Windows 7 Forums

Windows 7: Storing Passwords?

24 Oct 2014   #1
paulyjames

Windows 7 Home Premium 64 Bit
 
 
Storing Passwords?

I have many accounts on many different sites. Read to not use same password on same site for obvious reasons. I have all my usernames/passwords on my computer in a Microsoft Office sheet and also on my USB as well. Obviously if I lose it, that's very bad because it has the site and the password in it.


First off, how does one lock a document? I know when someone sent me an Adobe document, I couldn't open it without entering a password that they told me. So basically whenever I try to open the same document that is saved on the computer, it requires the password. Can someone tell me how I would be able to do this for Word documents? I have OpenOffice by the way and not Microsoft Word on this computer.


Also is there a place to store it online? I heard someone mention KeePass. I downloaded it but not sure how it really works. So basically you only need to remember 1 password right? Then when you access it, you have all the passwords for each site you have on it? How does one even put the password in KeePass? Are you supposed to type it manually or transfer a document to it such as an OpenOffice or Microsoft Word or WordPad or Excel sheet, because I'm not sure how that works. Also is KeePass very safe? Thus if someone hacks your account, then they would have all the passwords. So would it be a good idea to just put passwords in it but don't put the actual site to it and just recall which password is which site when you see all the passwords, if that makes sense?


24 Oct 2014   #2
logicearth

Windows 10 Pro (x64)
 
 

Try Lastpass instead. It will not only store your passwords securely, it will store them in an ever accessible cloud for all your computers. But be warned: if you forget your master password for Lastpass, you lose all your passwords. Lastpass cannot recover your data without your master password.

Oh and you can set up two-factor authentication with Lastpass, making it even more secure.
24 Oct 2014   #3
bigmck

Windows 7 Home Premium 32-Bit - Build 7600 SP1
 
 

If no one accesses your PC, there is not much to worry about. If they do, you can have the normal password to access your Profile. Even if someone breaks your Profile Password, you can store your list of Website Passwords under three layers of Folders and they will be pretty well hidden. That is what I do.

24 Oct 2014   #4
Boozad

W7 Pro x64 SP1 | W10 Pro IP x64 | W8.1 Pro x64 VM | Linux Mint VM
 
 

Quote: Originally Posted by logicearth
Try Lastpass instead. It will not only store your passwords securely, it will store them in an ever accessible cloud for all your computers. But be warned: if you forget your master password for Lastpass, you lose all your passwords. Lastpass cannot recover your data without your master password.

Oh and you can set up two-factor authentication with Lastpass, making it even more secure.

Can you edit passwords on a regular basis? I use an Excel file at the moment seeing as only I use my PC but that sounds decent.
24 Oct 2014   #5
logicearth

Windows 10 Pro (x64)
 
 

Quote: Originally Posted by Boozad
Can you edit passwords on a regular basis?

Of course. Edit and change as much as you want.
25 Oct 2014   #6
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Password security

Well it's just my opinion but if software can recover your passwords from files then any user with access to your PC can recover them hidden or not - unless they're encrypted.

[Image: password-sweeper.jpg]

I guess the bottom line is that if you can view/recover passwords using forensics tools then so can malware - potentially - if it manages to sneak onto your system undetected.


25 Oct 2014   #7
cyberSAR

Windows 7 Pro 64-bit
 
 

Spend a little time playing with Keepass and I think you can pick it up. I use it with thousands of passwords (I have many clients I maintain) and it works great. It is easily searchable and you can create groups etc. to set it up how you like.

You can get started by importing your current passwords in either csv or xml formats: File Formats - KeePass
25 Oct 2014   #8
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by paulyjames
~~~
First off, how does one lock a document?
~~~
I've never considered this a safe way to store important info, so I've not kept up on how to lock a document. You could encrypt the document using the Operating System or a 3rd party tool, but you are better off using a tool (like KeePass) that was designed for the task at hand. KeePass is a mature product and it takes care of security issues that you and I don't understand.




Quote: Originally Posted by paulyjames
~~~
Also is there a place to store it online?
~~~
Yes, but keeping it (your document or your KeePass database file) out of the hands of others is now back in your hands. You would need to stay educated on the issues related to cloud storage security.




Quote: Originally Posted by paulyjames
~~~
...I heard someone mention keepass. I downloaded it but not sure how it really works. So basically you only need to remember 1 password right?
~~~
Correct. In its simplest mode of operation, you only need to remember one password.




Quote: Originally Posted by paulyjames
~~~
...Then when you access it, you have all the password for each site you have on it?
~~~
Correct.




Quote: Originally Posted by paulyjames
~~~
...How does one even put the password in keepass? You suppose to type it manually or transfer a document to it such as an openoffice or microsoft word or wordpad or excel sheet on it because im not sure how that works.
~~~
You can type it all in or import your existing info. cyberSAR provided info on importing... but I would consider typing it in and taking this opportunity to change the password for your important accounts. Humans are not very good at picking random passwords. KeePass can create better passwords for you.

I started using KeePass many years ago and I too found it hard to figure out the first steps to do to get started. For this post, I had a hard time finding a video that stuck with the simple steps of getting started. Most videos dealt with advanced features or using KeePass along with browser plugins.

See if this video helps you:

I'm not associated with or recommending the company mentioned in the video.

In the video she shows right clicking on an entry and selecting various actions from the context menu. You can also open a URL by double clicking on that URL area for the entry of interest. Double clicking does not show up well in a video - so maybe that is why she opted for the slower right-click method. You can also Double click on the password area for an entry and the password will be copied to the Windows clipboard. Then (as shown in the video) you paste it into the browser field of interest.

There is some risk involved in using the Windows clipboard, so KeePass (by default) clears the clipboard after a few seconds. There is an option to have KeePass clear the clipboard info after one paste operation has occurred, but if your computer is infected with an app that is recording your clipboard operations and your antivirus app has not detected that - then you have bigger problems than how long info stays in the OS clipboard.

I tend to copy/paste the password first, then copy/paste the user ID. The password is in the clipboard the least amount of time. There are 3rd party apps that pass info to browser fields without using the OS clipboard, but then you have to research and stay informed about any security related issues with those apps.




Quote: Originally Posted by paulyjames
~~~
...Also is keepass very safe?
~~~
A perfectly good question ---- that is hard to answer. I could just say, "Yes, KeePass is safe". But I'm not sure how or why that would satisfy you. I could provide links to papers/blogs/videos about why it is safe, but the info gets deep into terms and concepts that most people would not understand. It is possible to break into a KeePass database and (according to this website) it is possible to do so in a reasonable amount of time using regular computers (not super computers). The info on that website does not disclose how to get into the KeePass database - so I hope that I'm still within the forum's rules.

I will still use KeePass and accept the slight risk that someone wants into the file.




Quote: Originally Posted by paulyjames
~~~
...Thus if someone hacks your acct, then they would have all the passwords. So would it be good idea to just put passwords in it but dont put the actual site to it and just recall which password is which site when you see all the password if that makes sense?
~~~
That sounds like a good plan, but I have too many accounts/websites/things to remember.




logicearth mentioned Lastpass and even with its security flaws/weaknesses, Lastpass is still a good option - if you are careful. I've not used Lastpass, but I'm not sure that it would work for me. I use KeePass to track info that is not related to the internet. The note section for each KeePass entry is a good place to keep info like the date/name of the person that I spoke to when renewing contracts. I can record order confirmation codes, pricing offers or anything else that I need to.





Edit: I'll add a note from my experience using software to generate passwords. As shown in the video, you can let KeePass (or Lastpass) create passwords for you and they can be long passwords because you don't need to remember them. However, some websites (and applications) will accept the long passwords and silently only use some of the characters. In other words, let's say that you let the software create a password that is 15 characters long. You go to the website's interface for changing passwords and paste in your new 15 character password. Everything appears to have worked. There were no errors during the password change process and the website makes no mention of the number of password characters allowed. But when you test logging on, it fails.

[I had run into this before with a VNC password. The UltraVNC password change interface accepts "long" passwords but only uses the first 8 characters. But when it comes time to actually use the password, the UltraVNC interface accepts more than 8 characters - then fails to authenticate you. Once you know about the 8 character limit, you can simply use the first 8 characters of the password.]

I figured that the same sort of thing was happening with the website. If I could contact a human and find out the password character limit, I could just change my KeePass info to match that limit. I called, but the human would not tell me the character limit! They would only reset the password. Experimentation determined the limit to be 12 characters... then I closed the account.
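The silent-truncation problem UsernameIssues describes in post #8, as an added example that is not part of the original post: a password-change path that keeps only the first 8 characters while the login path uses everything typed, next to a version that rejects over-long input, plus a self-check to run against your own account right after a change. The class names, the 8 and 64 character limits and the sample password are constructed for illustration, and scrypt is an assumed stand-in for whatever hashing a real service uses.

```javascript
const nodeCrypto = require('node:crypto');

// Salted password hash; scrypt is an assumption made for this example.
const kdf = (pw, salt) => nodeCrypto.scryptSync(pw, salt, 32);

// Flawed: the change path silently keeps 8 characters, the login path does not.
class TruncatingService {
  constructor() { this.salt = nodeCrypto.randomBytes(16); }
  setPassword(pw) { this.stored = kdf(pw.slice(0, 8), this.salt); }
  login(pw) { return nodeCrypto.timingSafeEqual(kdf(pw, this.salt), this.stored); }
}

// Corrected: one rule on both paths, and over-long input is refused out loud.
class StrictService {
  constructor(maxLen = 64) {
    this.maxLen = maxLen;
    this.salt = nodeCrypto.randomBytes(16);
  }
  setPassword(pw) {
    if (pw.length > this.maxLen) {
      throw new RangeError(`password exceeds ${this.maxLen} characters`);
    }
    this.stored = kdf(pw, this.salt);
  }
  login(pw) {
    return pw.length <= this.maxLen &&
      nodeCrypto.timingSafeEqual(kdf(pw, this.salt), this.stored);
  }
}

// Self-check after changing a password on your own account: does the full
// password log in, and what is the shortest prefix that is also accepted?
function auditPasswordChange(service, pw) {
  service.setPassword(pw);
  const fullWorks = service.login(pw);
  let effectiveLength = fullWorks ? pw.length : null;
  for (let n = pw.length - 1; n >= 1; n--) {
    if (service.login(pw.slice(0, n))) effectiveLength = n;
  }
  return { fullWorks, effectiveLength };
}

const generated = 'q7Vd2mXw9LrT4kZ'; // constructed 15-character sample
const flawedResult = auditPasswordChange(new TruncatingService(), generated);
const strictResult = auditPasswordChange(new StrictService(), generated);
console.log(flawedResult, strictResult);
```

An `effectiveLength` shorter than the generated password means the stored entry in the password manager should be trimmed to that length, and that the account has less protection than the generator settings suggest.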
25 Oct 2014   #9
logicearth

Windows 10 Pro (x64)
 
 

Quote: Originally Posted by UsernameIssues
logicearth mentioned Lastpass and even with its security flaws/weaknesses..

I'm curious what flaws and weaknesses are those? If syncing to the cloud is what you are referring to, then no, that is not an issue. Even if the Lastpass servers are compromised your data is not. Everything is done locally on your machine; all you send to Lastpass is an encrypted blob of data. Your password is never even transmitted to Lastpass. Thus if you forget your password for any reason, Lastpass CANNOT recover your data.

Now unless you know a way to break AES-256 encryption with PBKDF2 then please tell us. (Outside of brute forcing weak passwords, that is a given.)

Not to mention with Lastpass you can even set up two factor authentication, improving security.
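The model logicearth describes in post #9 (a key derived locally from the master password, with only an encrypted blob leaving the machine), as an added example that is not part of the original post and is not LastPass's code: PBKDF2 produces an AES-256 key, and the sealed object is all a sync server would hold. The GCM mode, iteration count, blob layout, function names and sample entry are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const ITERATIONS = 100000; // assumed work factor for this example

// Stretch the master password into a 256-bit key; this runs on the client only.
function deriveKey(masterPassword, salt, iterations = ITERATIONS) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, iterations, 32, 'sha256');
}

// Encrypt the vault locally. The returned object is what gets synced:
// salt, IV, tag and ciphertext, never the master password or the key.
function sealVault(masterPassword, entries) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { iterations: ITERATIONS, salt: b64(salt), iv: b64(iv),
           tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Decrypt on the client. A wrong master password (or a tampered blob) fails the
// GCM tag check, which is why a forgotten master password means lost data.
function openVault(masterPassword, blob) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(masterPassword, raw(blob.salt), blob.iterations);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(blob.iv));
  decipher.setAuthTag(raw(blob.tag));
  try {
    const pt = Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // no key, no data
  }
}

// Constructed sample vault with a single entry.
const sampleEntries = [{ site: 'example.test', user: 'alice', password: 'Tr0ub4dor-constructed' }];
const syncedBlob = sealVault('correct horse battery staple', sampleEntries);
console.log(Object.keys(syncedBlob));
console.log(openVault('correct horse battery staple', syncedBlob));
console.log(openVault('wrong guess', syncedBlob));
```

The salt and iteration count only slow down guessing; a weak master password remains guessable offline by anyone who obtains the blob, which is the brute-force caveat in the post.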
26 Oct 2014   #10
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by logicearth
Quote: Originally Posted by UsernameIssues
logicearth mentioned Lastpass and even with its security flaws/weaknesses..
I'm curious what flaws and weaknesses are those? If syncing to the cloud is what you are referring to, then no, that is not an issue. Even if the Lastpass servers are compromised your data is not. Everything is done locally on your machine; all you send to Lastpass is an encrypted blob of data. Your password is never even transmitted to Lastpass. Thus if you forget your password for any reason, Lastpass CANNOT recover your data.

Now unless you know a way to break AES-256 encryption with PBKDF2 then please tell us. (Outside of brute forcing weak passwords, that is a given.)

Not to mention with Lastpass you can even set up two factor authentication, improving security.

Google seemed to find articles mentioning several flaws. I did not read about each one to see how likely the flaw is to be exploited (i.e. how many unlikely things must fall into place before an exploit can be successful).

Here are two old (and hopefully fixed) flaws that I came across:

Perhaps I'm reading page 8 of this PDF wrong...
http://devd.me/papers/pwdmgr-usenix14.pdf
...but it sounds like every set of credentials could be stolen.

Quote:
LastPass Bookmarklet Attack. Figure 4 illustrates how a malicious web application evil.com can steal Alice's credential for dropbox.com. When Alice visits the attacker's site evil.com and clicks her LastPass bookmarklet, the attacker uses any of a number of hijack techniques [1, 8] (e.g., Function.toSource) and extracts both h and _LASTPASS_RAND. Then, the attacker imitates Step 6 from Figure 3 (as Step 2 here) by writing a <script> tag with src set to lastpass.com/bml.php?u=dropbox.com and adding the parameters rh (any string of length 64), r (any number), and h (from the bookmarklet).
The downloaded script, which runs on the attacker's page, includes all the information needed to decrypt credential for dropbox.com (notably, key_rand_encrypted). Again, the attacker uses the JavaScript hijack technique to extract out the encrypted credential and decrypts them with the _LASTPASS_RAND value stolen earlier. The attacker can repeat the attack to steal all of Alice's credentials, violating the confidentiality of the credential database.
Page 9 goes on to talk about a second flaw.

Here is another take on the two flaws mentioned in that PDF:
http://blog.lastpass.com/2014/07/a-n...-lastpass.html
Quote:
In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities with the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs).
The weakness in LastPass that I mentioned stems from using a web browser as part of password management. That seems like a dangerous app to try and keep so many accounts secure. I'm not the only person to hold that opinion - but I would still suggest that people use LastPass vs. using one weak password everywhere.

LastPass has to rely on many parts/apps to its security equation. That is harder to pull off than the simpler KeePass model. Here is a flaw that probably was not exploited:
http://blog.lastpass.com/2014/07/goo...rity-flaw.html



Can you tell me if LastPass lends itself to keeping passwords for say UltraVNC connections? Would I just create an entry that does not really link to a website? Can LastPass organize entries by folders? Thanks for your time.