Lastpass, they just didn't float my boat. The extra fiddling needed far outweighed any advantage of security.
Personally I would still suggest LastPass on the basis that (a) no security is 100% and (b) using it will place you above the 80% of people who don't. And in general they are more the target of the hacks you read about. If I say that sometimes *I* find LastPass's insistence on security a PITA, then it must be doing a good job :) They claim your data is never transmitted or stored remotely unencrypted. And if you set up 2FA, it can't be used on any unknown devices.
Jethro_uk wrote:

Memory sticks with microUSB OTG plugs instead of (or as well as) full size USB plugs have been available for some while, e.g.
<https://www.kingston.com/en/usb/otg>
On Mon, 24 Apr 2017 14:27:22 +0100

These are handy too: www.ebay.co.uk/itm/282337834517
On 24/04/2017 14:35, Rob Morley wrote:

+1
"Don't leave home without it"
--
Robin
reply-to address is (intended to be) valid
wrote:

My ageing Toshiba tablet has full size USB and SD card slots.
--
AnthonyL

On Monday, April 24, 2017 at 2:27:27 PM UTC+1, Andy Burns wrote:

Verbatim Mediashare: A wireless USB stick equivalent. Accessible from PC or tablet. (Amazon.com product link shortened)
Plus it will store your music and films. The larger version is more expensive but less likely to lose itself in your baggage.
On Mon, 24 Apr 2017 12:37:19 +0000, David wrote:

Roboform https://www.roboform.com/
Works well for me. It can sync across multiple Windows PCs and there is a (limited but adequate) version that runs on Android mobile phones too.
--
Tony
'09 FJR1300, '07 Street Triple OMF#24

I've used KeePass for years, it has some complicated options, but you don't have to use them. Works off a USB stick as well, and there is a compatible app for Android that will open the encrypted data file(s). http://keepass.info/

There are many password managers that don't use a cloud service themselves, but will sync an encrypted keystore across devices using your own choice of cloud (Dropbox/Amazon Drive/Gdrive blah blah). Best of both worlds.
I use 1Password and KeePass for different things, with their keystores held on different cloud services. 1Password because it is clever and has much browser/phone integration, KeePass because it's very dumb and just has a 2FA keystore.
A folder of text files or even a password-locked Excel sheet on a cloud drive or USB isn't quite the same thing, security-wise...
    Cheers - Jaimie
--
None of this will matter in 20 billion years.


Indeed. Keeping the passwords secure in memory is hard, and any homebrew solution is likely to do it wrong. Use something designed for the job by people who know what they're doing.
The other extreme is a paper passwords sheet, as used by German banks (iTAN): print out a few sheets of random passwords with an index number next to them. On your phone store the index numbers for each account, like this:
    ebay: 456
    amazon: 178
Then use the number to look up a password on your paper sheet. You might need to think of a scheme to mangle them into memorable shoe sizes or whatever your bank wants (don't write anything on the sheet).
If someone steals your sheet, they have a few hundred passwords to try - they'll likely get locked out beforehand[1]. If someone hacks your phone they only get the indexes, not the passwords. If they steal both, well you did put a PIN lock and encryption on your phone, didn't you?
Theo
[1] Unless they have a botnet available
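
The paper-sheet scheme described in the post above, sketched as an added example (it is not part of the original post). The function names, sheet size, password length and lockout figure are assumptions chosen for illustration, and the account names are constructed.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: alphanumeric passwords

def make_sheet(rows=300, length=12, index_range=1000):
    """Return {index: password}; indexes are unique and randomly chosen."""
    if rows > index_range:
        raise ValueError("more rows than available index numbers")
    rng = secrets.SystemRandom()  # OS CSPRNG, not the default Mersenne Twister
    indexes = rng.sample(range(index_range), rows)
    return {i: "".join(secrets.choice(ALPHABET) for _ in range(length))
            for i in sorted(indexes)}

def assign(sheet, accounts):
    """Pick a distinct sheet index per account. This map is what lives on the phone."""
    rng = secrets.SystemRandom()
    picks = rng.sample(sorted(sheet), len(accounts))
    return dict(zip(accounts, picks))

def render(sheet, columns=3):
    """Text for printing: index and password only, never an account name."""
    cells = [f"{i:03d}  {pw}" for i, pw in sheet.items()]
    return "\n".join("   ".join(cells[r:r + columns])
                     for r in range(0, len(cells), columns))

def lookup(sheet, phone_map, account):
    """What the owner does by eye: phone gives the index, paper gives the password."""
    return sheet[phone_map[account]]

def thief_success_chance(sheet, lockout_attempts):
    """Chance that someone holding only the sheet guesses one account's
    password before that account locks them out."""
    return min(1.0, lockout_attempts / len(sheet))

if __name__ == "__main__":
    sheet = make_sheet()
    phone = assign(sheet, ["ebay", "amazon"])  # constructed account names
    print(render(sheet))
    print(phone)
    print(f"sheet-only thief, 5 tries per account: {thief_success_chance(sheet, 5):.1%}")
```

Print the `render` output and do not keep the file; only the account-to-index map belongs on the phone.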
On 24/04/2017 16:18, Theo wrote:

If you are an unimportant single person I'm not convinced.
For an unimportant person it is unlikely anyone will invest any time cracking your home brew solution, as long as it is in some way non-standard. It doesn't have to be particularly good, just quirky.
On the other hand malicious third parties will invest considerable efforts trying to crack a standard widely used solution; even a well-designed one is vulnerable. If one of these systems is cracked your account and details may be caught as one of millions exposed.
On Thu, 27 Apr 2017 23:40:04 +0100, Nick wrote:

Yes, this is my main concern.
Something like LastPass is found to have a vulnerability and exploits will be all over the place on the web.
If you have an encrypted USB stick (with your own choice of encryption software) then you are mainly vulnerable to someone finding/stealing it and deciding to brute force it.
Security by obscurity isn't the greatest approach but it does have some advantages.
Cheers
Dave R
--
AMD FX-6300 in GA-990X-Gaming SLI-CF running Windows 7 Pro x64


The thing is, it doesn't gain you very much.
Suppose you put your passwords in a password-protected Excel sheet. Excel has to decrypt it to show it to you. That means all your passwords are now in memory, in the clear.
All malware has to do is search through memory for strings like 'password' 'username' 'bank' 'NatWest' etc, and then exfiltrate any text nearby. It doesn't matter what format they're in, the malware doesn't care.
If you think this is implausible, this is exactly how disc forensics works - they don't care that the disc claims to be NTFS or FAT or whatever, they just search the raw bits. Memory forensics is similar.
Basically there is a high risk unless you keep up with the current threat models, and so it is better to pick an approach which has been carefully designed and scrutinised.
Theo
On 24/04/17 13:37, David wrote:

LastPass if you trust them, for the convenience.
KeePassX and 2 data copies, one on your phone and one on a USB stick if you don't trust anyone else.

This posting is coming to you courtesy of someone else's computer with all necessary passwords etc from my Kingston DataTraveller Locker + G3 which has hardware encrypted storage which can only be accessed by password. 10 unsuccessful attempts at breaking that password and the drive automatically wipes itself clean.
Works for me.
Nick
On Monday, 24 April 2017 17:57:35 UTC+1, Nick Odell wrote:

What happens if this USB key breaks physically? I've seen and heard this happen in the lab, so I know it's possible.

Nothing special, you just use the spare.

Yeah, I still give what I torrent for the neighbours' kids who I let use my internet using USB sticks for the speed and they do die occasionally.
On Wednesday, 26 April 2017 20:40:03 UTC+1, Rod Speed wrote:

Fine if you carry a spare of everything. Do you carry a spare mobile, spare underwear etc.? Most people should have a spare but NOT carried with them.

Unlike most HDs, there's a good chance they'll get damaged manually long before they are electrically, or of course lost. We get one or two a week left in the lab, but more come up to me asking "have you been handed a USB stick?"


HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.