  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 973

Is it safer to copy and paste or type in passwords?

I use Roboform Everywhere for my passwords, on my own desktop computer at home, when I'm traveling with a laptop and occasionally when I'm on someone else's computer.
I have Windows 7, 8 and even an XP machine at home.  

Even when I'm on my own computer I try to use their virtual keyboard to put in my master password or copy and paste from an encrypted file. I've assumed this is safer than typing, because of the possibility of keyloggers.  Is this assumption correct?  
 
Is it safe to use Roboform Everywhere on public computers?

Thanks,
Al
0
alanlsilverman
Asked:
4 Solutions
 
John Hurst, Business Consultant (Owner) Commented:
I use a local password manager and only on my own computers. The data is encrypted and access is only by password.

I never know what might afflict someone's computer that is not mine. Also, Copy leaves tracks for as long as the user is logged on (copy tracks go away on restart, log off, or shutdown).

So I guess I would be concerned with either approach, but if the copy is encrypted as you say it is, then it is probably OK.

Yes, I would be concerned about key loggers in an unfamiliar environment.
0
 
Rafael Commented:
You can, but it's not best practice, as you may have an inadvertent character added or deleted.
0
 
McKnife Commented:
Anything that is processed on an untrusted computer can be read out/intercepted/sniffed/decrypted/whatever - with enough effort, everything is possible. Don't use untrusted computers of any kind in any way to process any "interesting" data.

There are keyloggers that may not be able to catch all keystrokes typed on all types of virtual keyboards, yes, but so what? The computer remains untrusted. It could do screen recordings and many more and you would not even know.
0
 
McKnife Commented:
Ok, 2nd try :)
Of course, using methods that differ from standard use cases/setups will defeat most possible attacks. You would, however, be left in uncertainty.
For using untrusted computers, you should carry some sort of live system with you (knoppix/windows 8 to go).
0
 
alanlsilverman (Author) Commented:
John Hurst,
By "local password manager" you mean like the installed desktop version of Roboform or LastPass?  Do you type in your master password or use a virtual keyboard, or, like me, copy and paste?

rcaballerojr, I'm not sure what you mean, 'have a character added or deleted'.  If that's in pasting in the master password, it would just mean the password would be rejected.
0
 
Rafael Commented:
As a follow up. I use Password Safe. It's exportable, 256 AES secure and you can even run it off a thumb drive.

http://passwordsafe.sourceforge.net/
0
 
John Hurst, Business Consultant (Owner) Commented:
By "local password manager", yes, I mean an installed application on the desktop. There are many, but I use an old one called Password Corral that has Blowfish encryption (and one other, I think). The passwords stored basically cannot be figured out so far as I know. Access to the manager is by strong password.

I can export the file (encrypted) and move it to my desktop computer so I have it in both places.

It is just one way, but I keep passwords, secure web addresses, software keys and so on in this manager and it keeps all this in one place.

I have considered a newer application that would also work on my iPhone but sloth has prevented that so far.

Key point:  I keep the passwords local on a very secured computer (hard drive password).
0
 
Qlemo, C++ Developer Commented:
Unless the application is able to send the output directly to an application, circumventing any keyboard and clipboard hooks, it is not safe. As has been said, you can't ensure a secure path between your password application and the input receiver without having full control over what is installed on the machine you run them.
0
 
alanlsilverman (Author) Commented:
Is there any way to manually clear the memory of what’s on the clipboard in a copy and paste?  My guess is that there are more computers infected with keyloggers than those with screen recordings but I’m sure there are no reliable statistics covering these probabilities, or none we might find.  I guess the issue then is trying to gauge relative safety, or a level of safety that is “safe enough, all things considered”.
0
 
John Hurst, Business Consultant (Owner) Commented:
Trying to erase the copy contents could be messy because there are so many applications.

For Windows Copy, you can look at the article below to erase contents.

http://windowsclipboard.com/clear-clipboard/

I have not used this (no need) but it appears that you can do it.
0
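
The timed clipboard clearing asked about above, as an added example that is not part of the thread or of any tool it mentions: copy a secret, wait, then clear the clipboard only if it still holds that secret. The function name `Copy-SecretWithTimeout` and the 15-second default are assumptions made for illustration.

```powershell
# Added example; Copy-SecretWithTimeout and its defaults are hypothetical.
# Needs Windows PowerShell 3.0 or later: the console runs STA, which the
# Windows Forms clipboard API requires.
Add-Type -AssemblyName System.Windows.Forms

function Copy-SecretWithTimeout {
    param(
        [Parameter(Mandatory = $true)][securestring]$Secret,
        [ValidateRange(1, 300)][int]$Seconds = 15
    )
    # Decrypt the SecureString and wipe the unmanaged copy right away.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    if ([string]::IsNullOrEmpty($plain)) { throw 'Secret is empty.' }

    [System.Windows.Forms.Clipboard]::SetText($plain)
    Start-Sleep -Seconds $Seconds

    # Clear only if the clipboard still holds the secret, so that something
    # the user copied in the meantime is not wiped.
    $stillOurs = [System.Windows.Forms.Clipboard]::ContainsText() -and
        ([System.Windows.Forms.Clipboard]::GetText() -ceq $plain)
    if ($stillOurs) { [System.Windows.Forms.Clipboard]::Clear() }
    $plain = $null

    # $true: the secret was removed; $false: the clipboard had already changed.
    return $stillOurs
}

# Usage (blocks for the timeout, then reports whether it cleared):
# $cleared = Copy-SecretWithTimeout -Secret (Read-Host -AsSecureString 'Secret') -Seconds 20
```

Clearing shortens the time the secret sits on the clipboard; it does not take back anything a clipboard monitor read while the secret was there.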
 
McKnife Commented:
Alan,

Let's sum it up: you are seeking advice on how to handle password entries on untrusted computers. While it is surely safer to use virtual keyboards and roboform, you have been made aware that these measures can be attacked, too. Given the fact that you don't know how good the attacker is, you cannot be sure. There is no "safe enough, all things considered" to be declared here.

Had you asked: "what can I do to get the best possible safety while entering passwords", you would possibly hear "use virtual keyboard software xy, it claims to be non-interceptible by keyloggers". But who can tell? Who has the expertise to judge the capabilities of all keyloggers there are? No one.

Had you asked "is it safe to use roboform", then the answer is "no". As there are tools to monitor the clipboard, roboform cannot be seen as safe.

So if you cannot make sure it is a trusted system and if you are not able to use live systems (knoppix, win8 togo, ... - which you haven't commented on, yet), then for security's sake, you should not enter passwords/data that are/is important.
0
 
alanlsilverman (Author) Commented:
You've been a great help.
Thanks to all.
Al
0
 
John Hurst, Business Consultant (Owner) Commented:
@alanlsilverman - Thank you, and I was happy to help.
0
