Geekzone: technology news, blogs, forums
Topic # 240232 27-Aug-2018 20:50

I'm looking at options for hardware-based password managers; with good physical (chip-level) security, simple regular backup options, ideally stand-alone usability and Android compatibility.

Currently looking at the following:

  1. http://www.seclave.se/product.html
  2. https://www.getpassfort.com/
  3. https://trezor.io/passwords/
  4. https://www.pastilda.com/

Does anyone have any experience using these or others on a daily basis?

Trezor is probably the most readily available; however, the password manager software is still fairly immature and lacks offline and standalone use and official mobile support.


Reply # 2079990 27-Aug-2018 21:04

Why do you want hardware? How is a standalone piece of hardware compatible with Android - wouldn't you have to bring up the password and type it in?

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

Reply # 2079998 27-Aug-2018 21:16

timmmay: Why do you want hardware? How is a standalone piece of hardware compatible with Android - wouldn't you have to bring up the password and type it in?

I don't know of any "software" solutions that have anywhere near the level of actual security. Most are vulnerable to keyloggers, viruses etc., whereby the master key can be intercepted, revealing all the keys.

Hardware-based managers present only the selected decrypted keys to the OS, so worst case a malware-infected system only compromises the keys accessed on that system; coupled with 2FA, however, that issue is negated.

Standalone usability = the ability to use offline if needed to display building alarm codes etc. on a built-in display (in addition to PC/mobile connectivity); not a deal-breaker but nice to have.


Reply # 2080018 27-Aug-2018 21:48

Passfort looked good, but judging by its Kickstarter page comments, it may no longer be available/supported.

I don't use a hardware password manager - I use LastPass, although I do so in combination with physical 2FA via Yubikey (I bought a couple of them from Amazon during one of their seasonal sales). I've also used my Yubikeys with Kryptel to provide quick simple 2FA encryption for important documents as well as an offline backup password file. Probably not as secure as you'd like, but good enough for my needs.


Reply # 2080019 27-Aug-2018 21:54

Agree that software plus second factor authentication likely sufficient. It's sufficient for corporate enterprise use for resources that are critical like banking systems.

Reply # 2080021 27-Aug-2018 21:56

tieke:

Passfort looked good, but judging by its Kickstarter page comments, it may no longer be available/supported.

I don't use a hardware password manager - I use LastPass, although I do so in combination with physical 2FA via Yubikey (I bought a couple of them from Amazon during one of their seasonal sales). I've also used my Yubikeys with Kryptel to provide quick simple 2FA encryption for important documents as well as an offline backup password file. Probably not as secure as you'd like, but good enough for my needs.

Yeah that's the problem with these things; none have yet managed to get enough traction to ensure good compatibility and continued development.

I also thought Passfort looked pretty good but it also appears to have gone vapourware. Seclave also looks pretty good (albeit a bit unpolished) but I'm concerned about its lack of adoption.

I think Trezor has the best chance of becoming a ubiquitous standard due to its primary use as a popular cryptocurrency wallet; however, it's not quite there yet on the software side.

Reply # 2080030 27-Aug-2018 22:15

timmmay: Agree that software plus second factor authentication likely sufficient. It's sufficient for corporate enterprise use for resources that are critical like banking systems.

It's "sufficient" in centralised / regulated industries like banking where you can "Ctrl-Z" most issues (through technical or legal channels); it's insufficient however for e.g. encryption-based work which necessitates dedicated portable hardware-based (as above) or less flexible roll-your-own air-gapped systems.


Reply # 2080045 28-Aug-2018 07:14

I use a pen and notebook...


Reply # 2080071 28-Aug-2018 09:08

solutionz:

timmmay: Agree that software plus second factor authentication likely sufficient. It's sufficient for corporate enterprise use for resources that are critical like banking systems.

It's "sufficient" in centralised / regulated industries like banking where you can "Ctrl-Z" most issues (through technical or legal channels); it's insufficient however for e.g. encryption-based work which necessitates dedicated portable hardware-based (as above) or less flexible roll-your-own air-gapped systems.

If you are dealing with that level of security, have you looked at the latest NZ ISM? https://www.gcsb.govt.nz/publications/the-nz-information-security-manual/ This will guide you in terms of what equipment you need.
Yes, this is mainly for Government, but this and the PSR https://www.protectivesecurity.govt.nz/ are now for wider use in New Zealand.




Reply # 2080085 28-Aug-2018 09:39

Azzura: I use a pen and notebook...

Yip, sufficient for most purposes. Also as a backstop for master keys (inc. for hardware wallets) & backups when housed in a secure safe deposit box or similar.

But don't forget about all the dedicated hardware secure chips you use on a daily basis; smart cards, SIM, mobile secure enclave, computer TPM...

ResponseMediaNZ:

If you are dealing with that level of security, have you looked at the latest NZ ISM? https://www.gcsb.govt.nz/publications/the-nz-information-security-manual/ This will guide you in terms of what equipment you need.
Yes, this is mainly for Government, but this and the PSR https://www.protectivesecurity.govt.nz/ are now for wider use in New Zealand.

Thanks, I haven't checked out NZ ISM in a while and hadn't seen the new PSR so will take a look - but pretty aware of risks / mitigations, hence the topic.

I'm particularly interested in what hardware anyone's using on a daily basis as, with many things, if it's too complex people will bypass it. Particularly the process of adding / backing up new credentials so that it's done regularly and you don't end up losing them.

I started playing around with the Trezor Password Manager and it doesn't seem too bad so will probably end up going with that.


Reply # 2080212 28-Aug-2018 12:06

If you are using Google products, it might help?




Reply # 2080213 28-Aug-2018 12:11

01EG: If you are using Google products, it might help?

Password manager is quite different to 2FA; however, speaking of which, Google also have https://landing.google.com/advancedprotection/

Reply # 2080251 28-Aug-2018 12:40

I'm very familiar with NZISM and reasonably familiar with PSR. I don't think they always go far enough with encryption, particularly for in-confidence data.

I suspect national security type applications might want individuals to have a hardware portable key store, but less than that I don't see much of a need. There are many ways to lock things down, including hardware MFA, private connectivity, IP restrictions, time restrictions, IPS / IDS, etc.

Reply # 2080254 28-Aug-2018 12:50

It's no secret security agencies are all about promoting "just enough" security that they themselves can still defeat.


Reply # 2080286 28-Aug-2018 14:33

solutionz: It's no secret security agencies are all about promoting "just enough" security that they themselves can still defeat.

Complete bollocks

Security agencies in NZ are working desperately hard to get the general level of security awareness and practice in the vast majority of the state sector up above the level of "Security? Yes, we've heard of that. Why do you ask?"
They are actually promoting "just some" security with a hope that it might become "just enough" to keep script kiddies out and stop users shooting themselves and their employers in both feet - e.g. ACC 'sensitive clients' and MSD public access kiosks.

Reply # 2080300 28-Aug-2018 14:47

PolicyGuy:

solutionz: It's no secret security agencies are all about promoting "just enough" security that they themselves can still defeat.

Complete bollocks

Security agencies in NZ are working desperately hard to get the general level of security awareness and practice in the vast majority of the state sector up above the level of "Security? Yes, we've heard of that. Why do you ask?"
They are actually promoting "just some" security with a hope that it might become "just enough" to keep script kiddies out and stop users shooting themselves and their employers in both feet - e.g. ACC 'sensitive clients' and MSD public access kiosks.

http://lmgtfy.com/?q=NSA+backdoor