Solved

Is it safer to copy and paste or type in passwords?

Posted on 2014-04-15
Last Modified: 2014-04-18
I use Roboform Everywhere for my passwords, on my own desktop computer at home, when I'm traveling with a laptop and occasionally when I'm on someone else's computer.
I have Windows 7, 8 and even an XP machine at home.  

Even when I'm on my own computer I try to use their virtual keyboard to put in my master password or copy and paste from an encrypted file. I've assumed this is safer than typing, because of the possibility of keyloggers. Is this assumption correct?
 
Is it safe to use Roboform Everywhere on public computers?

Thanks,
Al
Question by:alanlsilverman
13 Comments
 
LVL 95

Accepted Solution

by:
John Hurst earned 200 total points
ID: 40002782
I use a local password manager and only on my own computers. The data is encrypted and access is only by password.

I never know what might afflict someone's computer that is not mine. Also, Copy leaves tracks for as long as the user is logged on (copy tracks go away on restart, log off, or shutdown).

So I guess I would be concerned with either approach, but if the copy is encrypted as you say it is, then it is probably OK.

Yes, I would be concerned about key loggers in an unfamiliar environment.
0
 
LVL 10

Expert Comment

by:Rafael
ID: 40002783
You can, but it's not best practice as you may have an inadvertent character added or deleted.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 40002829
Anything that is processed on an untrusted computer can be read out/ intercepted/ sniffed/ decrypted/whatever - with enough effort, everything is possible. Don't use untrusted computers of any kind in any way to process any "interesting" data.

There are keyloggers that may not be able to catch all keystrokes typed on all types of virtual keyboards, yes, but so what? The computer remains untrusted. It could do screen recordings and many more and you would not even know.
0

 
LVL 54

Expert Comment

by:McKnife
ID: 40002834
Ok, 2nd try :)
Of course, using methods that differ from standard use cases/setups will defeat most possible attacks. You would, however, live in uncertainty.
For using untrusted computers, you should carry some sort of live system with you (Knoppix/Windows 8 To Go).
0
 

Author Comment

by:alanlsilverman
ID: 40002924
John Hurst,
By "local password manager" you mean like the installed desktop version of Roboform or LastPass?  Do you type in your master password or use a virtual keyboard, or, like me, copy and paste?

rcaballerojr, I'm not sure what you mean, 'have a character added or deleted'. If that's in pasting in the master password, it would just mean the password would be rejected.
0
 
LVL 10

Assisted Solution

by:Rafael
Rafael earned 50 total points
ID: 40002928
As a follow up. I use Password Safe. It's exportable, 256 AES secure and you can even run it off a thumb drive.

http://passwordsafe.sourceforge.net/
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40002933
By "local password manager", yes, I mean an installed application on the desktop. There are many, but I use an old one called Password Corral that has Blowfish encryption (and one other, I think). The passwords stored basically cannot be figured out so far as I know. Access to the manager is by strong password.

I can export the file (encrypted) and move it to my desktop computer so I have it in both places.

It is just one way, but I keep passwords, secure web addresses, software keys and so on in this manager and it keeps all this in one place.

I have considered a newer application that would also work on my iPhone but sloth has prevented that so far.

Key point:  I keep the passwords local on a very secured computer (hard drive password).
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 50 total points
ID: 40004026
Unless the application is able to send the output directly to an application, circumventing any keyboard and clipboard hooks, it is not safe. As has been said, you can't ensure a secure path between your password application and the input receiver without having full control over what is installed on the machine you run them.
0
 

Author Comment

by:alanlsilverman
ID: 40005554
Is there any way to manually clear the memory of what’s on the clipboard in a copy and paste?  My guess is that there are more computers infected with keyloggers than those with screen recordings but I’m sure there are no reliable statistics covering these probabilities, or none we might find.  I guess the issue then is trying to gauge relative safety, or a level of safety that is “safe enough, all things considered”.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40005567
Trying to erase the copy contents could be messy because there are so many applications.

For Windows Copy, you can look at the article below to erase contents.

http://windowsclipboard.com/clear-clipboard/

I have not used this (no need) but it appears that you can do it.
0
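An added example, not part of the original thread or the linked article: one way to clear the Windows clipboard after pasting a password, using the .NET clipboard API from PowerShell. The function name `Copy-SecretWithTimeout` and the sample value are hypothetical, and the code assumes Windows PowerShell 3.0 or later, whose console runs single-threaded (STA) as that API requires.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0+,
# whose console host runs in STA mode, which the .NET clipboard API needs.
Add-Type -AssemblyName System.Windows.Forms

function Copy-SecretWithTimeout {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $Secret,
        [int] $Seconds = 15
    )

    # Place the secret on the clipboard so it can be pasted once.
    [System.Windows.Forms.Clipboard]::SetText($Secret)
    Write-Host "Copied. Clipboard will be cleared in $Seconds seconds."
    Start-Sleep -Seconds $Seconds

    # Clear only if our secret is still there, so that something the
    # user copied in the meantime is not destroyed.
    if ([System.Windows.Forms.Clipboard]::ContainsText() -and
        [System.Windows.Forms.Clipboard]::GetText() -ceq $Secret) {
        [System.Windows.Forms.Clipboard]::Clear()
        return $true
    }
    return $false
}

# Constructed sample value, not a real password.
$cleared = Copy-SecretWithTimeout -Secret 'correct-horse-EXAMPLE' -Seconds 10
"Clipboard cleared: $cleared"
```

Clearing shortens how long the value sits on the clipboard; it does not undo a read by a clipboard monitor that was running while the value was there, which is the limitation raised elsewhere in this thread.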
 
LVL 54

Expert Comment

by:McKnife
ID: 40006021
Alan,

Let's sum it up: you are seeking advice on how to handle password entries on untrusted computers. While it is surely safer to use virtual keyboards and roboform, you have been made aware that these measures can be attacked, too. Given the fact that you don't know how good the attacker is, you cannot be sure. There is no "safe enough, all things considered" to be declared here.

Had you asked: "what can I do to get the best possible safety while entering passwords", you would possibly hear "use virtual keyboard software xy, it claims to be non-interceptible by keyloggers". But who can tell? Who has the expertise to judge the capabilities of all keyloggers there are? No one.

Had you asked "is it safe to use roboform", then the answer is "no". As there are tools to monitor the clipboard, roboform cannot be seen as safe.

So if you cannot make sure it is a trusted system and if you are not able to use live systems (knoppix, win8 togo, ... - which you haven't commented on, yet), then for security's sake, you should not enter passwords/data that are/is important.
0
 

Author Comment

by:alanlsilverman
ID: 40008560
You've been a great help.
Thanks to all.
Al
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 40008571
@alanlsilverman - Thank you, and I was happy to help.
0
