Solved

Is it safer to copy and paste or type in passwords?

Posted on 2014-04-15
Last Modified: 2014-04-18
I use Roboform Everywhere for my passwords, on my own desktop computer at home, when I'm traveling with a laptop and occasionally when I'm on someone else's computer.
I have Windows 7, 8 and even an XP machine at home.  

Even when I'm on my own computer I try to use their virtual keyboard to put in my master password or copy and paste from an encrypted file. I've assumed this is safer than typing, because of the possibility of keyloggers.  Is this assumption correct?  
 
Is it safe to use Roboform Everywhere on public computers?

Thanks,
Al
Question by:alanlsilverman
13 Comments
 
LVL 93

Accepted Solution

by:
John Hurst earned 200 total points
ID: 40002782
I use a local password manager and only on my own computers. The data is encrypted and access is only by password.

I never know what might afflict someone's computer that is not mine. Also, Copy leaves tracks for as long as the user is logged on (copy tracks go away on restart, log off, or shutdown).

So I guess I would be concerned with either approach, but if the copy is encrypted as you say it is, then it is probably OK.

Yes, I would be concerned about key loggers in an unfamiliar environment.
 
LVL 10

Expert Comment

by:Rafael
ID: 40002783
You can, but it's not best practice as you may have an inadvertent character added or deleted.
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 40002829
Anything that is processed on an untrusted computer can be read out/ intercepted/ sniffed/ decrypted/whatever - with enough effort, everything is possible. Don't use untrusted computers of any kind in any way to process any "interesting" data.

There are keyloggers that may not be able to catch all keystrokes typed on all types of virtual keyboards, yes, but so what? The computer remains untrusted. It could do screen recordings and many more and you would not even know.

 
LVL 54

Expert Comment

by:McKnife
ID: 40002834
Ok, 2nd try :)
Of course, using methods that differ from standard use cases/setups will defeat most possible attacks. You would, however, be left in uncertainty.
For using untrusted computers, you should carry some sort of live system with you (knoppix/windows 8 to go).
 

Author Comment

by:alanlsilverman
ID: 40002924
John Hurst,
By "local password manager" you mean like the installed desktop version of Roboform or LastPass?  Do you type in your master password or use a virtual keyboard, or, like me, copy and paste?

 rcaballerojr, I'm not sure what you mean, 'have a character added or deleted'.  If that's in pasting in the master password, it would just mean the password would be rejected.
 
LVL 10

Assisted Solution

by:Rafael
Rafael earned 50 total points
ID: 40002928
As a follow up. I use Password Safe. It's exportable, 256 AES secure and you can even run it off a thumb drive.

http://passwordsafe.sourceforge.net/
 
LVL 93

Expert Comment

by:John Hurst
ID: 40002933
By "local password manager"  yes, I mean an installed application on the desktop. There are many, but I use an old one called Password Corral that has Blowfish encryption (and one other, I think). The passwords stored basically cannot be figured out so far as I know. Access to the manager is by strong password.

I can export the file (encrypted) and move it to my desktop computer so I have it in both places.

It is just one way, but I keep passwords, secure web addresses, software keys and so on in this manager and it keeps all this in one place.

I have considered a newer application that would also work on my iPhone but sloth has prevented that so far.

Key point:  I keep the passwords local on a very secured computer (hard drive password).
 
LVL 69

Assisted Solution

by:Qlemo
Qlemo earned 50 total points
ID: 40004026
Unless the application is able to send the output directly to an application, circumventing any keyboard and clipboard hooks, it is not safe. As has been said, you can't ensure a secure path between your password application and the input receiver without having full control over what is installed on the machine you run them.
 

Author Comment

by:alanlsilverman
ID: 40005554
Is there any way to manually clear the memory of what’s on the clipboard in a copy and paste?  My guess is that there are more computers infected with keyloggers than those with screen recordings but I’m sure there are no reliable statistics covering these probabilities, or none we might find.  I guess the issue then is trying to gauge relative safety, or a level of safety that is “safe enough, all things considered”.
 
LVL 93

Expert Comment

by:John Hurst
ID: 40005567
Trying to erase the copy contents could be messy because there are so many applications.

For Windows Copy, you can look at the article below to erase contents.

http://windowsclipboard.com/clear-clipboard/

I have not used this (no need) but it appears that you can do it.
0
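
As an added example (not part of the original thread, and not code from any tool named in it), the manual clipboard clearing asked about above can be done on Windows with the .NET clipboard API from PowerShell. The function name `Copy-SecretWithTimeout` and its parameters are hypothetical; the sample value is constructed.

```powershell
# Added example; the function name and parameters are hypothetical.
Add-Type -AssemblyName System.Windows.Forms

function Copy-SecretWithTimeout {
    param(
        [Parameter(Mandatory = $true)] [string] $Secret,
        [int] $Seconds = 15
    )

    # The Windows Forms clipboard API only works on an STA thread.
    # The PowerShell 2.0 console (Windows 7 default) is MTA unless started with -STA.
    $apartment = [System.Threading.Thread]::CurrentThread.GetApartmentState()
    if ($apartment -ne [System.Threading.ApartmentState]::STA) {
        throw 'Clipboard access needs an STA thread; start powershell.exe with -STA.'
    }

    [System.Windows.Forms.Clipboard]::SetText($Secret)
    Write-Host "Copied. Paste now; the clipboard is checked again in $Seconds seconds."
    Start-Sleep -Seconds $Seconds

    # Clear only if the clipboard still holds the secret, so that something
    # the user copied in the meantime is not destroyed.
    $stillOurs = [System.Windows.Forms.Clipboard]::ContainsText() -and
                 ([System.Windows.Forms.Clipboard]::GetText() -ceq $Secret)
    if ($stillOurs) {
        [System.Windows.Forms.Clipboard]::Clear()
        Write-Host 'Clipboard cleared.'
    } else {
        Write-Host 'Clipboard content changed; left untouched.'
    }
    return $stillOurs
}

# Usage with a constructed placeholder value:
# Copy-SecretWithTimeout -Secret 'example-only-not-a-real-password' -Seconds 20
```

Clearing only shortens the time the value sits on the clipboard; a program that was monitoring the clipboard while the value was there has already seen it.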
 
LVL 54

Expert Comment

by:McKnife
ID: 40006021
Alan,

Let's sum it up: you are seeking advice on how to handle password entries on untrusted computers. While it is surely safer to use virtual keyboards and roboform, you have been made aware that these measures can be attacked, too. Given the fact that you don't know how good the attacker is, you cannot be sure. There is no "safe enough, all things considered” to be declared here.

Had you asked: "what can I do to get the best possible safety while entering passwords", you would possibly hear "use virtual keyboard software xy, it claims to be non-interceptible by keyloggers" But who can tell? Who has the expertise to judge the capabilities of all keyloggers there are? No one.

Had you asked "is it safe to use roboform", then the answer is "no". As there are tools to monitor the clipboard, roboform cannot be seen as safe.

So if you cannot make sure it is a trusted system and if you are not able to use live systems (knoppix, win8 togo, ... - which you haven't commented on, yet), then for security's sake, you should not enter passwords/data that are/is important.
 

Author Comment

by:alanlsilverman
ID: 40008560
You've been a great help.
Thanks to all.
Al
 
LVL 93

Expert Comment

by:John Hurst
ID: 40008571
@alanlsilverman - Thank you, and I was happy to help.