Password Managers and Banking?

  • gsmh
    gsmh Posts: 640 Forumite
    Fifth Anniversary 500 Posts Name Dropper
    edited 7 March 2020 at 7:49PM
    OK. Whatever. You clearly know best. Where security products are concerned open source is highly thought of. It means there is nothing proprietary about the mechanism which stores your data so it is easy for those with the skills to see what's going on and verify nothing untoward is at play. The actual security of your data will be via the same encryption system as anyone else uses. The ability to self host is a further advantage as it means your data is only stored on your system.
  • masonic
    masonic Posts: 27,938 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 7 March 2020 at 7:59PM
    gsmh said:
    OK. Whatever. You clearly know best. Where security products are concerned open source is highly thought of. It means there is nothing proprietary about the mechanism which stores your data so it is easy for those with the skills to see what's going on and verify nothing untoward is at play. The actual security of your data will be via the same encryption system as anyone else uses. The ability to self host is a further advantage as it means your data is only stored on your system.
    It's not a case of anyone knowing best. This is a highly subjective area and people have different criteria. Open source products can and do have serious flaws, and these can go unnoticed for extended periods of time, but there is the capacity for them to be found, if enough people are looking. As mentioned previously, Lastpass is open protocol, which allows inspection of the inputs and outputs to verify they are in accord with what is documented, even if the actual code is not disclosed. There is no debate around that being a less satisfactory situation than a fully open source product as it requires some degree of trust in the author of the code, which at this time is not the parent company if my understanding is correct.
    The ability to self host can be viewed as an advantage if you do so securely, but for most people their own system is the weakest link, and there is the temptation to store a copy of the database on removable media. In any case, hosting your Keepass database online using your own online storage solution is no safer than having a third party do that, and might be weaker.
  • gsmh
    gsmh Posts: 640 Forumite
    Fifth Anniversary 500 Posts Name Dropper
    colsten said:
    Of course a PW Manager is useful for these sites, even if the PW Manager cannot log you in automatically. For example, you can still [securely] store your full PW, and manually enter the random characters required for the login.
    I think you and I have a different use for a password manager. For me it has to be able to fill in the username and password of apps and websites. I use a different product to store banking information - I used to use Evernote but in recent years I am more security conscious and want to host my own data so I use my Synology NAS and NoteStation where I keep useful snippets of websites, info on how to do things I have needed to do over the years, serial numbers of software, product receipts and banking information.
  • gsmh
    gsmh Posts: 640 Forumite
    Fifth Anniversary 500 Posts Name Dropper
    edited 7 March 2020 at 8:11PM
    masonic said:
    gsmh said:
    OK. Whatever. You clearly know best. Where security products are concerned open source is highly thought of. It means there is nothing proprietary about the mechanism which stores your data so it is easy for those with the skills to see what's going on and verify nothing untoward is at play. The actual security of your data will be via the same encryption system as anyone else uses. The ability to self host is a further advantage as it means your data is only stored on your system.
    It's not a case of anyone knowing best. This is a highly subjective area and people have different criteria. Open source products can and do have serious flaws, and these can go unnoticed for extended periods of time, but there is the capacity for them to be found, if enough people are looking. As mentioned previously, Lastpass is open protocol, which allows inspection of the inputs and outputs to verify they are in accord with what is documented, even if the actual code is not disclosed.
    The ability to self host can be viewed as an advantage if you do so securely, but for most people their own system is the weakest link, and there is the temptation to store a copy of the database on removable media. In any case, hosting your Keepass database online using your own online storage solution is no safer than having a third party do that, and might be weaker.
    It is interesting that some governments (e.g. Germany) outlawed the use of products such as Microsoft Office by governmental institutions because it used to have a very proprietary file format owned by Microsoft and this was seen as a security risk. The Open Document format used by OpenOffice, LibreOffice and others was the preferred format as it was open source and not owned by any company. Indeed, Office 365 is currently banned in schools in Germany for privacy reasons. Big companies effectively owning your data because it is stored in their proprietary format is an issue, a major issue, particularly for government and intelligence. I host what I can myself and use self-hosted NextCloud to provide me with contact and calendar syncing and cloud storage. I eliminated Google from my life some time ago and I still have the same functionality of which I am in control.
  • masonic
    masonic Posts: 27,938 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 7 March 2020 at 8:23PM
    gsmh said:
    masonic said:
    gsmh said:
    OK. Whatever. You clearly know best. Where security products are concerned open source is highly thought of. It means there is nothing proprietary about the mechanism which stores your data so it is easy for those with the skills to see what's going on and verify nothing untoward is at play. The actual security of your data will be via the same encryption system as anyone else uses. The ability to self host is a further advantage as it means your data is only stored on your system.
    It's not a case of anyone knowing best. This is a highly subjective area and people have different criteria. Open source products can and do have serious flaws, and these can go unnoticed for extended periods of time, but there is the capacity for them to be found, if enough people are looking. As mentioned previously, Lastpass is open protocol, which allows inspection of the inputs and outputs to verify they are in accord with what is documented, even if the actual code is not disclosed.
    The ability to self host can be viewed as an advantage if you do so securely, but for most people their own system is the weakest link, and there is the temptation to store a copy of the database on removable media. In any case, hosting your Keepass database online using your own online storage solution is no safer than having a third party do that, and might be weaker.
    It is interesting that some governments (e.g. Germany) outlawed the use of products such as Microsoft Office by governmental institutions because it used to have a very proprietary file format owned by Microsoft and this was seen as a security risk. The Open Document format used by OpenOffice, LibreOffice and others was the preferred format as it was open source and not owned by any company. Indeed, Office 365 is currently banned in schools in Germany for privacy reasons. Big companies effectively owning your data because it is stored in their proprietary format is an issue, a major issue, particularly for government and intelligence. I host what I can myself and use self-hosted NextCloud to provide me with contact and calendar syncing and cloud storage. I eliminated Google from my life some time ago and I still have the same functionality of which I am in control.
    Regarding the old office file formats, it wasn't just a concern. These were known to use weak encryption for password protection, amongst other flaws. I'm well aware that Office 365 has been outlawed in Germany for privacy reasons, yet elsewhere in the world, many companies are using it without concern. Do you consider all of the IT professionals working within those companies using Microsoft products to be negligent? Perhaps there is no right or wrong answer when it comes to matters like these.
    Personally, I'm aware of the drawbacks of using Google services, yet I still use them to some extent because they provide me with an overall experience I value and cannot get elsewhere. I do not provide them with information or data that I am not comfortable with them possessing, and have other services I use for more sensitive things.
    I am typing this on a computer running Ubuntu. I do not have Windows installed at all. That's one compromise I am unwilling to make. Yet I must use Windows at work, and I do.
  • Bobblehat
    Bobblehat Posts: 989 Forumite
    Eighth Anniversary 500 Posts I've been Money Tipped! Name Dropper
    gsmh said:
    colsten said:
    Of course a PW Manager is useful for these sites, even if the PW Manager cannot log you in automatically. For example, you can still [securely] store your full PW, and manually enter the random characters required for the login.
    I think you and I have a different use for a password manager. For me it has to be able to fill in the username and password of apps and websites. I use a different product to store banking information - I used to use Evernote but in recent years I am more security conscious and want to host my own data so I use my Synology NAS and NoteStation where I keep useful snippets of websites, info on how to do things I have needed to do over the years, serial numbers of software, product receipts and banking information.
    Oh Dear … sounds even more intricate than I first thought! My primary enquiry revolved around the use of PM for Banking, but obviously extends to internet shopping and other sign-in websites etc

    masonic said:


    The ability to self host can be viewed as an advantage if you do so securely, but for most people their own system is the weakest link, and there is the temptation to store a copy of the database on removable media. In any case, hosting your Keepass database online using your own online storage solution is no safer than having a third party do that, and might be weaker.

    So.... self host ….. not storing the PM "database" on a Cloud ... have I got that right? And there seems to be 3 choices (at least)  ... own PC (e.g.) ... own USB (e.g.)  .... 3rd Party. If I stored the database on a USB stick that I use to store my Banking info (not PASSWORDS and only hints for security data, all encrypted via MS Office 2007 Word/Excel) .... is that a good or bad idea. I don't intentionally store any banking data on the PC.

    p.s. I am looking at updating Office 2007.

  • masonic
    masonic Posts: 27,938 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Bobblehat said:
    masonic said:
    The ability to self host can be viewed as an advantage if you do so securely, but for most people their own system is the weakest link, and there is the temptation to store a copy of the database on removable media. In any case, hosting your Keepass database online using your own online storage solution is no safer than having a third party do that, and might be weaker.
    So.... self host ….. not storing the PM "database" on a Cloud ... have I got that right? And there seems to be 3 choices (at least)  ... own PC (e.g.) ... own USB (e.g.)  .... 3rd Party. If I stored the database on a USB stick that I use to store my Banking info (not PASSWORDS and only hints for security data, all encrypted via MS Office 2007 Word/Excel) .... is that a good or bad idea. I don't intentionally store any banking data on the PC.

    p.s. I am looking at updating Office 2007.

    If you have confidence in the encryption and the complexity of your password, then storing in the cloud should not be a major concern, although if it is not too inconvenient to do so, keeping a single copy on a single device is ideal. Storing on USB would be a concern if you were tempted to insert that USB stick into devices you didn't own.
    It's been a long time since I've looked at the encryption in Office 2007, but I seem to recall that even the new .docx file format had sub-standard encryption in Word 2007 (presumably Excel too) and a compatibility toolkit needed to be installed to make it compatible with newer versions of Office with better encryption. In my view you'd be better with an unencrypted document stored within an encrypted container (such as Veracrypt).
    If you are not storing full usernames and passwords, rather disguised hints to prompt you of this information, then the risk is very low.
  • gsmh
    gsmh Posts: 640 Forumite
    Fifth Anniversary 500 Posts Name Dropper
    edited 7 March 2020 at 8:49PM
    masonic said:
    gsmh said:
    masonic said:
    gsmh said:
    OK. Whatever. You clearly know best. Where security products are concerned open source is highly thought of. It means there is nothing proprietary about the mechanism which stores your data so it is easy for those with the skills to see what's going on and verify nothing untoward is at play. The actual security of your data will be via the same encryption system as anyone else uses. The ability to self host is a further advantage as it means your data is only stored on your system.
    It's not a case of anyone knowing best. This is a highly subjective area and people have different criteria. Open source products can and do have serious flaws, and these can go unnoticed for extended periods of time, but there is the capacity for them to be found, if enough people are looking. As mentioned previously, Lastpass is open protocol, which allows inspection of the inputs and outputs to verify they are in accord with what is documented, even if the actual code is not disclosed.
    The ability to self host can be viewed as an advantage if you do so securely, but for most people their own system is the weakest link, and there is the temptation to store a copy of the database on removable media. In any case, hosting your Keepass database online using your own online storage solution is no safer than having a third party do that, and might be weaker.
    It is interesting that some governments (e.g. Germany) outlawed the use of products such as Microsoft Office by governmental institutions because it used to have a very proprietary file format owned by Microsoft and this was seen as a security risk. The Open Document format used by OpenOffice, LibreOffice and others was the preferred format as it was open source and not owned by any company. Indeed, Office 365 is currently banned in schools in Germany for privacy reasons. Big companies effectively owning your data because it is stored in their proprietary format is an issue, a major issue, particularly for government and intelligence. I host what I can myself and use self-hosted NextCloud to provide me with contact and calendar syncing and cloud storage. I eliminated Google from my life some time ago and I still have the same functionality of which I am in control.
    Personally, I'm aware of the drawbacks of using Google services, yet I still use them to some extent because they provide me with an overall experience I value and cannot get elsewhere. I do not provide them with information or data that I am not comfortable with them possessing, and have other services I use for more sensitive things.
    I am typing this on a computer running Ubuntu. I do not have Windows installed at all. That's one compromise I am unwilling to make. Yet I must use Windows at work, and I do.
    Really it's about being aware of what's going on and, as you say, accepting a certain lack of privacy in return for services you feel are useful. I run pi-hole on my system. It runs on a Raspberry Pi and all DNS queries go through it. It effectively blocks certain websites and organisations from accessing your data, as well as blocking advertising network-wide. I can see it prevents Microsoft from accessing my data and my Amazon Echos have huge amounts of 'phone home' data blocked. I'm not a tin-hat sort of person but I don't like companies thriving by monetising my data. I do run MS Windows, but I think with pi-hole I give them much less data than the average Joe. As a computing teacher I have explained all this to students. Some are shocked at what Google knows about them, others couldn't care less. I think this is pretty much the same for the wider population. Same with 'loyalty' cards. Data is valuable and it is often taken from us without a commensurate reward. I think Google is somewhat nefarious in that its raison d'etre is to monetise your data and its 'services' and other products exist merely to make that task easier and fool people into handing it over.

  • colsten
    colsten Posts: 17,597 Forumite
    10,000 Posts Seventh Anniversary Photogenic Name Dropper
    edited 7 March 2020 at 8:57PM
    gsmh said:
    I think you and I have a different use for a password manager. For me it has to be able to fill in the username and password of apps and websites. I use a different product to store banking information - I used to use Evernote but in recent years I am more security conscious and want to host my own data so I use my Synology NAS and NoteStation where I keep useful snippets of websites, info on how to do things I have needed to do over the years, serial numbers of software, product receipts and banking information.
    Yes indeed. I am using biometric login wherever I can, so only have a very limited need for a password manager that can intelligently log me in with random bits of information from e.g. my password, or from memorable information. I can cope with having to figure out and type this stuff myself for the few websites which have this sort of login. Most of the sites I visit regularly do not have those requirements, anyway. I do, however, still need to have all this information available somewhere as I am unable to remember hundreds of different login credentials.

    I also need to keep other information, such as credit card numbers, PINs, passports, driving licences, codes for several safes and locks, social security information, luggage, WiFi codes, alarms etc etc somewhere safe - and crucially, somewhere where one or more others can securely and confidentially share some or all of that information, either on an ongoing basis, or in case of emergency. Lastpass lets me do all of that, in a totally reliable and relatively user-friendly manner, so that's totally perfect for my needs.
  • Bobblehat
    Bobblehat Posts: 989 Forumite
    Eighth Anniversary 500 Posts I've been Money Tipped! Name Dropper
    Many thanks Masonic and gsmh (and others). 

    Yes, I never plug my USB stick in anything other than my own desktop PC and don't store usernames or passwords or security data directly, only via coded hints in encrypted files. I keep a back-up copy of the stick in a safe place and update it at least monthly. 

    I might be taking a risk using Office 2007 to store these and screen dumps in encrypted docs, but they are on the USB stick and the MS office files have passwords that are unrelated to the Banking passwords. It's the sheer number of Bank Accounts, shopping sites  ... and forums etc …. that have made me start to look into how to simplify the process. I have to admit that the answers I have got in this thread may have shown me how naïve I may have been in thinking a PM would do the trick :/  