Topic: Seeking some online security advice. (Read 994 times)

hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
February 08, 2011, 08:26:56 AM
#4
KeePass is a good solution, and there are portable versions available for USB. But I would not recommend this: any untrusted machine you connect it to can copy the password file (it is encrypted) and then get your password when you type it to open the file to use.

There are also a number of ports for Java mobile phones, iPhone, Android.

I would recommend getting MyKeePass for the iPhone. Your passwords will be stored in an encrypted file, so when you sync with iTunes the synced file will be the encrypted one.

The KeePass file that stores the passwords and usernames (data really) can usually be shared. You can have KeePass on your home PC, and have it sync the file to... Dropbox. Then your MyKeePass on your iPhone can sync from that on the move. Or you can always sync the file using iTunes.

So a combination of MyKeePass on iPhone and KeePass on the desktop, keeping the password file synced. That should solve your password issue.

I want an iPhone.

administrator
Activity: 5222
Merit: 13032
February 08, 2011, 02:08:14 AM
#3
LastPass supports one-time passwords, which is the best solution for untrusted locations such as work computers. You print off a page filled with passwords, and use one of those whenever you need to log in. There's also an app for the iPhone.

LastPass uses client-side encryption, so it's pretty safe, even though there's a central server.

Quote: "The big problem is it is not password protected."

You're broadcasting everything unencrypted over a radio frequency. Not a good idea.

member
Activity: 77
Merit: 10
February 08, 2011, 01:32:34 AM
#2

Quote: "Lastly is a question about my home internet connection. I have a wireless router, which I'm actually plugged into via cable as I need the reliability, but it's still sitting there broadcasting. The big problem is it is not password protected. The bigger problem is that its firmware is in Korean (I live in Korea so that makes sense) which I don't read so I can't set the password. After a lengthy e-mail exchange with the manufacturer it's been determined there is no way to change the language to English. Apparently a special manufacturing run for Korea only so no way to make the change. How big a concern is that? Yes the neighbours can use my internet but how much at risk am I of someone accessing my PC? From a technical standpoint I should say, my risk of someone actually bothering because I have something they want is pretty low, but random hacker neighbour might be a concern."


High risk if somebody could be bothered, probably. Why not just get your Korean friend or workmate to set the password for you, or better yet, show you what to do?

hero member
Activity: 700
Merit: 500
February 08, 2011, 01:15:33 AM
#1
I've decided it's time to ramp up my online security and I know there are a lot of very competent people on this forum, so I figure this is the best place I know of to ask some questions. I was also thinking it might be an interesting exercise to see what people consider my vulnerabilities to be and what approaches can be taken to plug the leaks. This is a bit long so sorry for that but I wanted to make sure I covered everything.


So, the situation is thus:

I have 3 main internet access points. My home PC, my work PC, and my iPhone. I have a bajillion different websites and online accounts with passwords. There are very few sites where I use auto password features as I figure I'm better off forcing myself to remember passwords so I can still access things if I'm not using one of my main computers. I do use different passwords for almost everything, but they're not that different. I have a few basic templates with some variation based off of something about each website so I can generally always figure out what my password is even when I can't remember. Different types of accounts have different levels of complexity, i.e. forum passwords are a lot less robust than financial sites. That being said, all my passwords are basically shit, as I semi-knew, but finally really accepted when I started running them through this: http://www.passwordmeter.com/

At this point you're all thinking "Use KeePass dummy", which I've been considering but I'm unclear on a few points and their FAQ didn't really help. It sounds great when I'm sitting at my home PC and have my password DB all set up and good to go. However I'm not sure what happens when I'm not there. My work PC isn't really all that important, my work isn't very sensitive, but I do need to be able to access a range of different e-mail accounts while I'm there. That's easy now because I know the passwords, but if I use KeePass to make super safe passwords, what do I do then? Can I have a shared DB on the two computers or put it on my USB stick or what?

And what about my phone? I have a bunch of email addresses I need to be able to access from my phone. I have my accounts set to auto login on it so I don't have to enter all the passwords every time I refresh my inboxes. I also have my GPG private key on my phone so I can decrypt any emails I get using encryption without needing to be at home. I have the phone PIN protected and it's set to erase all the data after 10 failed entries. I figure that's pretty good protection in the event my phone is lost or stolen so I don't worry about the email passwords being discovered, and I don't have to worry about my GPG key being compromised. I can make robust passwords and set them up on the phone but how is that info secured within the iTunes software that backs my phone up? Is it possible for someone to get my passwords via that channel? Of course at that point someone is already in my home sitting at my PC so I've maybe got bigger problems if it's gotten that far lol.

I also have an online poker account that I run a certain amount of business through. The poker client itself is pretty secure with a password level and an RSA token level so I'm not too worried about the client itself. Most poker account hacks happen when someone's email is compromised and the attacker uses the e-mail address to have the client password reset. I combat that by having a unique e-mail account that is used solely for the purpose of communicating with the poker site. No one knows that address but me and the site so that should be pretty safe, you can't attack an e-mail account that you don't know exists to the best of my knowledge. That e-mail address is linked to my phone, and needs to be as I need to know when I get fund transfer confirmation emails and stuff like that, but I think I'm ok there due to the PIN protection I mentioned in the last paragraph.

Lastly is a question about my home internet connection. I have a wireless router, which I'm actually plugged into via cable as I need the reliability, but it's still sitting there broadcasting. The big problem is it is not password protected. The bigger problem is that its firmware is in Korean (I live in Korea so that makes sense) which I don't read so I can't set the password. After a lengthy e-mail exchange with the manufacturer it's been determined there is no way to change the language to English. Apparently a special manufacturing run for Korea only so no way to make the change. How big a concern is that? Yes the neighbours can use my internet but how much at risk am I of someone accessing my PC? From a technical standpoint I should say, my risk of someone actually bothering because I have something they want is pretty low, but random hacker neighbour might be a concern.

Now, all that being said, and thank you if you bothered to read it all, what can I do to improve my situation? Are there any factors I'm not considering, things I'm worried about that I don't need to be, or places I think I'm safe but really just aren't?