Data Privacy Day

Post » Fri May 13, 2011 3:00 pm

You're right, that's why it is in there ;)


Strictly speaking, if one were to follow the points I made, even if your computer is compromised, no information would leak out. both KeePass and LastPass offer obfuscation of your passwords, and Comodo on the right settings would keep any information from leaking out in any event.

Not to say you don't have a valid point, you should of course always be careful with your system.



... strictly speaking, nope.
Simply put, if you have information stored, and YOU can read it, send it, copy it, edit it, etc., it can leak, and it can be obtained by someone with enough knowledge without your password/passwords. Simple as that. Again, nowadays there really isn't much to gain with trying to break passwords (it is a waste of time) when you can exploit applications/processes that willingly execute arbitrary code.

Compro
Isabel Ruiz
Posts: 3447
Joined: Sat Nov 04, 2006 4:39 am

Post » Fri May 13, 2011 2:10 pm

... strictly speaking, nope.
Simply put, if you have information stored, and YOU can read it, send it, copy it, edit it, etc., it can leak, and it can be obtained by someone with enough knowledge without your password/passwords. Simple as that. Again, nowadays there really isn't much to gain with trying to break passwords (it is a waste of time) when you can exploit applications/processes that willingly execute arbitrary code.

Compro

It CAN leak, but that is a CAN in the sense that in the next second the world CAN end, doesn't mean it is going to, and isn't backed by any current.

KeePass and LastPass when properly set up can withstand any known keylogger. A properly set up firewall and network will block any unapproved outgoing request.

So, barring you coughing up some evidence to support your claim of a multi-level vulnerability that can not only un-obfuscate KeePass's two-channel obfuscation, get past Comodo with Defense+, AND escape a properly set up router, I am going to have to say you are realistically wrong. Technically it is true that it is impossible to completely seal up everything, but on the same token it isn't realistically feasible to get around all the layers of protection you can set up.
Nikki Lawrence
Posts: 3317
Joined: Sat Jul 01, 2006 2:27 am

Post » Fri May 13, 2011 1:02 pm

... strictly speaking, nope.
Simply put, if you have information stored, and YOU can read it, send it, copy it, edit it, etc., it can leak, and it can be obtained by someone with enough knowledge without your password/passwords. Simple as that.

Strictly speaking, if all the stored information is encrypted, someone who doesn't know the cypher and the encryption key cannot obtain it. Simple as that.
Sara Johanna Scenariste
Posts: 3381
Joined: Tue Mar 13, 2007 8:24 pm

Post » Fri May 13, 2011 3:16 pm

It CAN leak, but that is a CAN in the sense that in the next second the world CAN end, doesn't mean it is going to, and isn't backed by any current.

KeePass and LastPass when properly set up can withstand any known keylogger. A properly set up firewall and network will block any unapproved outgoing request.

So, barring you coughing up some evidence to support your claim of a multi-level vulnerability that can not only un-obfuscate KeePass's two-channel obfuscation, get past Comodo with Defense+, AND escape a properly set up router, I am going to have to say you are realistically wrong. Technically it is true that it is impossible to completely seal up everything, but on the same token it isn't realistically feasible to get around all the layers of protection you can set up.



... sure... hyperbole is always cool... but I don't think you are understanding what I am saying... you keep harping on passwords and keyloggers, but you don't need those to breach a system. There are plenty of hacks that use things like mp3s and wavs and pdfs and Flash Player and everyday protocols everyone uses which can execute arbitrary code in your computer as YOU. So, unless KeePass or Comodo obfuscate YOU (and obviously I don't think that would be the case, otherwise you wouldn't be able to use your computer) they wouldn't be very effective. You may not think there are many of those, but check out http://nvd.nist.gov/ . Check out the CVEs, especially for protocols and file types....

Now, i am not saying protecting your passwds is a bad thing, but the reality is, other than script kiddies who download scripts from the net which are usually more a nuisance than anything else, the real hackers don't waste their time with people's personal computers, where there are oh so many sites that have your personal information together with 1000's of others, never mind the people who have all of these "security" features and think they are safe and do stupid things.
Claire Jackson
Posts: 3422
Joined: Thu Jul 20, 2006 11:38 pm

Post » Fri May 13, 2011 4:09 pm

Strictly speaking, if all the stored information is encrypted, someone who doesn't know the cypher and the encryption key cannot obtain it. Simple as that.


That actually is not correct.
JR Cash
Posts: 3441
Joined: Tue Oct 02, 2007 12:59 pm

Post » Fri May 13, 2011 7:22 pm

That actually is not correct.

It actually is correct.
louise tagg
Posts: 3394
Joined: Sun Aug 06, 2006 8:32 am

Post » Fri May 13, 2011 8:11 pm

Nice compilation of information. If people don't want to read all of it (understandable) I'd rank the section on ad/script blocking as the most important, as this addresses the attack vector that people will most commonly be hit with. The section on Facebook is also recommended for anyone who uses it.

Something I'd also like to comment on a bit is password security in relation to the kind of attacks that are actually carried out in the wild. Something that wasn't brought up was the difference between online and offline attacks, which is actually pretty important. Offline attacks are attacks carried out on encrypted or password protected information that the attacker has a local copy of (i.e. they have it on their own computer). Offline attacks are where you'll see the greatest potential for brute force attacks to be successful as the only limiting factor is how quickly the attacker's computer can throw passwords at the target, and simply a high-end desktop combined with algorithms that optimize the order in which a keyspace is searched results in most passwords being crackable in a matter of hours. It is against offline attacks that having particularly strong passwords will be a big help.

Online attacks, on the other hand, refer to attacks against a password protected account that must be accessed remotely (e.g. your webmail account or online banking account). Brute force attacks tend to be much, much less effective for online attacks due to a couple of factors. First, many online accounts either force a delay of a few seconds between password attempts, and/or temporarily block access attempts after a certain number of failed tries. These two factors dramatically increase the time required for a brute force attack, so much so that such an attack is basically an exercise in futility. However, even if a site doesn't implement such measures simply the time necessary to try out a single password remotely makes the time required for a brute force attack prohibitively long. Consider an example: let's use a very generous estimate that the time required to send a password, have a server process it and send a response of whether it's correct or incorrect, and receive that response is 20 ms. This means an attacker can try 50 passwords a second, or 180,000 passwords an hour. Now consider that just limiting ourselves to alphanumeric 8 character passwords we're looking at around 2.8 trillion possible passwords. Even if an algorithm is used to optimize the search order so that the correct password is hit fairly early (assuming the correct password is somewhat weak by containing a dictionary word), you'd still be looking at weeks, months, or possibly even years before this happens (and I'm sorry if I shatter any egos here, but chances are your data just isn't valuable enough that anyone would care to try to brute force your account for even a day or two). And keep in mind that this is basically a worst-case scenario, looking at a very low-end estimate on the time required.

Short version, online brute force attacks are not a serious concern in most real-world scenarios (provided you don't have a very weak password that can basically be guessed).

The main attack vector to worry about for online attacks against password protected accounts is that the server gets compromised and the file containing password information is lifted (as happened when Gawker was hacked: http://www.mediaite.com/online/gawker-medias-entire-commenter-database-appears-to-have-been-hacked/ ). The amount of additional effort the attackers need to go through after doing this depends on how security-minded the people managing the passwords were (e.g. were the passwords hashed with a salt, just hashed, or simply stored in plaintext). Unfortunately the quality of the security of the servers and password archives of various online services tends to be beyond our control. What each of you can do is minimize the damage if something like this happens by using different passwords for different accounts, so that if Bethesda screws up and your password on these forums is compromised that only means the attacker has access to your forum account, not your e-mail and bank accounts as well.

Something that should also be noted is that security is not about making it impossible for someone to compromise an account or a piece of data, but rather simply about making it difficult enough that doing so is no longer worthwhile. Again, sorry if I shatter any egos, but the various accounts you have (including your bank account) are not particularly high-value targets. Thus you aren't going to be seeing any serious attacks directed directly against your account in particular (although you may still see attacks targeted more generally, as compromising thousands of accounts at once, of which yours just happens to be one, is of much higher value).

The general takeaway I'd like to get across is to consider just what kind of attacks you're likely to be facing, and consider security measures in light of this. If you're storing password protected data locally and are worried it might get copied and cracked, then using a stronger password will provide better security. On the other hand, for an online account changing from a reasonably strong 10 character password to a super strong 30 character password doesn't actually provide any significant increase in security, while using a different 10 character password for each account you have vs the same 30 character password for every account you have provides a significant increase in security.
Holli Dillon
Posts: 3397
Joined: Wed Jun 21, 2006 4:54 am
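The online-versus-offline arithmetic in the post above, worked through as an added example (this is not the poster's code). It reproduces the post's figures (a 36-symbol alphanumeric alphabet, 8 characters, a 20 ms round trip) and generalises them to other alphabet sizes, to a lockout policy, and to an offline guess rate; the offline rate, the lockout parameters and the alphabet sizes beyond the post's own are constructed assumptions for illustration.

```python
"""Added example: exhaustive-search time estimates for the online and offline
attack models described in the post. Rates other than the post's 20 ms
round trip are constructed assumptions."""

# Alphabet sizes. The post's "around 2.8 trillion" for 8 alphanumeric
# characters corresponds to 36 symbols (26 lowercase letters + 10 digits).
ALPHANUMERIC = 36
MIXED_CASE_ALNUM = 62      # assumption: adds uppercase letters
PRINTABLE_ASCII = 95       # assumption: all printable ASCII

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

OFFLINE_GUESSES_PER_SECOND = 1_000_000_000  # assumption: a fast desktop cracker


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def online_rate(round_trip_ms: float) -> float:
    """Online attack: one guess per request/response round trip."""
    return 1000.0 / round_trip_ms


def guesses_per_hour(round_trip_ms: float) -> int:
    """The post's figure: 20 ms per guess -> 50/s -> 180,000/h."""
    return int(online_rate(round_trip_ms) * SECONDS_PER_HOUR)


def lockout_adjusted_rate(rate_per_second: float,
                          attempts_before_lock: int,
                          lockout_seconds: float) -> float:
    """Effective guess rate when the server locks the account for
    `lockout_seconds` after `attempts_before_lock` failures."""
    burst_seconds = attempts_before_lock / rate_per_second
    return attempts_before_lock / (burst_seconds + lockout_seconds)


def exhaustive_seconds(space: int, rate_per_second: float) -> float:
    """Worst case: every password in the space is tried at the given rate."""
    return space / rate_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def compare(alphabet_size: int, length: int, round_trip_ms: float = 20.0) -> dict:
    """Side-by-side worst-case times for one password of the given shape."""
    space = keyspace(alphabet_size, length)
    online = exhaustive_seconds(space, online_rate(round_trip_ms))
    throttled = exhaustive_seconds(
        space, lockout_adjusted_rate(online_rate(round_trip_ms), 5, 300))
    offline = exhaustive_seconds(space, OFFLINE_GUESSES_PER_SECOND)
    return {"keyspace": space, "online_s": online,
            "online_lockout_s": throttled, "offline_s": offline}


if __name__ == "__main__":
    for alphabet, length in ((ALPHANUMERIC, 8), (MIXED_CASE_ALNUM, 10),
                             (PRINTABLE_ASCII, 12)):
        r = compare(alphabet, length)
        print(f"{alphabet}^{length} = {r['keyspace']:,} candidates")
        print(f"  online, no throttling : {humanize(r['online_s'])}")
        print(f"  online, 5 tries/5 min : {humanize(r['online_lockout_s'])}")
        print(f"  offline, 1e9 guess/s  : {humanize(r['offline_s'])}")
```

Running it shows the post's point numerically: the same 8-character space that takes on the order of a thousand years to exhaust over the network takes under an hour against a locally held hash, so extra length buys a great deal offline and almost nothing online once throttling or lockout is in place.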
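The three storage schemes the post contrasts (plaintext, plain hash, salted hash), plus a slow salted key derivation, as an added example using only the Python standard library; it is not code from the thread. The user names, passwords and the PBKDF2 iteration count are constructed assumptions.

```python
"""Added example: why salted, slow password hashing limits the damage when a
server's credential file is lifted. All sample data is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: a deliberately slow work factor


def store_plaintext(password: str) -> str:
    """Worst case: a copied database hands the attacker every password as-is."""
    return password


def store_unsalted(password: str) -> str:
    """Plain SHA-256: equal passwords give equal digests, so one cracked
    digest unlocks every user who shares it, and precomputed tables apply."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user random salt: identical passwords now hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted *and* slow: each offline guess costs the attacker
    PBKDF2_ITERATIONS hash operations instead of one."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()


def verify_pbkdf2(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute and compare in constant time so the check leaks nothing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_password_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Given {user: stored_value}, group users whose stored values collide.
    For unsalted hashes this exposes exactly who shares a password; with
    per-user salts the grouping is empty."""
    groups: Dict[str, List[str]] = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return {v: users for v, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same password.
    accounts = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    unsalted = {u: store_unsalted(p) for u, p in accounts.items()}
    salted = {u: store_salted(p)[1] for u, p in accounts.items()}
    print("shared passwords visible in unsalted table:",
          duplicate_password_groups(unsalted))
    print("shared passwords visible in salted table:  ",
          duplicate_password_groups(salted))
    salt_hex, digest_hex = store_pbkdf2("hunter2")
    print("pbkdf2 verify correct:", verify_pbkdf2("hunter2", salt_hex, digest_hex))
    print("pbkdf2 verify wrong:  ", verify_pbkdf2("hunter3", salt_hex, digest_hex))
```

The grouping function is the defender's view of a leaked table: with unsalted digests the attacker can see password reuse across users before guessing anything, while salting hides it and the slow derivation multiplies the cost of every offline guess, which is exactly the offline scenario the post says strong, unique passwords are for.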

Post » Fri May 13, 2011 5:37 am

... sure... hyperbole is always cool... but I don't think you are understanding what I am saying... you keep harping on passwords and keyloggers, but you don't need those to breach a system. There are plenty of hacks that use things like mp3s and wavs and pdfs and Flash Player and everyday protocols everyone uses which can execute arbitrary code in your computer as YOU. So, unless KeePass or Comodo obfuscate YOU (and obviously I don't think that would be the case, otherwise you wouldn't be able to use your computer) they wouldn't be very effective. You may not think there are many of those, but check out http://nvd.nist.gov/ . Check out the CVEs, especially for protocols and file types....
.... huh?

So. Let's expand this logic:
1. Malicious software takes over your computer.
2. Malicious software doesn't know your KeePass password, so it can't access your passwords / decrypt the password database (and, as DEFRON noted, keyloggers won't work).
3. KeePass encrypts its memory, so you can't access the passwords that KeePass has in its database.
4. You also can't get the passwords from the clipboard, because KeePass encrypts that, too.

Oh, and did I mention Linux? Or (*gasp*) not running with Admin privileges? :P

Edit: The only way that a malicious program could get your password(s) would be to bypass KeePass - that is, to monitor when KeePass is run, minimize KeePass, and then run a program that looks like KeePass.
Brιonα Renae
Posts: 3430
Joined: Mon Oct 22, 2007 3:10 am

Post » Fri May 13, 2011 4:18 am

... sure... hyperbole is always cool... but I don't think you are understanding what I am saying... you keep harping on passwords and keyloggers, but you don't need those to breach a system. There are plenty of hacks that use things like mp3s and wavs and pdfs and Flash Player and everyday protocols everyone uses which can execute arbitrary code in your computer as YOU. So, unless KeePass or Comodo obfuscate YOU (and obviously I don't think that would be the case, otherwise you wouldn't be able to use your computer) they wouldn't be very effective. You may not think there are many of those, but check out http://nvd.nist.gov/ . Check out the CVEs, especially for protocols and file types....

Now, i am not saying protecting your passwds is a bad thing, but the reality is, other than script kiddies who download scripts from the net which are usually more a nuisance than anything else, the real hackers don't waste their time with people's personal computers, where there are oh so many sites that have your personal information together with 1000's of others, never mind the people who have all of these "security" features and think they are safe and do stupid things.

And none of that would do diddly to compromise your secured, encrypted files, and do little to successfully escape a properly locked down network. Sure your computer might be hosed, but nothing would be lost in the process.

I honestly don't think you understand what you are talking about. Being able to execute arbitrary code on your computer, which, yes, can lead to it being compromised, does not give it access to encrypted files/databases or necessarily cause a leak to computers out of your network.

To reiterate: malicious code being executed as an admin does diddly to your secured, locked-down files, but can easily mess with your computer. So they can't collect any data on you. So while you'd have to reinstall your OS, you'd not lose anything as your security will keep anything from leaking out. Unless, as I mentioned, it can bypass all the encryption you set up, both hardware and software firewalls, and a HIPS program, which is designed specifically to keep data from leaking out. You seem to think that running code on a computer will immediately undo all your security and encryption, which, quite frankly, is just utterly untrue.

Edit: I don't mean to downplay the dangers of malicious code being run in the background without you being aware of it, but rather, it doesn't undo the safeguards on your data you can put in place. It's dangerous because of how it can wreck your system or seriously compromise your data/make you part of a botnet IF your safeguards are not up to the task.

The general takeaway I'd like to get across is to consider just what kind of attacks you're likely to be facing, and consider security measures in light of this. If you're storing password protected data locally and are worried it might get copied and cracked, then using a stronger password will provide better security. On the other hand, for an online account changing from a reasonably strong 10 character password to a super strong 30 character password doesn't actually provide any significant increase in security, while using a different 10 character password for each account you have vs the same 30 character password for every account you have provides a significant increase in security.

I definitely agree with this. Shorter passwords that are all different are multitudes better than a singular extremely complex password. Though I personally feel the 12 character mark is what to aim for, rather than 12. My passwords tend to float between it and a (oh, not gonna tell you that :P)
George PUluse
Posts: 3486
Joined: Fri Sep 28, 2007 11:20 pm

Post » Fri May 13, 2011 7:52 pm

.... huh?

So. Let's expand this logic:
1. Malicious software takes over your computer.
2. Malicious software doesn't know your KeePass password, so it can't access your passwords / decrypt the password database (and, as DEFRON noted, keyloggers won't work).
3. KeePass encrypts its memory, so you can't access the passwords that KeePass has in its database.
4. You also can't get the passwords from the clipboard, because KeePass encrypts that, too.

Oh, and did I mention Linux? Or (*gasp*) not running with Admin privileges? :P

Edit: The only way that a malicious program could get your password(s) would be to bypass KeePass - that is, to monitor when KeePass is run, minimize KeePass, and then run a program that looks like KeePass.




Again, you are just focusing on just passwords and keyloggers. Linux-based systems, or just unix in general, can be compromised as well. People think because they run "linux" (which by the way, no one really runs "linux", but linux-based OSs, as "linux" is a kernel) they are not vulnerable. Sure they are not vulnerable to the types of attacks Windows is, but they can be breached by someone who knows what he/she is doing.

i think i made the mistake of posting on this thread. I am a unix engineer, I have been so for over 2 decades, and part of what I do for a living revolves around OS/network security. Maybe I should not have opened my mouth (or hit my keyboard in this case).
Makenna Nomad
Posts: 3391
Joined: Tue Aug 29, 2006 10:05 pm

Post » Fri May 13, 2011 2:19 pm

Again, you are just focusing on just passwords and keyloggers. Linux-based systems, or just unix in general, can be compromised as well. People think because they run "linux" (which by the way, no one really runs "linux", but linux-based OSs, as "linux" is a kernel) they are not vulnerable. Sure they are not vulnerable to the types of attacks Windows is, but they can be breached by someone who knows what he/she is doing.

i think i made the mistake of posting on this thread. I am a unix engineer, I have been so for over 2 decades, and part of what I do for a living revolves around OS/network security. Maybe I should not have opened my mouth (or hit my keyboard in this case).

I'm sorry, but what you are saying makes no logical sense

You are acting like some uber-hacker who knows the ins-and-outs of the various security and preventative features and intricacies of both your protective software and hardware is going to be going after me (they'd have to know the exact configuration to know what would and wouldn't work even on a theoretical level). First, I doubt the existence of such a person. Second, the benefits to risks are just not in the black, so only an act of passion would cause it. Third, while vulnerabilities always exist, they are not always possibly exploitable in a manner that could lead to compromising your personal information.

I honestly can't believe you are saying all this while holding any level of realism in mind.
Melis Hristina
Posts: 3509
Joined: Sat Jun 17, 2006 10:36 pm

Post » Fri May 13, 2011 7:57 am

And none of that would do diddly to compromise your secured, encrypted files, and do little to successfully escape a properly locked down network. Sure your computer might be hosed, but nothing would be lost in the process.

I honestly don't think you understand what you are talking about. Being able to execute arbitrary code on your computer, which, yes, can lead to it being compromised, does not give it access to encrypted files/databases or necessarily cause a leak to computers out of your network.

To reiterate: malicious code being executed as an admin does diddly to your secured, locked-down files, but can easily mess with your computer. So they can't collect any data on you. So while you'd have to reinstall your OS, you'd not lose anything as your security will keep anything from leaking out. Unless, as I mentioned, it can bypass all the encryption you set up, both hardware and software firewalls, and a HIPS program, which is designed specifically to keep data from leaking out. You seem to think that running code on a computer will immediately undo all your security and encryption, which, quite frankly, is just utterly untrue.

Edit: I don't mean to downplay the dangers of malicious code being run in the background without you being aware of it, but rather, it doesn't undo the safeguards on your data you can put in place. It's dangerous because of how it can wreck your system or seriously compromise your data/make you part of a botnet IF your safeguards are not up to the task.


Ok. Let me put it to you this way... can YOU get to your encrypted files? Can YOU read your encrypted files? Obviously, you can. If YOU couldn't read your encrypted files, then they'd be useless, correct? What I am saying to you is simply that I do not need your password to become you in the eyes of your computer and read your files. I cannot express it in any simpler manner. You are so entrenched in the idea of these applications being able to protect you from the outside world, but you don't see that your own actions could lead you to a breach, even if you think it is secured.

But like I said to Reneer, I think I should not have replied to this thread. My bad.

And a quick edit to spell Reneer's name properly and to add: I am not a "uber-hacker". That gov't site I gave you a link to? A week doesn't go by that I hit not only that site, but multiple sites for unix security. It is part of my job.

But understand one thing about security software: it can only act on what it knows.
Ross Zombie
Posts: 3328
Joined: Wed Jul 11, 2007 5:40 pm

Post » Fri May 13, 2011 12:45 pm

Ok. Let me put it to you this way... can YOU get to your encrypted files? Can YOU read your encrypted files? Obviously, you can. If YOU couldn't read your encrypted files, then they'd be useless, correct? What I am saying to you is simply that I do not need your password to become you in the eyes of your computer and read your files. I cannot express it in any simpler manner. You are so entrenched in the idea of these applications being able to protect you from the outside world, but you don't see that your own actions could lead you to a breach, even if you think it is secured.

Physical access to a system != arbitrary code run through exploits. I can access my files because I have physical access to them and know the password; without those two things I couldn't. The two can't even be compared. Seriously, show me a vulnerability that can break into my truecrypted volumes without knowing my password (or sit on my system undetected and access files unrelated to it without triggering my HIPS once I unencrypt the volume myself), as well as transmit said files past my firewalls to out of my network. When you do that I will consider what you are saying to hold heavy merit, but barring even a proof-of-concept method, what you are saying holds no weight and you are merely talking in hypotheticals that have no place in reality.

But understand one thing about security software: it can only act on what it knows.

Surely you know about heuristics and network/host-based intrusion detection/prevention. Those by their nature work on things they don't outright know.
Charlotte Buckley
Posts: 3532
Joined: Fri Oct 27, 2006 11:29 am

Post » Fri May 13, 2011 3:42 pm

Physical access to a system != arbitrary code run through exploits. I can access my files because I have physical access to them and know the password; without those two things I couldn't. The two can't even be compared. Seriously, show me a vulnerability that can break into my truecrypted volumes without knowing my password (or sit on my system undetected and access files unrelated to it without triggering my HIPS once I unencrypt the volume myself), as well as transmit said files past my firewalls to out of my network. When you do that I will consider what you are saying to hold heavy merit, but barring even a proof-of-concept method, what you are saying holds no weight and you are merely talking in hypotheticals that have no place in reality.


Surely you know about heuristics and network/host-based intrusion detection/prevention. Those by their nature work on things they don't outright know.



You know what? You are right. I cannot tell you :)

I guess you didn't get what I meant by software only acts on what it knows... but I am going to stop right here :)
Have a good night!
Jade Payton
Posts: 3417
Joined: Mon Sep 11, 2006 1:01 pm

Post » Fri May 13, 2011 12:06 pm

You know what? You are right. I cannot tell you :)

I guess you didn't get what I meant by software only acts on what it knows... but I am going to stop right here :)
Have a good night!

So basically you come in here, tell DEFRON something about how a hacker doesn't need a password to authenticate as a user (which, as far as I can tell, means gaining root access in some manner) and then when he replies about how encrypted volumes can't be decrypted without the password (and detailing a bit about his own setup) you... tell him you can't explain it / can't tell him and walk out.

What a piece of work.
Liv Brown
Posts: 3358
Joined: Wed Jan 31, 2007 11:44 pm

Post » Fri May 13, 2011 5:36 am

So basically you come in here, tell DEFRON something about how a hacker doesn't need a password to authenticate as a user (which, as far as I can tell, means gaining root access in some manner) and then when he replies about how encrypted volumes can't be decrypted without the password (and detailing a bit about his own setup) you... tell him you can't explain it / can't tell him and walk out.

What a piece of work.

Indeed, I am astonished.
Brandi Norton
Posts: 3334
Joined: Fri Feb 09, 2007 9:24 pm

Post » Fri May 13, 2011 8:11 am

edit: Double-post was not planned...


Ok. Let me put it to you this way... can YOU get to your encrypted files? Can YOU read your encrypted files? Obviously, you can.

Yes, but only if I know my own password (and if I have encrypted my data, only if I know my encryption key).


What I am saying to you is simply that I do not need your password to become you in the eyes of your computer and read your files.

Non sequitur.
Kate Schofield
Posts: 3556
Joined: Mon Sep 18, 2006 11:58 am
