Storing passwords and associated security questions - X-post

At the moment I keep a folder (well, more than one) with details like online access passwords and security questions for various accounts. Passwords kept with all the other paper work for the account.

Recently I unexpectedly needed some details whilst away from home, so the system failed!

I am planning now to record the details on portable media for future proofing. This also allows random answers to obvious questions like mother's maiden name, first school etc.

I know you can get password managers which can sync between devices but this places a lot of trust in a remote service, and LastPass has had some bad press recently.

Assuming that I don't necessarily want automatic generation of long random passwords and then pasting of them into web browser fields is there any reason not to use a flat file (or simple spreadsheet) to record all the details then use a free encryption package to secure them?

Probably stored on a USB stick.

The main platform would be Windows < 10 but Android support would be a bonus.

The solution should work on the home desktops and the travelling laptops, so not tied to one PC.

This would also assist in a long overdue upgrade in general security.

Any recommendations most welcome.

Cheers

Dave R

Reply to
David

I think - despite the issues recently documented - having a password manager is more secure than not

How will you get your USB stick into an Android device?

Which means the foreign PC needs to be able to run whatever you have encrypted the USB stick with.

There are some FOSS password managers that work with local files only - thus keeping you in control. However, when I looked for a replacement for Lastpass, they just didn't float my boat. The extra fiddling needed far outweighed any advantage of security.

Personally I would still suggest Lastpass on the basis that (a) no security is 100% and (b) using it will place you about the 80% of people who don't. And in general they are more the target of the hacks you read about. If I say that sometimes *I* find Lastpass insistence on security a PITA, then it must be doing a good job :) They claim your data is never transmitted or stored remotely unencrypted. And if you set up 2FA, it can't be used on any unknown devices.

Reply to
Jethro_uk

Roboform

formatting link

Works well for me. It can sync across multiple Windows PCs and there is a (limited but adequate) version that runs on Android mobile phones too.

Reply to
TMack

memory sticks with microUSB OTG plugs instead of (or as well as) full size USB plugs have been available for some while, e.g.

Reply to
Andy Burns

I've used Keypass for years, it has some complicated options, but you don't have to use them. Works off a USB stick as well, and there is a compatible app for Android that will open the encrypted data file(s).

formatting link

Reply to
Davidm

These are handy too:

formatting link

Reply to
Rob Morley

There are many password managers that don't use a cloud service themselves, but will sync an encrypted keystore across devices using your own choice of cloud (Dropbox/Amazon Drive/Gdrive blah blah). Best of both worlds.

I use 1password and keepass for different things, with their keystores held on different cloud services. 1password because it is clever and has much browser/phone integration, keepass because it's very dumb and just has a 2fa keystore.

A folder of text files or even password-locked Excel sheet on a cloud drive or USB isn't quite the same thing, security wise...

Cheers - Jaimie

Reply to
Jaimie Vandenbergh

+1

"Don't leave home without it"

Reply to
Robin

Indeed. Keeping the passwords secure in memory is hard, and any homebrew solution is likely to do it wrong. Use something designed for the job by people who know what they're doing.

The other extreme is a paper passwords sheet, as used by German banks (iTAN): print out a few sheets of random passwords with an index number next to them. On your phone store the index numbers for each account, like this:

ebay: 456
amazon: 178

Then use the number to look up a password on your paper sheet. You might need to think of a scheme to mangle them into memorable shoe sizes or whatever your bank wants (don't write anything on the sheet).

If someone steals your sheet, they have a few hundred passwords to try - they'll likely get locked out beforehand[1]. If someone hacks your phone they only get the indexes, not the passwords. If they steal both, well you did put a PIN lock and encryption on your phone, didn't you?

Theo

[1] Unless they have a botnet available
Reply to
Theo
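Theo's indexed paper sheet, sketched as an added example (not code from any poster in this thread): it generates the printable sheet, the index-only note for the phone, and the odds that someone holding only the sheet guesses one account's password before lockout. The function names, the 300-entry sheet, the 14-character length and the 5-attempt lockout are assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: accepted by most sites
_rng = secrets.SystemRandom()                     # OS CSPRNG, not the default PRNG


def make_sheet(count=300, length=14):
    """Paper side: {index: password}, with unique random 3-digit indexes."""
    if not 0 < count <= 900:
        raise ValueError("only 900 three-digit indexes (100-999) exist")
    indexes = sorted(_rng.sample(range(100, 1000), count))
    return {i: "".join(secrets.choice(ALPHABET) for _ in range(length))
            for i in indexes}


def assign(sheet, accounts):
    """Phone side: account -> index only, never the password itself."""
    picks = _rng.sample(list(sheet), len(accounts))  # no index reused
    return dict(zip(accounts, picks))


def render(sheet, per_row=3):
    """Printable text: index and password only, no account names on paper."""
    cells = [f"{i}  {pw}" for i, pw in sheet.items()]
    rows = [cells[n:n + per_row] for n in range(0, len(cells), per_row)]
    return "\n".join("    ".join(row) for row in rows)


def stolen_sheet_odds(sheet_size, attempts_before_lockout):
    """Chance a thief with only the sheet hits one account's entry in time.

    One entry out of sheet_size is correct and guesses are not repeated,
    so the chance is attempts / sheet_size (capped at 1).
    """
    return min(attempts_before_lockout, sheet_size) / sheet_size


if __name__ == "__main__":
    sheet = make_sheet()
    phone_note = assign(sheet, ["ebay", "amazon"])  # constructed sample accounts
    print(render(sheet))
    print(phone_note)
    print(f"odds per account with 5 tries: {stolen_sheet_odds(len(sheet), 5):.1%}")
```

The odds figure covers a single account with a per-account lockout; it does not model the botnet case in the footnote.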

Lastpass if you trust them, for the convenience.

KeepassX and 2 data copies, one on your phone and one on a USB stick if you don't trust anyone else.

Reply to
Tim Watts

This posting is coming to you courtesy of someone else's computer with all necessary passwords etc from my Kingston DataTraveller Locker + G3 which has hardware encrypted storage which can only be accessed by password. 10 unsuccessful attempts at breaking that password and the drive automatically wipes itself clean.

Works for me.

Nick

Reply to
Nick Odell

Consider an encrypted folder on a PC/USB stick etc. to store all of your other passwords.

I use the free version found at

formatting link

The encrypted folder needs a strong password to gain access but with this method this password is the only one you have to remember. I use an easily memorable (to me) longish sentence as a password.

I also keep a paper copy of the folder contents in a very safe place as a backup.

Reply to
alan_m

Something like

formatting link

Reply to
dennis

Excel protected spreadsheets can be compromised, however one can make it more difficult to view the information. Just some suggestions.

column A list account
column B list password
column A reverse the list
column B reverse the passwords.
Space everything with a blank row in between
In the blank row put false information
Using conditional formatting linked to the `real` info have a cell that requires the correct code to hide/reveal the correct info.
Hide the code cell behind an image

And various other things can be done to frustrate an illegal intruder.

Reply to
ss

If you want to take the file out of your property, I would suggest encrypting it.

You can store and decode encrypted files on a mobile phone, or use an SD card.

For bank a/cs, I suggest using password reminders which no one but you would understand.

I can establish a VPN connection to my NAS, so I can retrieve data from anywhere that offers a reasonable internet connection.

Reply to
Michael Chare

David posted

I use freeware software

formatting link
to encrypt a flat text file containing account details. Not GCHQ-proof, but probably good enough for most practical purposes. I also keep a paper print-out in a safe place.

In principle, you could FTP the encrypted file to a hidden page on your website so you can download it from anywhere, without using a USB stick. (I don't because I rarely travel.)

Reply to
Handsome Jack

It would also need to take account of the recently very annoying tendency for web sites and services to impose password changes on you after a certain time. Yahoo seemed to want this. My answer was to close Yahoo email and use something else. To be honest it's only machine access and financial services that really need super security, the email suppliers are far more likely to compromise your data than anyone hacking it at your end if frequent history is anything to go by. This should all really be a thing of the past by now. We should find some biometric way to do it instead.

Brian

Reply to
Brian Gaff

I have solved most of the password problems by not having them. Writing down a couple is easy and means nothing to anyone who reads a scrap of paper.

Reply to
Capitol

You're kidding, aren't you? I have upwards of 150 in my password vault. OK, some of them are probably irrelevant (services I don't use any more, suppliers I don't deal with) but it's a long way from the "couple" that you write down.

Reply to
Henry Law

I use Dashlane for computer access of passwords. On my mobile I generally only want access to my bank accounts. These are numeric only. Based on the fact that I can remember car registration details with ease I keep a file on the phone with the bank ref and just the letters of that password. Easy to refresh my memory and the letters details are all I require. Incidentally I can remember car reg details going back over 60 years. (father's and mother's car reg details from when I was a lad, in a different country)

Reply to
fred
