Snip of Password Manager in a Word Document - Is it at All Secure?

baumgrenze

New member
Member
VIP
Local time
12:29 PM
Messages
300
Location
Charlottesville, VA
I know I should not store text passwords in an easily found Word document. That makes them too easy to find and use.

Is it equally inappropriate to open the PW manager which is part of my Mozilla browser (SeaMonkey) and find a given password/url combination and SNIP a copy and paste that into a Word document?

From a practical point of view, would anyone looking for passwords have the patience to hack into a personal computer and then hunt through thousands of documents hoping to find such an image?

thanks
baumgrenze
 

My Computer My Computer

At a glance

Win 7 Pro 64Intel Core 2 Quad Q6600 (2.4 GHz) Quad Core2 x Crucial 4GB Kit (2GBx2) DDR2 CT2KIT25664A...Sapphire Radeon HD 3870 PCIe 512 Mb
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom built by GamePC/Solid Electric - Palo Alto - on 03/10/08
OS
Win 7 Pro 64
CPU
Intel Core 2 Quad Q6600 (2.4 GHz) Quad Core
Motherboard
Gigabyte GA-P35-DS3P Intel P35 ATX (rev. 2.1)
Memory
2 x Crucial 4GB Kit (2GBx2) DDR2 CT2KIT25664AA800
Graphics Card(s)
Sapphire Radeon HD 3870 PCIe 512 Mb
Sound Card
RealTek audio on MOBO + EDIROL UA-1EX
Monitor(s) Displays
Samsung S24A450BW 24" LED monitor
Screen Resolution
1600 x 1200 at 75 Hz
Hard Drives
2 Crucial 128 Gb SSD (CT128M550SSD1)
one mounted and running Win7/Pro x64
one disconnected containing only Win10/Pro upgrade - in process
1 1TB WD Caviar Black (WD1003FZEX-00MK2A0) (Data drive)
1 2TB Seagate 2TB (PN/ 9JB1N3-576 - ST2000DM001-1ER
PSU
Seasonic S12-HT 650W 80% Efficiency Power Supply
Case
Lian Li PC-B25B
Cooling
Gigabyte Silent-Pipe
Keyboard
Dell MS Comfort
Mouse
HP x4000 wireless
Internet Speed
Sonic FTTN @ 23 Mbps
Antivirus
Avast
Browser
SeaMonkey
Other Info
BIOS: Award Software International, Inc. F6 06/18/2009

System Specs - Updated on 09//16/19
There are many levels of security passwords.
Bank and related pw are the highest level. They aren't written anywhere.
For the others, like Tenforums etc I normally have a standard pw.
I store them under a Outlook (mail) message that is stored on a huge pst file, that is compressed and encrypted. Hacker should pass trough may firewall, upload a 3GB pst file and search all my emails.

If the pw is on a text or Word file, he just need to search (as on explorer) for some key words.
 

My Computers My Computers

  • At a glance

    Windows 7 HP 64i5 6600K - 800MHz to 4200MHz4+4G GSkill DDR4 3000IG - Intel 530
    Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    custom build
    OS
    Windows 7 HP 64
    CPU
    i5 6600K - 800MHz to 4200MHz
    Motherboard
    GA-Z170-HD3P
    Memory
    4+4G GSkill DDR4 3000
    Graphics Card(s)
    IG - Intel 530
    Monitor(s) Displays
    Samsung 226BW
    Screen Resolution
    1680x1050
    Hard Drives
    (1) -1 SM951 – 128GB M.2 AHCI PCIe SSD drive for Windows 7 and Lubuntu
    (2) -1 WD SATA 3 - 1T for Data
    (3) -1 WD SATA 3 - 1T for backup
    PSU
    Thermaltake 450W TR2 gold
    Keyboard
    Old and good Chicony mechanical keyboard
    Mouse
    Logitech mX performance - 9 buttons (had to disable some)
    Internet Speed
    500Mb/s
    Browser
    Firefox 64
    Other Info
    TinyWall firewall
  • At a glance

    Windows 7 Proi7-4500U 800MHz to 3.0GHz(4+4)G DDR3 1600IG intel 4400 + NVIDIA GeForce GT 745M
    Computer type
    Laptop
    System Manufacturer/Model Number
    Asus Q550LF
    OS
    Windows 7 Pro
    CPU
    i7-4500U 800MHz to 3.0GHz
    Motherboard
    Asus Q550LF
    Memory
    (4+4)G DDR3 1600
    Graphics Card(s)
    IG intel 4400 + NVIDIA GeForce GT 745M
    Sound Card
    Realtek
    Monitor(s) Displays
    LG Display LP156WF4-SPH1
    Screen Resolution
    1920 x 1080
    Hard Drives
    BX500 120G SSD for Windows and programs +
    1T HDD for data
    Internet Speed
    500 Mb/s
    Browser
    Firefox
    Other Info
    TinyWall firewall
I know this is a dated thread, but found the topic interesting and my comment here as well as the question still relevant 1 year later, so here I am :p

This is still insecure, and I guess about as insecure as storing your passwords in a plain text file or as text in a word document. From a practical point of view, I don't find it to be better or worse, and bad in both cases.

As always in security, the very first thing to consider is who is your attacker? What are trying to defend against? Without that clearly defined, "secure" and "insecure" are meaningless.

Let's suppose that someone is looking for passwords in your computer. If he has enough time to borrow your keyboard and snop in the machine, seeing a file called "passwords.txt" or "passwords.bmp" is the same thing, he already won no matter is it's an image or plain text. You could make his life harder by using more difficult names, but again, the file format doesn't matters, it's still a double-click away from leaking.
Will someone really have the patience to search for such a file? It depends how determined your attacker is, a casual shoulder-surfer won't care that much, but someone who really wants to harm or spy on you certainly will.

Against online threats? Only matters if you upload the file to some server and the server happens to be malicous to snop for passwords specifically. Automated attacks often don't even look for password files, and if a bad guy gets the file (a human bad guy I mean), he'll understand an image the very same way as a text file.

If a malware gets installed on your system and it leaks some of your files, most likely some automated server scrubbing files. It's more likely that they'll be looking for patterns of access for deliver "personalized ads" rather than looking for passwords (this is exacly what big corporations like Microsoft or Google do). for really malicious spyware, keyloggers are more frequent than stealing files. Or if they really are looking for passwords (unfortunately, insecure storage is common) they'll look by filename first, rather than searching contents for the word "passwords". And if an human being ends up looking at the file, the difference is gone.
BTW, in any case, if a malware hits you must reformat immediately.

The real security comes from using safe password stores. Instead of a text file or an image, use a password manager (and I mean a REAL password manager, not the "remember my password" choice from browsers). Those not only keep your keys encrypted on disk, but also minimize their exposure in memory, creates strong random passwords for you and helps fill out login forms. Notepad can't do anything from those, much less Paint.


Bank and related pw are the highest level. They aren't written anywhere.

This is exaclty the opposite of what you should be doing. By not writing your most important passwords it means that you must memorize them, which in turn means they must be weak for you to remember them (people have a really hard time remembering strong passwords). Your most important passwords must be generated by a good password manager and filled by it when required, with you don't even knowing your own password.


For the others, like Tenforums etc I normally have a standard pw.

Password reuse is another great mistake. Just because you don't care about an account don't mean a hacker won't. Having unique passwords prevents a leak in one site to affect another, this protects against malicious site owners and against a hacked site leaking credentials.
Again the solution is the same, just use a password manager like other important accounts. It takes virtually no effort to have a unique, strong password for each and every site.


I store them under a Outlook (mail) message that is stored on a huge pst file, that is compressed and encrypted. Hacker should pass trough may firewall, upload a 3GB pst file and search all my emails.

More often than not, those "hidden" passwords will leak though someone borrowing your keyboard rather than a security leak. Hackers simply don't "pass though firewalls and upload files", it doesn't works like that. Keylogging and clipboard snooping are much more frequent, and no program protects against those.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64Intel Core i7-740QM8 GB DDR3NVIDIA GeForce 330GT
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba Sattelite A665-S6092
OS
Windows 7 Ultimate x64
CPU
Intel Core i7-740QM
Memory
8 GB DDR3
Graphics Card(s)
NVIDIA GeForce 330GT
Screen Resolution
1366x768
Hard Drives
Samsung 840 SSD 500GB
1TB USB3 external HD
Cooling
Coolermaster Notepal U3 notebook cooling pad
Internet Speed
3mbps ASDL
Antivirus
ClamWin 0.98.7
Browser
Opera 12.17 x86 (main), Firefox 38 (sec), IE11 (last resort)
Back
Top