Taking passwords abroad safely?

Comments

  • TUVOK
    TUVOK Posts: 530 Forumite
    Thanks for all replies.
    My son's partner only yesterday told me that she uses Keepass, I'll be having a look at it.
  • TUVOK
    TUVOK Posts: 530 Forumite
    Thanks for all replies.
    Speaking to a friend yesterday who is tech savvy and he recommended Keepass too.
    Thanks for the link to Keepass for Android phones, hopefully look at it today.
  • PHK
    PHK Posts: 2,302 Forumite
    A couple of points to consider. There are some known flaws in Keepass that mean a determined hacker could recover passwords from local storage.

    It's also worth considering that if you have them stored on a physical medium like a hard drive or USB then you need to secure that both physically and electronically. You should also have a copy off-site as it were in case of hardware failure.

    For personal home use, Cloud based that's encrypted (so that neither the security company nor cloud provider can access it) is usually a better option.
  • Micron
    Micron Posts: 95 Forumite
    edited 12 November 2023 at 4:41PM
    Have the new 2.54/2.55 releases addressed the memory exploit you may have been referring to?

    Or are there other security problems?

    Please tell us more PHK.
  • TMSG
    TMSG Posts: 230 Forumite
    edited 12 November 2023 at 2:54PM
    PHK said:
    A couple of points to consider. There are some known flaws in Keepass that mean a determined hacker could recover passwords from local storage.

    It's also worth considering that if you have them stored on a physical medium like a hard drive or USB then you need to secure that both physically and electronically. You should also have a copy off-site as it were in case of hardware failure.

    For personal home use, Cloud based that's encrypted (so that neither the security company nor cloud provider can access it) is usually a better option.
    Any evidence for claiming there are "some known flaws in Keepass"? The only thing I am aware of is the recent discussion about https://nvd.nist.gov/vuln/detail/CVE-2023-32784 which many security experts think wasn't a flaw to start with... once an attacker has physical access to the PC involved then no app is safe against this sort of breach if it's currently running and unlocked. The KeePass2 dev has included a sort of work-around in v2.54 but this does not address the fundamental issue of security breakdown once the attacker has physical access to the hardware.

    Any evidence for claiming that "Cloud based... is usually a better option"? If you use a trusted and audited app to store passwords locally, use a safe master password* (and preferably also a keyfile as a second factor) this is safer than storing passwords on somebody else's cloud server. Bitwarden is, as I wrote, probably the best option here, because they open-source their code but even there the user has no control over their security arrangements, bug handling etc. If you store stuff yourself, you have more of a responsibility but you also can make sure it's as safe as possible. 100% security doesn't exist.

    * That's a topic in its own right.
  • Micron said:
    I've been using KeePass2 for many years on my PC and more recently Keepass2Android Password Safe on an Android phone.

    It's free, open source, no need to open an account, works locally without internet access and works well for me.

    You can also run a portable version of KeePass2 from a USB stick, it's said to be secure as it doesn't store any sensitive information on to the running system.
    I use exactly this combination and frankly can't understand why anyone would choose any other option.

  • PHK said:
    A couple of points to consider. There are some known flaws in Keepass that mean a determined hacker could recover passwords from local storage.

    It's also worth considering that if you have them stored on a physical medium like a hard drive or USB then you need to secure that both physically and electronically. You should also have a copy off-site as it were in case of hardware failure.

    For personal home use, Cloud based that's encrypted (so that neither the security company nor cloud provider can access it) is usually a better option.
    You need to provide some evidence to back up that assertion.
