Good Sam Community

I see we have a Big Bang Theory fan !

That is waay too much remembering, having to remember each pass phrase for each login, and which numbers you've substituted for letters. How does one do this for over 200 log ins?

Password managers make life much easier. Of course if I forget the password to my password manager, I am royally "attached to another object by an inclined plane, wrapped helically around an axis". 🙂

For long secure passwords make up a sentence. Example For RV.Net = My grandmother is 89 years old! This gives me fRV=#211is89ye3! That way you do not need to remember a password. You can use any combination of letters and words, all you need to remember is your key. For example the first number after the = is # charters. The hint "Grandmother's Age in 2014".

My actual long secure passwords are much more complicate and i do not need to remember any except the variable in each sentence which are related to the web page.

I personally was a little surprised by the results. But added keylogger protection some time ago after reading how difficult most are to detect by popular security apps. In fact, my highly rated AV package could neither detect the keyloggers I have running in real-time, nor by a separate on-demand scan. It also didn't detect AntiLogger Free whose behavior is very similar to a keylogger itself. However, Malwarebytes Free did detect them all using an on-demand scan, and I had to make exceptions not to delete them.

BTW, if you do use an anti-keylogger app, its important to let it auto run at startup by default. Should you run it after a keylogger is already running, it can actually render its protection useless as the keylogger can take control of the clipboard. So not a perfect solution by any means.

I am more worried about inputting an incorrect password and then being locked out, or not being able to access an online database of my passwords for some reason. I keep a written list, plus a backup - not permanently attached to my computer.

I'm sure that no matter what the precautions are there is a way to circumvent them short of unplugging the Internet.

There are numerous websites that can offer suggestions for safer computing as well as programs to assist in protecting your computer.

In the end it comes down to your actions that determines the level of threat you are exposed to.

How Safe Are Your Passwords?

Actually, virtually no method mentioned can insure that stored passwords are completely protected if the computer you're using is compromised by hardware/software data capture, such as a keylogger Trojan. What makes the situation worse is that many anti-virus/anti-malware software packages are ineffective in detecting the presence of a keylogger in real-time. Though can be more effective in doing so when utilizing an on-demand scan. Yet, often requires the use of specialized security apps such as Malwarebytes.

I did some brief testing of password security methods using two popular keylogging utilities readily available on the NET. One of which could capture contents from the clipboard(copy/paste). In each case, I used the normal procedure for inputting the stored account user name/password for the application or method to log into RV.NET. Here are some observations for common password storage methods mentioned.


Method 1: Using Paper to Store Passwords.
Password Database Access - NO?
User Name/Password Revealed - YES

The keylogger was easily able to record the website name, and the user name/password when utilizing the hardware keyboard.

Inputting using a virtual keyboard, such as Windows On-Screen Keyboard, made no difference. The keylogger was still able to record the user name/password.

This was by far, among the least secure methods.

Method 2: Using Firefox Browser's built-in Password Manager.
Password Database Access - YES if using Master Password.
User Name/Password Revealed - NO

The keylogger was "not" able to record the user name/password using Firefox's built-in password manager. However, it was able to record the Master Password, if enable for access, which could be used to reveal passwords if one had local access to Firefox.

Not using a Master Password leaves Firefox's passwords unsecured, unless the database is separately encrypted. Such as securing Firefox's profile folder in a encrypted virtual container.

Method 3: Password Manager Utility - KeePass
Password Database Access - NO if using Secured Desktop option for Master Password, or a Key File.
User Name/Password Revealed - YES

Using KeePass, the keylogger could not record the Master Password to unlock the database file if Secure Desktop is enabled under options. Nor could it record the Key file if used. However, the second keylogger utility was able to capture both the User Name/Password from the clipboard if using copy/paste from within KeePass. So not a secure method to use on a compromised system.

Method 4: Cloud Password Manager - LastPass.
Password Database Access - YES
User Name/Password Revealed - NO

Using LastPass in Firefox, the keylogger was able to record both the account email address/password from the Master Log-in form for account access. If "Remember Email" was enabled, the LastPass account password was still recorded though the associated account email address was not. No user names/passwords were revealed with auto log-in, but still the possibility exists to hijack the account itself containing the passwords online.

Though just a very limited test, it does demonstrate the dangers of keyloggers. A popular method used by cyber criminals to gain unauthorized access into personal/business accounts. Which was reportedly used to ultimately breach Target's database, by using captured credentials from a contractor through an infected email attachment. Resulting in the theft of 110 million customer accounts.

Notwithstanding, it was interesting that Firefox browser based password managers appear to offer the best protection, so long as the database can be adequately secured locally. None of the keyloggers were able to capture any data using auto login functions.

Another useful option would be to utilize a keystroke encryption app as part of a multilayered security approach, which could render keylogging Trojans ineffective in capturing data. However, they would not be effective against hardware based keyloggers.

There are a couple free anti-keylogging apps available. I personally use Zemana AntiLogger Free. In fact, with AntiLogger Free activated, the keyloggers tested could not effectively record useable data, nor capture any user names/passwords.

Zemana AntiLogger was also tested against 14 known keyloggers by another website, and passed in all instances.




UPDATED: To include results from a second keylogger to test clipboard data capture(copy/paste).

1Password it's not for everyone but I love it. Syncs across my home and work computer, iPhone and iPad. Most of all I trust my data.

But you're still vulnerable to a keystroke logger, something that a program like Roboform is not.

Periodicly I make a spreadsheet of all my passwords and organize them. I then store the file on a thumb drive which is very seldom actually attached to the computer(s). I print a hard copy of the list and keep it in my office.

Then I make sure I've cleaned my computer of any and all junk using Ccleaner to clean up any problems that have cropped up, then I defrag, then I wipe the drive so no fragments are left anywhere.

Call me paranoid, but I would not have my passwords on my computer even protected by some app that potentially could get hacked.

XXX I have used roboform for about 10 years maybe - excellent program

I use LastPass for all my every day things like forums and email. I use my head for the important ones like financial sites. I do have hints stored on my computer, my memory has slipped some over the years.

The hints are stored in documents totally unrelated to any type of financial information. As an example recipes would be a good place hide some hints in.

Annoyance passwords can be overcome using this site:

Bug Me Not

Why even use your own password when you don't need to?

WoodGlue