'Rapport' Security

ETROL

masonic wrote: »

That is true for excel 2007 (.xlsx) files, but less true for earlier versions of excel. It also depends very much on the strength of the password used.

masonic
I use excel 2003 so perhaps not so good then
I dont keep any bank details there but i find it very handy for low risk stuff like Ni numbers etc
Can it be cracked by anything other than brute force?

judging by the interest in security on this post then perhaps a sticky with best practice advise in laymans terms might be worthwhile?

masonic

ETROL wrote: »

I use excel 2003 so perhaps not so good then
I dont keep any bank details there but i find it very handy for low risk stuff like Ni numbers etc
Can it be cracked by anything other than brute force?

The problem with the default encryption for Office 2003 was that it wasn't properly implemented. To cut a long story short, if somebody is able to obtain several different versions of the same document, then they would be able to crack the password with significantly less effort than a standard brute force attack. To get around this, you have two options:

1) Install the latest compatibility pack for office 2007, which will allow you to save encrypted documents in the secure 2007 file formats.
2) Install Service Pack 2 (which, of course, you will already have done), which will then allow you to change the default encryption method (Tools->Options->Security->Advanced) from 'Office 97/2000 compatible' to RC4 Microsoft Enhanced RSA or AES. I believe you need to do this for every new encrypted document you create.

ETROL

masonic wrote: »

The problem with the default encryption for Office 2003 was that it wasn't properly implemented. To cut a long story short, if somebody is able to obtain several different versions of the same document, then they would be able to crack the password with significantly less effort than a standard brute force attack. To get around this, you have two options:

1) Install the latest compatibility pack for office 2007, which will allow you to save encrypted documents in the secure 2007 file formats.
2) Install Service Pack 2 (which, of course, you will already have done), which will then allow you to change the default encryption method (Tools->Options->Security->Advanced) from 'Office 97/2000 compatible' to RC4 Microsoft Enhanced RSA or AES. I believe you need to do this for every new encrypted document you create.

Thank you masonic
yes that option is showing (automatic updates is set) and i am now using Microsoft Enhanced RSA or AES with a strong password

hebron

I use Roboform, one password is all that is needed. It's free to try. I used others but decided roboform was far Superior and I bought is at about £14. Best bit of software I have got. I've got loads of passwords so it's a real needed piece of software.

surfcat

LeifGR wrote: »

Spot on!!!

For the last thirteen years, my Swedish bank has had a security dongle that produces an authentication response to a challenge from their web site, much more secure than the typical UK bank site. The recently introduced similar solutions that also require a debit card to be inserted (Nationwide, NatWest) are even more secure. This is a much better solution than requiring the installation of yet another software (which may not always be possible or desirable on the PC you wish to use).

But why on earth would I want to carry around some device that might get lost, just on the off chance I might use internet banking while I'm on some trip somewhere?

tradetime

surfcat wrote: »

But why on earth would I want to carry around some device that might get lost, just on the off chance I might use internet banking while I'm on some trip somewhere?

If you are going to use internet banking on a "trip somewhere" a holiday perhaps? You should be carrying your own computer with you.

masonic

surfcat wrote: »

...I might use internet banking while I'm on some trip somewhere

:eek::eek::eek:

Nothing I can imagine would ever tempt me to do any internet banking from a public computer.

hansi

Too right! Asking for trouble!:eek:

gt94sss2

LeifGR wrote: »

For the last thirteen years, my Swedish bank has had a security dongle that produces an authentication response to a challenge from their web site, much more secure than the typical UK bank site. The recently introduced similar solutions that also require a debit card to be inserted (Nationwide, NatWest) are even more secure.

Sadly, the Chip and Pin readers recently introduced for internet banking in the UK are not as secure as you believe - hence some banks refusing to roll them out here.

Also, for all the comments about HSBC's UK web site, its worth noting they suffer the lowest levels of online fraud compared to the other big UK financial institutions.

Getting back on topic to Rapport, I tried it on one computer and thought it would be useful, especially for non-IT literate users and was slightly amused to see it blocked/shielded cookies from Trusteer among others!

Regards
Sunil

KingL

StevieJ wrote: »

the question was do keyloggers pick up on copy and paste?

It might be worth a squint at Safekeys - which claims not to suffer from the keyboard buffer/copy_paste/screenshot exposures mentioned here.
http://www.aplin.com.au/?page_id=368


Also, I haven't checked recently, but if I remember correctly, if you keep any written record of your HSBC login credentials (e.g. in Keypass, Egg moneymanager etc) it is a direct infringement of your HSBC terms and conditions.

,