Store passwords online.

techguy

Hi,

I already have a program for storing my usernames and passwords locally. it works pretty well and i'm happy with it.

The problem with this is that I can't access this db when i'm out and about on my laptop.

I wonder is there anything out there for storing passwords in a MySQL database? I have a similar solution for storing code snippets etc in MySQL using Code Warehouse. This works pretty well and would be nice to get something like this for passwords.

I am aware of the security issues here so I will be slow to implement any solutions unless they come highly recommended from a variety of sources..

What kind of encryption schemes would be suitable?

Thanks.

mid

techguy wrote: »

Hi,

I already have a program for storing my usernames and passwords locally. it works pretty well and i'm happy with it.

The problem with this is that I can't access this db when i'm out and about on my laptop.

I wonder is there anything out there for storing passwords in a MySQL database? I have a similar solution for storing code snippets etc in MySQL using Code Warehouse. This works pretty well and would be nice to get something like this for passwords.

I am aware of the security issues here so I will be slow to implement any solutions unless they come highly recommended from a variety of sources..

What kind of encryption schemes would be suitable?

Thanks.

This link is to a transcript of a 'security now' podcast

http://www.grc.com/sn/sn-188.pdf

I know its not exactly what you asked, but if you look at page 7 or 8 onwards it may give you some ideas for online password storage.

mickoneill30

Have a look at dropbox
https://www.dropbox.com/ This gives you 2Gb of space free.


It replicates any files in your dropbox folder up to their server.
Then if you install the dropbox client on multiple machines your dropbox folder will synchronise among them all.
So if you store your password file in the dropbox folder it'll be available on all machines.
I have it installed on 4 machines so when I go to any of the machines I can open or access the same files. If you make a change to the file it pushes it up to the Dropbox server. Then when any of the other clients refresh they pull down the file.

Issues
If you're storing passwords in this folder then encrypt them. Your files get pushed to the Dropbox server. I'd never trust any third party with an unencrypted password file. You can create a Truecrypt file and store that in your dropbox and store your password file in there. When you open your Truecrypt file you're opening the file on your local machine. When you close it the file will replicate up to Dropbox.

If you open the same file on multiple machines and save it multiple times Dropbox won't know which is the main file and will create multiple copies. So only open the file one machine at a time. You can normally set the password programs to close themselves after 30 mins or so, so if you forget to close your password file on a turned on machine it'll close anyway itself. Then for your Truecrypt file you can set that to dismount your volume after 30 mins (or whatever) of inactivity.
So if you open it on another machine (once they've closed on all other machines) and make changes you won't get multiple files.

liamo

I use KeepassX (available for both Windows and Linux)

Passwords are stored in an encrypted (AES or TwoFish) database on your PC.

I also use DropBox which synchronises files across multiple computers. You also have web access to your files; files are encrypted on their system; individual folders can be shared (very handy); and you can undelete and roll back to previous versions.

I keep my KeepassX database in a DropBox synchronised folder which means that any changes to the database get pushed to all PCs on which I have installed Dropbox.

I have used various storage schemes over the years and the combination of KeepassX and Dropbox is the best solution I've found.

Hope this helps.

Liam


Edit: I see that mickoneill30 beat me to it on the Dropbox recommendation. KeepassX would seem to address his point about encryption.

uncleoswald

Not sure if its exactly what you are looking for (i'm not v tech and have no idea what a MySQL database is) but I've been using Lastpass without much trouble.

https://lastpass.com/

Review:

http://www.techsupportalert.com/free-roboform-replacement.htm

You create an account online and you can also download an application, alla Roboform.

mickoneill30

liamo wrote: »

Edit: I see that mickoneill30 beat me to it on the Dropbox recommendation. KeepassX would seem to address his point about encryption.

I use KeePass (seems similar to KeepassX). That's encrypted too but I'm paranoid.

techguy

Lot's of interesting advice guys, thanks.

It seems that most of the solutions here are for synchronising the DB file of an offline program to a webserver. This is not really what I had in mind.

I was hopng to go down the development route and get advice on strong encryption methods while storing passwords online. I would like to develop my own app for this.

I should probably have started this thread in the Development forum.

MODS: Could you please be so kind and move this to the "Development forum" to save me from starting a new thread there.

Thanks.

EDIT: Here's an idea. I could store my usernames and passwords in a MySQL DB, encrypted of course. I would then have a few extra characters that are common to all passwords and keep them in my head. When I access my password I could just add this secret string to the password returned from the DB. For extra security it could be things lik + - € etc... This way if somebody hacked into my DB none of the stored passwords would work.

Thoughts?

Explosive_Cornflake

mickoneill30 wrote: »

I use KeePass (seems similar to KeepassX). That's encrypted too but I'm paranoid.

KeepassX is a port of Keepass, I believe keepassx uses the same core as keepass.
Keepass 2 can be run under mono also.

Personally I've being using Keepass/Keepassx for about 5 years I'd say. Scp the database to a webserver when I change it, but I'm looking at drop.io now.

Leave you datbase as AES if you want to open it on a mobile devices, the symbian/java/android versions of keepass won't open a Twofish DB.

The_Thing

There is another way of doing this which does not require you to store any passwords, anywhere, at all. Allow me to explain:

A few years ago I began to run into difficulty in managing my passwords for all the websites \ forums I was a member of. I realised that storing them in any format, either physical or digital was not really a good idea for various reasons including theft or loss.

The solution I came up with was to create a set of rules (of my own choosing) comprising a number of distinct steps which I would apply to the urls of all the websites. Basically speaking all I do is look at the url of a site, apply my rules to it and the password is generated from that. I never wrote down my rules, nor stored any passwords since. As long as you remember the rules that you create you should be fine.

About six months after implementing the above I was listening to one of Steve Gibson's 'Security Now' podcasts and the subject of managing multiple passwords came up. I was very pleasantly suprised when Gibson suggested exactly what I had been doing.

As time goes on and you get used to working this way you can add to your rules to make your passwords more complex.

techguy

The_Thing wrote: »

There is another way of doing this which does not require you to store any passwords, anywhere, at all. Allow me to explain:

A few years ago I began to run into difficulty in managing my passwords for all the websites \ forums I was a member of. I realised that storing them in any format, either physical or digital was not really a good idea for various reasons including theft or loss.

The solution I came up with was to create a set of rules (of my own choosing) comprising a number of distinct steps which I would apply to the urls of all the websites. Basically speaking all I do is look at the url of a site, apply my rules to it and the password is generated from that. I never wrote down my rules, nor stored any passwords since. As long as you remember the rules that you create you should be fine.

About six months after implementing the above I was listening to one of Steve Gibson's 'Security Now' podcasts and the subject of managing multiple passwords came up. I was very pleasantly suprised when Gibson suggested exactly what I had been doing.

As time goes on and you get used to working this way you can add to your rules to make your passwords more complex.

This is a very interesting idea.. Would you care to elaborate on these "rules" you speak of? Obviously not your own rules but maybe a few simple rules that I could use a basis for more complex rules..

Thanks..

The_Thing

OK, techguy, no problem.

Firstly, when I speak of rules and steps you should understand that they are one and the same.

http://www.myexample.com

Step 1: Reverse the order of the first two letters - my becomes ym

Step 2: Capitalise the second letter - yM

Step 3: Count the number of characters in the second level of the domain name - myexample has nine letters.

Step 4: Combine the digit 9 with the word nine - 9nine - now we have 5 characters so add the digit 5 twice to 9nine between the n and the e - 9nin55e

Step 5: Add some personal data to the mix - the colour of your eyes - brown

Step 6: Capitalise the last two letters and place the digit 2 between them - broW2N

Step 7: Combine the output of step 4 with that of step 6 above - 9nin55ebroW2N

Step 8; Add the output of step 2 to the start of the output from step 7 - yM9nin55ebroW2N

Step 9: Add the value of the digits - 9 + 5 + 5 + 2 = 21

Step 10: Add the output of step 9 to the start of the output from step 8 - 21yM9nin55ebroW2N

Using the above steps purely as an example the password for your account on http://www.myexample.com is 21yM9nin55ebroW2N

You can also add in some special characters to the mix as well to make it even stronger.

When you first start to use this method you will find it a bit awkward, but as time goes on it will become second nature to you.

The above is probably a little bit too complex starting off , but you get the idea.