Storing Passwords on a USB

Elite Woad Raider

Hi



I'm currently using a password manager on my laptop. I haven't linked the password manager to an online account for security reasons and I use it only on my laptop. I'm thinking that I may need a backup if my laptop is damaged or goes missing.


I was thinking of backing my passwords up on a usb stick. I have found keepass portable which is free. It sounds secure but I'm not sure.


Are there any security risks holding passwords on a usb? I've tried writing down passwords but it takes too long.

Ten Pin

Are you using Keepass on the laptop?

Keepass saves the encrypted password database to a file that can be saved/backed up anywhere including USB. If you save it to cloud storage just make sure that you can remember the login details to the cloud storage just in case you lose all other backups. The database password would also need to be remembered.

There's also an android version of keepass that can read the password database.

The portable version is useful but not an absolute necessity as you would be able to download it as needed. The encrypted database file and knowing where it's stored is the main thing to focus on.

Elite Woad Raider

No I have kaspersky password manager installed on my laptop.

BailMeOut

Elite Woad Raider wrote: »

No I have kaspersky password manager installed on my laptop.

Import everything into free LastPass account so you have everything backed up online. LastPass can nativly import Kaspersky format.

biko

OP has already said they don't want to store the passwords in a cloud.

It's fine to keep the passwords on a stick, as long you don't lose the stick.

Probably best is simply to use your phone as a stick. That way you won't lose it, and it has plenty storage.
Or simply use a phone password manager that uses the phone storage and not cloud storage.

BailMeOut

biko wrote: »

OP has already said they don't want to store the passwords in a cloud.

It's fine to keep the passwords on a stick, as long you don't lose the stick.

Probably best is simply to use your phone as a stick. That way you won't lose it, and it has plenty storage.
Or simply use a phone password manager that uses the phone storage and not cloud storage.

He said he did not want to use the Kaspersky online option. LastPass setup correctly is very secure and trusted buy 1000's of enterprises. Way more secure than some USB stick!

73bc61lyohr0mu

I use Bitwarden. It's great IMO..

xckjoo

Elite Woad Raider wrote: »

Hi



I'm currently using a password manager on my laptop. I haven't linked the password manager to an online account for security reasons and I use it only on my laptop. I'm thinking that I may need a backup if my laptop is damaged or goes missing.


I was thinking of backing my passwords up on a usb stick. I have found keepass portable which is free. It sounds secure but I'm not sure.


Are there any security risks holding passwords on a usb? I've tried writing down passwords but it takes too long.

The only security risk is someone finding it, figuring out your master password and decrypting your password file. Realistically that's unlikely to happen unless you've fallen out with some very shady groups.
Keepass encrypts files with high end encryption so as long as 1) no flaws are found in these encryption methods and 2) you use a good long password, the odds of it being cracked are almost zero, even if someone gets hold of the fine. IMO the bigger risk is losing it. If your hard drive dies will you be able to find the USB backup and will it be up to date?

BailMeOut

xckjoo wrote: »

OMO the bigger risk is losing it. If your hard drive dies will you be able to find the USB backup and will it be up to date?

+1

No point of backing up if you cannot find the key stick when needed and these USB sticks do not last forever. I'd never depend on one for a backup.

the_syco

If using a USB, consider putting pictures of celebs on it, and renaming the password.zip to kardashian.jpg so if it is found, the casual finder will think that the jpg is corrupt, but you'll know it's really a zip file.

biko

Or just encrypt the USB stick with a really lengthy and strong pass-phrase


Do what you think is most convenient for you OP, while still having some security.
If you overdo the security you will just tire of it and go back to paper.

Laviski

I would rethink the strategy, you are creating a single point of failure with no redundancy.

Keeping in line with your desires - to store on at least 2 USB's and keep in separate locations. ie not in same building.
USB can fail like any other device, can also be damaged beyond repair. You will run in problems of keeping it up to date as others mentioned.

If hesitant against last pass, look at some of the cloud providers that provide encryption as standard part of their package. Look at some of the Swiss company's. Would not incline to support us based companies like spiderone.

Would store keepass key on there so they would need login of your encrypted cloud storage as well as the pass for the key.

Capt'n Midnight

biko wrote: »

Or just encrypt the USB stick with a really lengthy and strong pass-phrase


Do what you think is most convenient for you OP, while still having some security.
If you overdo the security you will just tire of it and go back to paper.

speaking of paper https://www.passwordcard.org/en

Capt'n Midnight

You could always build you own USB password holder

https://github.com/snopf/snopf

Whenever snopf is plugged into the computer you can make a password request and then the red LED will light up. If you press the button within 10 seconds snopf will imitate a keyboard and type the password for the requested service.

JustAThought

do you ise an iphone with fingerprint ID?
If so take a photo of your passwords written down and store the pics in an album with a boring name.
if you lose your phone they will beed your hand to get into the photoalbum & you tend to have your phone around handy should you need the passwords in a hurry.

I’ve had a few usb’s dissappear in the laundry and down the side of the cardoor into the kerbside slush - they are far too portable - unless you are keeping them in a disused teapot (winkwink) and pive Lone I’d say usb is a bad idea. They are alos most readily nicked as they are handy and seen as luxury disposble office supplies. Not usb.

Keepass DB
stored on multiple devices shared via Syncthing. https://syncthing.net/

Dravokivich

I just use Last Pass, and it's mainly so I don't have to remember all the passwords for everything.

stevek93

Don't use a removeable media for anything important if it fails and it will eventually you will be in trouble. Lastpass is best option second that a Google account with multi factor authentication and save your passwords as you enter them only way for someone getting into your Google account is with multi factor authentication enabled is to have access to your phone and password, or if you really don't want them online buy a safe write them down and lock them away. All the other options here putting them in the phone USB stick etc you will eventually loose them. I am working in IT the past 10 years

Elite Woad Raider

It seems like Kaspersky has a back up option. I exported a copy of the passwords to a sandisk flashdrive which I hold on a keychain. No need to write down 48 character passwords anymore.

JustAThought wrote: »

do you ise an iphone with fingerprint ID?

I have an android with fingerprint technology. From my experience security on those isn't too good.

stevek93

Elite Woad Raider wrote: »

It seems like Kaspersky has a back up option. I exported a copy of the passwords to a sandisk flashdrive which I hold on a keychain. No need to write down 48 character passwords anymore.



I have an android with fingerprint technology. From my experience security on those isn't too good.

Make sure you have at least two USB's storing your passwords.

xckjoo

stevek93 wrote: »

Don't use a removeable media for anything important if it fails and it will eventually you will be in trouble. Lastpass is best option second that a Google account with multi factor authentication and save your passwords as you enter them only way for someone getting into your Google account is with multi factor authentication enabled is to have access to your phone and password, or if you really don't want them online buy a safe write them down and lock them away. All the other options here putting them in the phone USB stick etc you will eventually loose them. I am working in IT the past 10 years

I stopped using Lastpass due to the paranoia that if it's compromised then you're totally goosed. It might be a long shot but there's plenty of examples of "completely secure" systems having fundamental flaws over the years.
I use an offline manager now with some backups across devices and some online storage. The online storage might sound hypocritical but someone would have to hack that service, find the file and hack that encryption. Lastpass is too much of a single point of failure for me :pac:

Bitwarden and a Yubi Key.

Laviski

xckjoo wrote: »

I stopped using Lastpass due to the paranoia that if it's compromised then you're totally goosed. It might be a long shot but there's plenty of examples of "completely secure" systems having fundamental flaws over the years.
I use an offline manager now with some backups across devices and some online storage. The online storage might sound hypocritical but someone would have to hack that service, find the file and hack that encryption. Lastpass is too much of a single point of failure for me :pac:

you don't need to hack in many cases most often someone leaves a door unwittingly open.
I will say lastpass is a better solution than storing on cloud where it isn't encrypted, ie google dropbox or like that. Use Tresorit or spikeroak. It also reminds to change passwords and updates you on known security breaches.
In saying that some critical passwords i don't allow to be stored there. But For the many sites i frequent the ease of the fill in option is a quality of life i'm not going to ignore not having.

Put in your email here and check your exposure.
https://spycloud.com/

Fogmatic

I now store passwords in a secured USB, but in a notebook as well.

As biko pointed out, security needs to be convenient enough to keep up. The right balance varies wildly according to location, whose data etc; in my case for instance, we have only ourselves to consider, and we don't work outside home or in/ for any organisation. The only device that leaves home these days is my smartphone, and I think the house would be awkward to burgle (and know it would confuse any thief once inside!).

I've always had most list documents, including passwords, laid out to suit folding into a small shape handy for travelling, and discreet storage at home. Confidential lists were removed from my computer when USB drives came along, and I got the encrypted one a few years ago for passwords. A very busy period including several paperwork reshuffles had left an out-of-date, largely redundant list, and passwords scattered all over the place, and it was easiest to start again from scratch.

The easiest way to do that was first to gather them in an alphabetical notebook that could move anywhere (and be 'always on'!). As well as being another backup, it would be sturdier than a folded list when on the move. So it was full circle back to the old-school address book (except with a more compact, very thin notebook that slips in easily alongside passport etc). Other backups here include the original scribbles in the general notebooks I use all the time, waiting for me to extract info and bin them (only I have the 'keys', to those, e.g. approximate dates!). No passwords are stored where others would think to look, and I don't feel a need to store them in the cloud.

With secured USBs there are quite a few permutations of features to choose from. Mine for instance has all the security needed built in, which I find very convenient; no apps, downloading or other external software, just the one strong password (its interface appears with contextual instructions in whatever device, and vanishes on disconnection, which automatically logs out. There's an unencrypted space for contact details in case someone finds it, and it's quite compact despite being cushioned with rubbery stuff (which also avoids skittering about). I don't know what other makes/types are out there (just happened on mine in an airport tech shop a few years ago, knew Integral as reputable and asked a few questions).

If I was researching this I'd start at the websites of good manufacturers, rather than trawling Amazon/ebay (sorting originals from fakes/inferior imitations there is just too much hard work with electronics). Some excellent companies have outlets there of course, but in that case their website will point straight to the right page (and this subject needs extra vigilance when searching the wider web).

Integral's website has maybe all the tips needed for choosing secured USBs in general. They still do my model (link is to that page in case it sounds like a contender).

[URL="integralmemory.com/product/crypto-drive-fips-140-2-encrypted-usb"[/URL]

Johnboy1951

https://www.youtube.com/watch?v=Srh_TV_J144

Fogmatic

Johnboy1951 wrote: »

https://www.youtube.com/watch?v=Srh_TV_J144

Very efficient - only one layer of security missing (write so small that most people need some optical aid to read them!).