
I feel like I have a very common problem. I have too many passwords to remember, as well as PINs for credit/debit cards, access codes for doors at my workplace or combination locks. I don't seem to be able to remember all of them no matter how hard I try, and not remembering one of them at the time I need it can be inconvenient.

I am looking for a way to securely store passwords and PINs. The method should be

  1. secure against compromised websites, i.e. if someone breaks the database of site A and manages to obtain my password for A in plaintext, he should not get any information about my password for site B
  2. secure against a compromised local machine, i.e. if someone installs malware on my laptop he should still be unable to get my PIN codes and other passwords that are not used on the compromised machine
  3. secure against theft, i.e. the method should not involve a physical token that, if it gets stolen, will allow a thief to empty all my accounts.
  4. portable, i.e. it should work without me sitting in front of my computer, for example at an ATM or when paying in a shop.
  5. secure against data loss, i.e. I want to be able to make backups in case of device failure, theft, etc.

That rules out a few approaches that I am aware of and that have been previously discussed:

  • reusing passwords is against (1)
  • writing down passwords on a sheet of paper is against (3) and (5)
  • a password manager on my computer (online or offline) is against (4) and (2)
  • generating passwords in my head is against (1) and (2) unless the method itself is secure. Otherwise this is essentially security through obscurity and can only work as long as not too many people use the same method.
  • a physical token that contains lots of characters to "generate" passwords by choosing a different starting point or pattern to pick letters from that token. There is a problem with rule (3) if the method is known or too simple, or (1) and (2) if the method is simple and the token happens to be a book or something else widely known. Again, it smells like security through obscurity. In addition, it is hard to backup securely (5).
  • encrypting data on a sheet of paper and decrypting it manually either uses an insecure method, or sounds like something that I can't do in my head (I am happy if somebody corrects me on this one). Note that even doing it on paper is not a good idea in a supermarket if that means that I have to securely destroy the paper on which I worked out my PIN after each use.

My question is therefore: Is there any way to store/memorize passwords that satisfies the above requirements? One possibility that comes to my mind is a dedicated device that can perform AES decryption, so I could store passwords that were encrypted with a master password on my smartphone, and then use that dedicated device to obtain a plaintext password by entering the encrypted password and the master password. I would be particularly interested in a method that I can use without any tools, or using portable devices that I can buy easily/cheaply on the open market, as long as I can be reasonably sure that the device does not reveal my passwords. Of course it would be great if the method was easy and quick to use.

I don't consider myself a high profile target, so I am willing to assume that I could buy something like a pocket calculator on Amazon without somebody fitting a hidden GSM module in it. I am however not willing to assume that a given smartphone or computer does not have a trojan horse installed.

user3657600

  • Would you trust an old phone that doesn't have network connectivity and has WiFi turned off? – Neil Smithline Jan 23 '16 at 17:51
  • A safe and a paper notebook will do. – Deer Hunter Jan 23 '16 at 17:51
  • @DeerHunter Paper notebook can be stolen if not in a safe, and a safe is not very portable. – user3657600 Jan 23 '16 at 18:22
  • @NeilSmithline No, if there is no way to physically prevent it from communicating I wouldn't like to trust it. – user3657600 Jan 23 '16 at 18:24
  • Even if you keep said notebook on you at all times? Chained to your hand in a steelcase with an antitampering device? Remember: when in doubt, C4. – Deer Hunter Jan 23 '16 at 18:51
  • @NeilSmithline You say that the scenario seems unreasonable and the comment by DeerHunter suggests the same. Can you help me understand why? I don't think that I am the only person who has trouble remembering PINs, especially of cards that I rarely use. Banks are unhappy if I write them down anywhere, and there is a lot of malware around to steal passwords. Sure, if I am the only one to use a particular trick (as suggested by the answer) this is an option, but it will fail as a guideline for the average user if too many do it and the method is not secure or too complicated. – user3657600 Jan 24 '16 at 15:01
  • I think that requiring a network incapable device is atypical. I believe most people would feel secure with a phone without network service and WiFi disabled. In that case, it is less of a phone and more of a pocket computer. BTW, I said "somewhat unreasonable", that was intended to be softer than simply "unreasonable". – Neil Smithline Jan 24 '16 at 15:07
  • @NeilSmithline wouldn't this become insecure if too many are using it? If the common advice e.g. by a big bank was that old phones should be used as pocket computers to store PINs, then as a malware programmer I would try to harvest passwords from such phones e.g. by infecting them while they are still used as primary phones. Granted, this may never happen as the return for this investment would be delayed by months or even years, or because there is more time to detect such malware before it becomes active. Do you think I should lift this requirement to get better answers? – user3657600 Jan 24 '16 at 15:25
  • If you are worried that much, switch to Windows Phone and use a reputable password manager & only have reputable apps. WP10 is currently far and away the most secure of the current platforms with no known current external exploits. You are FAR more likely to fall prey to shoulder surfing or in-shop card fraud or remote fraud than you would to a compromise of a decent password mgr. As in my other comments, banks will be delighted that you are taking sensible measures to protect yourself, you don't need to go mad. – Julian Knight Jan 24 '16 at 18:06
  • @JulianKnight I think this comment is a great piece of information, together with the information in your other comment that banks will usually be happy if you manage things reasonably. I will accept your answer, even though your comments actually helped me more. – user3657600 Jan 24 '16 at 23:01
  • I think "password manager in my computer" while you're right it will definitely not help with point (2), it *can* work with point (4) since most password managers have a mobile option or port to work on smartphones. – Ben Apr 26 '17 at 16:28

3 Answers


I think that you are over-thinking things! Also, you are not being realistic about the risks.

Also remember that any password is "security through obscurity" so it isn't always the "bad boy" it is made out to be.

So, a sensible approach might be a hybrid.

  • Low sensitivity logins - use a password manager. Most have various protections to help reduce the risk of malware hijacking data. Many also have 2-factor authentication capabilities which mitigate many issues. Examples: forums.
  • Medium sensitivity logins - use the password manager for convenience but add 2-factor authentication for security. Typically using your phone or some other hardware device such as a token. Soft tokens like Google Authenticator can be good as they are not totally dependent on one piece of hardware. Examples: social media.
  • High sensitivity logins - Store part of the password in your password manager and use a pattern to keep the rest in your head but still make it unique for each site! Also use 2-factor auth if available. Example: banking and finance

There are certainly many more ways to cut this. The main thing is to think about the risks sensibly and don't make life hell just to try and deal with a risk that is tiny or indeed an impact that would be tiny.

Julian Knight

  • Security through obscurity refers to an algorithm being hidden to make something secure, not a secret such as a password. – Neil Smithline Jan 24 '16 at 03:17
  • BTW, I don't think that you really answered the question. Not really your fault as the OP is presenting a somewhat unreasonable scenario. – Neil Smithline Jan 24 '16 at 03:19
  • @JulianKnight why do you think I am not realistic about the risks? I agree with you that less security is needed e.g. for my StackExchange password, but what about PIN numbers? My password manager won't be helpful here, and if I write them down in any way I might be liable for the full damage if my wallet gets stolen and the bank finds out about this. Or should I not be worried because a thief will only have three attempts, so even a very simple ad-hoc encryption will do? – user3657600 Jan 24 '16 at 15:10
  • From the Q it seemed so. By PIN's do you mean credit/bank cards? Mine are all in a secondary PW mgr that is not cloud based but has clients for mobile as well as desktop should I not remember one. Use a STRONG master code you remember. A reputable bank will give you credit for managing things safely - I know, I used to work for one :) In most countries you will NOT be liable if you demonstrate reasonable care. Certainly not in the UK/EU/US. – Julian Knight Jan 24 '16 at 18:02
  • The scenario is completely unreasonable. Password vaults on the market almost meet all of @user3657600's requirements, but not entirely. This is really surprising. Using a mobile phone is always going to be less secure and less practical, it's definitely not a solution. That's why security devices exist. The solution would be a device that can act as a keyboard (Mooltipass, OnlyKey) for easy and interoperable use on computers. It needs a display to show the password in case you can't use the device as a keyboard, e.g. ATM. It needs to be encrypted and/or tamper resistant (Mooltipass). – Mat May 05 '18 at 10:58
  • Almost all of existing security devices are PIN-protected and supposed to be tamper resistant. However, they always fail for one of the requirements. Mooltipass has a display but never displays the password directly I believe. OnlyKey does not have a display. Nitrokey can leak all your passwords if the host computer is compromised, does not have a display and requires additional software. The solution would be to use a Mooltipass. To see the password for ATM, use your phone and Mooltipass. It's still not secure as it does not protect against compromised phones. – Mat May 05 '18 at 11:02
  • I meant reasonable* – Mat May 05 '18 at 16:17
  • My response was based on the comment "I don't consider myself a high profile target". The request **is** over-thought and the OP hasn't evaluated the risk sensibly. The majority of people are far better off using a good software solution that is easy to use rather than trying to go for "perfect". – Julian Knight May 06 '18 at 15:33
  • It is good that there are now hardware security devices with screens and keyboards but it is another thing to be lost and more complexity in the lives of people with better things to do. Keep it simple and reasonably secure, rely on the bank to sort out anything else - unless you are a high-risk individual or live/work in a high-risk area. – Julian Knight May 06 '18 at 15:35

Interesting question.

Your points:

  • secure against compromised websites, i.e. if someone breaks the database of site A and manages to obtain my password for A in plaintext, he should not get any information about my password for site B

  • secure against a compromised local machine, i.e. if someone installs malware on my laptop he should still be unable to get my PIN codes and other passwords that are not used on the compromised machine

  • secure against theft, i.e. the method should not involve a physical token that, if it gets stolen, will allow a thief to empty all my accounts.

  • portable, i.e. it should work without me sitting in front of my computer, for example at an ATM or when paying in a shop.

  • secure against data loss, i.e. I want to be able to make backups in case of device failure, theft, etc.

  • would be particularly interested in a method that I can use without any tools, or using portable devices that I can buy easily/cheaply on the open market, as long as I can be reasonably sure that the device does not reveal my passwords.

Well, it's not going to be pretty, but this can meet the "not networked" part, and the easily/cheaply part.

Buy a Raspberry Pi - preferably a Pi 2 B for speed and RAM, or a Pi A plus a USB hub if you don't want the Ethernet port. No Pi comes with Wifi, so you're safe there, at least.

Buy a touchscreen for it. Set that up. And maybe a portable keyboard/touchpad combination.

Set it up with Raspbian without any swap space at all, and install KeePassX on it.

Buy a USB power bank like an Anker Powercore so you can run the Pi remotely.

Alternately, get any kind of laptop or notebook and remove the networking hardware completely - Wifi on most of the larger ones is a mini-PCIe card, trivial to remove. Ethernet, well, fill the port with superglue. Again, install KeePassX (or KeePass).

Ideally, install LUKS (Linux) or Veracrypt (if you insist on Windows) full disk encryption as well.

Buy a few FIPS 140-2 Validated USB storage devices, like the cheaper Apricorn AEGIS Secure Key USB2.0 (they also have much larger USB3.0 drives, at a somewhat higher price).

Put your KeePassX database on your Apricorn drive; back up from one Apricorn to another.

Use this device, and insert your Apricorn only when actively getting passwords. Always remove the Apricorn as soon as you're done.

Now you have cheap hardware and no vendor lock-in at all.

The malicious websites and compromised machines can only get what you type into them; they never have access to the database.

If it's all stolen while powered off, the attacker primarily needs to get past the Apricorn password (where ten incorrect tries in a row wipes the drive, and it's validated to be tamper-resistant in the first place), and then past the KeePass password as well.

It's portable - more portable than old bagphones, even with the Raspberry Pi + battery + keyboard example.

It's secure against data loss - copy from Apricorn A to Apricorn B kept at home, Apricorn C kept in a safe deposit box, etc.

Anti-weakpasswords

You could use the new Pi Zero to do just that. The low form factor makes it ideal as a peripheral for precisely this reason. Also remember, you don't need all your passwords with you.

m2kin2