Web lists-archives.com

Chaniging focus: security ouitside a password manager (was: Re: Password Manager opinions and recommendations)




Just continuing to think (or maybe not think ;-) about password managers /  
password security, changing the focus slightly (I think) but keeping the same 
thread.

I'm now thinking about the security (or vulnurability) of passwords during 
"normal" usage--I mean, I'm thinking about the times when a password, even 
though stored in a very secure manner (in a password manager or encrypted 
file(s) of some sort), the password is viewable in plain text, and thus, to a 
greater or lesser degree, vulnurable.

The first two situations that come to mind include:

   * during copy and paste operations, the plaintext password could remain on 
the C&P "stack". thus making it vulnurable:  Some notes:

      (1) I've read about at least one password manager that, somehow, deletes 
the plaintext password from the copy and paste "stack" after a time delay--I 
didn't make a note of which one that was.  

      (2) another approach could be that a password manager provides a 
facility to write the password to a designated textbox without using the copy 
and paste facility, thus, presumably, never putting the plaintext password on 
the copy and paste "stack").

   * during hibernation (or maybe suspend and resume): (I use neither at the 
present time, but, one stores the machine's state (including RAM) to disk, the 
other stores the (CPU) state to RAM while preserving the other contents of 
RAM.)  Hibernation could result in the plaintext of passwords being stored on 
disk while the power is off, making the plaintext passwords vulnurable if the 
machine is stolen.

My current approach to passwords includes storing them in an encrypted file 
which is only ever decrypted to a RAMdisk, with the idea / intention that, if 
power is lost, or the machine is shutdown, the plaintext passwords would 
disappear from RAM (except to the extent that (iiuc) there are (NSA) ways to 
recover the contents of RAM if power is restored to the machine fairly 
quickly).  My assumption, without considering hibernation. was that the only 
remaining copy of the passwords would be in the encrypted files. 

Maybe my concern about these situations is unrealistic, but I want to consider 
it, so all comments are welcome.

BTW, I can see that the Master Password approach might be the solution for 
most of the problem, unless I (or it) uses copy and paste to put passwords in 
a textbox.





On Friday, March 30, 2018 09:44:18 PM Andrew McGlashan wrote: