KeePass and Keyloggers

2005-05-06
2012-11-20
  • Nobody/Anonymous

    I'm curious if I am protected from keyloggers and such if I use KeePass to Auto-Type or Paste my user ID and password? CTRL-ALT-A or CTRL-V?

     
    • Nobody/Anonymous

      If not protected, how can this be implemented so that security is increased even further.

      KeePass on a USB pen drive on a public computer would be optimal. Sometimes I have no choice but to use a public PC.

       
    • Squeller

      Squeller - 2005-05-07

      This is rather about grabbing passwords from RAM. Generally speaking: keep in mind that even if you have a super über secure pipe from KeePass to the target application, at the moment when the password sits in the input field of the target app, it can be grabbed.

      The only implementation is a malware-free system. If you HAVE TO use an untrusted system, you should only carry as few passwords as possible there AND you should change them ASAP.

       
    • SF User·

      SF User· - 2005-05-07

      1. Complete security and protection is an illusion. The best you can do for protection against key loggers is use programs that have features that attempt to counter them (i.e. KeePass has some built-in countermeasures) and attempt to keep a clean system. An internet café, library or public computer should be considered as unsafe as shouting your accounts and passwords out in a crowded room of people at your local criminal court house.

      2. In KeePass (v0.99c) turn on (check) the following settings:

         a. Settings, Memory, Clipboard Behavior, Enhanced: allow pasting only once and protect against clipboard spies - selected

         b. Settings, Security, Use more secure password edit controls - checked

         c. Settings, Security, Disable unsafe operations - checked

           * Note: using a public computer is always risky no matter how safe the provider states it is or how careful you are.

      3. KeePass does have some built-in protection against clipboard monitors (so other applications should not get notifications that the clipboard content has been changed). Additionally, there is a paste-once feature that allows only one paste operation; after pasting, the clipboard is cleared automatically by KeePass. See the following for more information:
      http://keepass.sourceforge.net/features.php#lnkClipboard

      http://sourceforge.net/forum/message.php?msg_id=3024321

      http://sourceforge.net/tracker/?group_id=95013&atid=609911&func=detail&aid=1045393

      http://sourceforge.net/tracker/?group_id=95013&atid=609911&func=detail&aid=988432

           * Note: Several methods do exist outside of the KeePass application's control to steal your passwords. It appears that KeePass makes attempts to keep your passwords safe, and this is more than common password managers do. Additionally, by having multiple passwords, databases, and expiration reminders, you should be safer than the standard old security practice of one password fits all. This is where the basic idea of KeePass comes in: to help you have different strong passwords for each account you have and remind you to keep changing them.

      4. For maximum security of a KeePass dB use both a key-disk file and master password with several encryption key rounds. (Comments on setup of disk files, command line options and how many key encryption rounds are ok can be found in this forum.)

      5. Think about making segregated databases for your passwords that are separated by security level and personal/work use (i.e. banking, work everyday passwords, home passwords, web email passwords, work highly secure passwords - servers, etc.). It is a good idea to at least keep e-mail passwords separated from others, as password resets, account information and intrusion notifications often come by e-mail.

      6. Consider using a mobile device like a PocketPC to store passwords on so that you are not exposing your USB to viruses or file copying and keyboard monitoring on a public PC. A version of KeePass does exist for the PocketPC; see http://keepass.net/index.php?kppc-download for more information.

      7. Whenever you use an untrusted PC, untrusted network or wireless connection, you should always, as soon as you return to a trusted system, change the passwords used. I cannot stress how easy it is to grab a password off the data line, cable, from memory or from half a dozen standard internet café (library/public computer) password stealing methods. * Keep those passwords expiring and changing - this is a perfect use of KeePass to manage and track.

      8. If you do not have a toolbox of anti-malware and updated antivirus (at least weekly) running on your CLEAN system, consider it a dirty system. If you use a wireless internet connection with insecure encryption practices to access your financial information, change the password and use a dedicated clean and hardwired system to access sites you want to keep highly secure.

           * Starter Kit of anti-malware tools that you should use regularly (Note: It is best to have several, as one does not generally catch everything. A combination of some of the following with at least one resident in memory - do some research to find what fits your system best. These are not replacements for virus scanning software, which is generally speaking a separate category and class of programs.)

      a. Malicious Software Removal Tool - http://www.microsoft.com/security/malwareremove/default.mspx  - Microsoft

      b. Microsoft Windows AntiSpyware (Beta) - http://www.microsoft.com/downloads/search.aspx?displaylang=en&categoryid=7 - Free for home use?

      c. Ad-Aware SE Personal or Professional - http://www.lavasoftusa.com/support/download/#free - Lavasoft's Ad-Aware comes in both a free and an advanced version which offers real time protection.

      d. SpyBot Search and Destroy - http://www.safer-networking.org/en/index.html - Has an "immunize" feature and Scans.

      e. PestPatrol - http://www.pestpatrol.com/ - now provided by Computer Associates\E-trust. Provides real time protection as well as scanning.

      f. LEARN WHAT A HARDWARE KEY LOGGER LOOKS LIKE - http://spycop.com/keyloggerremoval.htm - picture and an explanation of a NON-Software key logger.

      g. SpyCop - http://spycop.com/spycop-personal-product.htm - scours your system looking for surveillance spy software on your PC.

      h. Spy Sweeper - http://www.webroot.com/ - Detects and removes spyware and adware from your PC, and prevents new unwanted programs before they can infect your machine.

      9. Welcome to the ever growing and changing world of people trying to steal your information while you try to keep up to make yourself safe.

      The internet is not just about pictures anymore; it is about business, policing, product buying and politics - with these things you have true bandits trying to rob you at every corner. (A true open market and all the fun that goes with it.)

      Be Safe,
      Mr. Lister

       
