Solved

Is it safer to copy and paste or type in passwords?

Posted on 2014-04-15
Last Modified: 2014-04-18
I use Roboform Everywhere for my passwords, on my own desktop computer at home, when I'm traveling with a laptop and occasionally when I'm on someone else's computer.
I have Windows 7, 8 and even an XP machine at home.  

Even when I'm on my own computer I try to use their virtual keyboard to put in my master password or copy and paste from an encrypted file. I've assumed this is safer than typing, because of the possibility of keyloggers. Is this assumption correct?
 
Is it safe to use Roboform Everywhere on public computers?

Thanks,
Al
Question by:alanlsilverman
13 Comments
 
LVL 90

Accepted Solution

by:
John Hurst earned 200 total points
I use a local password manager and only on my own computers. The data is encrypted and access is only by password.

I never know what might afflict someone's computer that is not mine. Also, Copy leaves tracks for as long as the user is logged on (copy tracks go away on restart, log off, or shutdown).

So I guess I would be concerned with either approach, but if the copy is encrypted as you say it is, then it is probably OK.

Yes, I would be concerned about key loggers in an unfamiliar environment.
0
 
LVL 10

Expert Comment

by:Rafael
You can, but it's not best practice as you may have an inadvertent character added or deleted.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 200 total points
Anything that is processed on an untrusted computer can be read out/ intercepted/ sniffed/ decrypted/whatever - with enough effort, everything is possible. Don't use untrusted computers of any kind in any way to process any "interesting" data.

There are keyloggers that may not be able to catch all keystrokes typed on all types of virtual keyboards, yes, but so what? The computer remains untrusted. It could do screen recordings and many more and you would not even know.
0
 
LVL 53

Expert Comment

by:McKnife
Ok, 2nd try :)
Of course, using methods that differ from standard use cases/setups will defeat most possible attacks. You would, however, live in uncertainty.
For using untrusted computers, you should carry some sort of live system with you (Knoppix/Windows 8 To Go).
0
 

Author Comment

by:alanlsilverman
John Hurst,
By "local password manager" you mean like the installed desktop version of Roboform or LastPass?  Do you type in your master password or use a virtual keyboard, or, like me, copy and paste?

 rcaballerojr, I'm not sure what you mean, 'have a character added or deleted'.  If that's in pasting in the master password, it would just mean the password would be rejected.
0
 
LVL 10

Assisted Solution

by:Rafael
Rafael earned 50 total points
As a follow up. I use Password Safe. It's exportable, 256 AES secure and you can even run it off a thumb drive.

http://passwordsafe.sourceforge.net/
0
 
LVL 90

Expert Comment

by:John Hurst
By "local password manager", yes, I mean an installed application on the desktop. There are many, but I use an old one called Password Corral that has Blowfish encryption (and one other, I think). The passwords stored basically cannot be figured out so far as I know. Access to the manager is by strong password.

I can export the file (encrypted) and move it to my desktop computer so I have it in both places.

It is just one way, but I keep passwords, secure web addresses, software keys and so on in this manager and it keeps all this in one place.

I have considered a newer application that would also work on my iPhone but sloth has prevented that so far.

Key point:  I keep the passwords local on a very secured computer (hard drive password).
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 50 total points
Unless the application is able to send the output directly to an application, circumventing any keyboard and clipboard hooks, it is not safe. As has been said, you can't ensure a secure path between your password application and the input receiver without having full control over what is installed on the machine you run them.
0
 

Author Comment

by:alanlsilverman
Is there any way to manually clear the memory of what’s on the clipboard in a copy and paste?  My guess is that there are more computers infected with keyloggers than those with screen recordings but I’m sure there are no reliable statistics covering these probabilities, or none we might find.  I guess the issue then is trying to gauge relative safety, or a level of safety that is “safe enough, all things considered”.
0
 
LVL 90

Expert Comment

by:John Hurst
Trying to erase the copy contents could be messy because there are so many applications.

For Windows Copy, you can look at the article below to erase contents.

http://windowsclipboard.com/clear-clipboard/

I have not used this (no need) but it appears that you can do it.
0
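One way to do the clipboard clearing asked about above, as an added example that is not part of the original thread: a PowerShell function that places a secret on the clipboard and clears it after a timeout, but only if the clipboard still holds that secret. The function name `Copy-SecretWithTimeout` and the 15-second default are assumptions for illustration; it assumes Windows and an STA PowerShell session (the default console mode in Windows PowerShell 3.0 and later).

```powershell
# Added example, not from the thread. Copy-SecretWithTimeout is a hypothetical name.
Add-Type -AssemblyName System.Windows.Forms

function Copy-SecretWithTimeout {
    param(
        [Parameter(Mandatory)] [securestring] $Secret,
        [int] $Seconds = 15   # assumed default; pick what suits your workflow
    )

    # Convert the SecureString to plain text, then zero the unmanaged copy.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # Clipboard.SetText rejects empty strings, so bail out early.
    if ([string]::IsNullOrEmpty($plain)) {
        Write-Host 'Empty secret; clipboard left untouched.'
        return
    }

    [System.Windows.Forms.Clipboard]::SetText($plain)
    Write-Host "Secret on clipboard; clearing in $Seconds seconds."
    Start-Sleep -Seconds $Seconds

    # Leave the clipboard alone if something else has been copied since.
    if ([System.Windows.Forms.Clipboard]::ContainsText() -and
        [System.Windows.Forms.Clipboard]::GetText() -ceq $plain) {
        [System.Windows.Forms.Clipboard]::Clear()
        Write-Host 'Clipboard cleared.'
    } else {
        Write-Host 'Clipboard content changed; nothing cleared.'
    }
    $plain = $null
}

# Usage: prompt without echoing the secret, then paste within the time window.
Copy-SecretWithTimeout -Secret (Read-Host -Prompt 'Secret' -AsSecureString)
```

Clearing only shortens how long the value stays on the clipboard; a clipboard monitor already running on the machine at copy time has the value regardless, which is the point other replies in this thread make about untrusted computers.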
 
LVL 53

Expert Comment

by:McKnife
Alan,

Let's sum it up: you are seeking advice on how to handle password entries on untrusted computers. While it is surely safer to use virtual keyboards and Roboform, you have been made aware that these measures can be attacked, too. Given the fact that you don't know how good the attacker is, you cannot be sure. There is no "safe enough, all things considered" to be declared here.

Had you asked: "what can I do to get the best possible safety while entering passwords", you would possibly hear "use virtual keyboard software xy, it claims to be non-interceptible by keyloggers". But who can tell? Who has the expertise to judge the capabilities of all keyloggers there are? No one.

Had you asked "is it safe to use Roboform", then the answer is "no". As there are tools to monitor the clipboard, Roboform cannot be seen as safe.

So if you cannot make sure it is a trusted system and if you are not able to use live systems (knoppix, win8 togo, ... - which you haven't commented on, yet), then for security's sake, you should not enter passwords/data that are/is important.
0
 

Author Comment

by:alanlsilverman
You've been a great help.
Thanks to all.
Al
0
 
LVL 90

Expert Comment

by:John Hurst
@alanlsilverman - Thank you, and I was happy to help.
0
