Solved

Is it safer to copy and paste or type in passwords?

Posted on 2014-04-15
13
875 Views
Last Modified: 2014-04-18
I use Roboform Everywhere for my passwords, on my own desktop computer at home, when I'm traveling with a laptop and occasionally when I'm on someone else's computer.
I have Windows 7, 8 and even an XP machine at home.  

Even when I'm on my own computer I try to use their virtual keyboard to put in my master password or copy and paste from an excrypted file. I've assumed this is safer than typing, because of the possibility of keyloggers.  Is this assumption correct?  
 
Is it safe to use Roboform Everywhere on public computers?

Thanks,
Al
0
Comment
Question by:alanlsilverman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
  • +2
13 Comments
 
LVL 96

Accepted Solution

by:
Experienced Member earned 200 total points
ID: 40002782
I use a local password manager and only on my own computers. The data is encrypted and access is only by password.

I never know what might afflict someone's computer that is not mine. Also, Copy leaves tracks for as long as the user is logged on (copy tracks go away on restart, log off, or shutdown).

So I guess I would be concerned with either approach, but if the copy is encrypted as you say it is, then it is probably OK.

Yes, I would be concerned about key loggers in an unfamiliar environment.
0
 
LVL 10

Expert Comment

by:Rafael
ID: 40002783
You can but it's not best practice as you may have a inadvertent character added or deleted.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 40002829
Anything that is processed on an untrusted computer can be read out/ intercepted/ sniffed/ decrypted/whatever - with enough effort, everything is possible. Don't use untrusted computers of any kind in any way to process any "interesting" data.

There are keyloggers that may not be able to catch all keystrokes typed on all types of virtual keyboards, yes, but so what? the computer remains untrusted. It could do screen recordings and many more and you would not even know.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 55

Expert Comment

by:McKnife
ID: 40002834
Ok, 2nd try :)
Of course will using methods that differ from standard use cases/setups defeat most possible attacks. You would however leave in uncertainty.
For using untrusted computers, you should carry some sort of live system with you (knoppix/windows 8 to go).
0
 

Author Comment

by:alanlsilverman
ID: 40002924
John Hurst,
By "local password manager" you mean like the installed desktop version of Roboform or LastPass?  Do you type in your master password or use a virtual keyboard, or, like me, copy and paste?

 rcaballerojr, I'm not sure what you mean, 'have a character added or deleted'.  If that's in pasting in the master password, it would just mean the password would be rejected.
0
 
LVL 10

Assisted Solution

by:Rafael
Rafael earned 50 total points
ID: 40002928
As a follow up. I use Password Safe. It's exportable, 256 AES secure and you can even run it off a thumb drive.

http://passwordsafe.sourceforge.net/
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40002933
By "local password manager"  yes, I mean an installed application on the desktop. There are many, but I use an old one called Password Corral that has bowfish encryption (and one other, I think). The passwords stored basically cannot be figured out so far as I know. Access to the manager is by strong password.

I can export the file (encrypted) and move it to my desktop computer so I have it in both places.

It is just one way, but I keep passwords, secure web addresses, software keys and so in this manager and it keeps all this in one place.

I have considered a newer application that would also work on my iPhone but sloth has prevented that so far.

Key point:  I keep the passwords local on a very secured computer (hard drive password).
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 50 total points
ID: 40004026
Unless the application is able to send the output directly to an application, circumventing any keyboard and clipboard hooks, it is not safe. As has been said, you can't ensure a secure path between your password application and the input receiver without having full control over what is installed on the machine you run them.
0
 

Author Comment

by:alanlsilverman
ID: 40005554
Is there any way to manually clear the memory of what’s on the clipboard in a copy and paste?  My guess is that there are more computers infected with keyloggers than those with screen recordings but I’m sure there are no reliable statistics covering these probabilities, or none we might find.  I guess the issue then is trying to gauge relative safety, or a level of safety that is “safe enough, all things considered”.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40005567
Trying to erase the copy contents could be messy because there are so many applications.

For Windows Copy, you can look at the article below to erase contents.

http://windowsclipboard.com/clear-clipboard/

I have not used this (no need) but it appears that you can do it.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40006021
Alan,

let's sum it up: you are seeking advice on how to handle password entries on untrusted computers. While it is surely safer to use virtual keyboards and roboform, you have been made aware that these measures can be attacked, too. Given the fact that you don't know how good the attacker is, you cannot be sure. There is no "safe enough, all things considered” to be declarated here.

Had you asked: "what can I do to get the best possible safety while entering passwords", you would possibly hear "use virtual keyboard software xy, it claims to be non-interceptible by keyloggers" But who can tell? Who has the expertise to judge the capabilities of all keyloggers there are? No one.

Had you asked "is it safe to use roboform", then the answer is "no". As there are tool to monitor the clipboard, roboform cannot be seen as safe.

So if you cannot make sure it is a trusted system and if you are not able to use live systems (knoppix, win8 togo, ... - which you haven't commented on, yet), then for security's sake, you should not enter passwords/data that are/is important.
0
 

Author Comment

by:alanlsilverman
ID: 40008560
You've been a great help.
Thanks to all.
Al
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40008571
@alanlsilverman - Thank you, and I was happy to help.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Liquid Web and Plesk discuss how to simplify server management with a single tool  in their webinar.
Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses
Course of the Month6 days, 19 hours left to enroll

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question