Storing passwords and associated security questions - X-post

And/or to disable the ability to paste into a text field, requiring you to type the password in. Not so easy when it's 20 random characters ...

E.g., using a password manager.

In Firefox, you fix that by going to "about:config" & setting "dom.event.clipboardevents.enable" to "false".

Many thanks for that. Is there also a method of forcing the characters to be displayed as themselves instead of asterisks?

What happens if this USB keys breaks physically I;/ve seen and heard this happen in the lab. ? So I know it's possible.

My ageing Toshiba tablet has full size USB and SD card slots.

The Web Developer extension does this - and lots more.

Verbatim Memdiashare: A wireless USB stick equivalent. Accessible from PC or tablet.

Plus it will store your music and films. The larger version is more expensive but less likely to lose itself in your baggage.

If you are an unimportant single person I'm not convinced.

For an unimportant person it is unlikely anyone will invest any time cracking your home brew solution, as long as it is in some way non standard. It doesn't have to be particularly good just quirky.

On the other hand malicious third parties will invest considerable efforts trying to crack a standard widely used solution, even a well designed one is vulnerable. If one of these systems is cracked your account and details may be caught as one of millions exposed.

Yes, this is my main concern.

Something like LastPass is found to have a vulnerability and exploits will be all over the place on the web.

If you have an encrypted USB stick (with your own choice of encryption software) then you are mainly vulnerable to someone finding/stealing it and deciding to brute force it.

Security by obscurity isn't the greatest approach but it does have some advantages.

Cheers

Dave R

The thing is, it doesn't gain you very much.

Suppose you put your passwords in a password-protected Excel sheet. Excel has to decrypt it to show it to you. That means all your passwords are now in memory, in the clear.

All malware has to do is search through memory for strings like 'password' 'username' 'bank' 'NatWest' etc, and then exfiltrate any text nearby. It doesn't matter what format they're in, the malware doesn't care.

If you think this is implausible, this is exactly how disc forensics work - they don't care that the disc claims to be NTFS or FAT or whatever, they just search the raw bits. Memory forensics is similar.

Basically there is a high risk unless you keep up with the current threat models, and so it is better to pick an approach which has been carefully designed and scrutinised.

Theo