Jump to content
Enpass Discussion Forum

Wisdom of what data to store


gaetawoo
 Share

Recommended Posts

I'm curious... how wise is it to store so much of one's information.. like bank account info, payment and identification information... 

On one hand, if you have all your logins stored in here... most of that stuff is available through that... so is it any worse to store it outright? I mean, if someone gets a hold of your database and cracks it, it's kinda over isn't it?

Link to comment
Share on other sites

Hi @gaetawoo,

Thanks for writing in. The security of Enpass lies totally on Master Password that you only know. Even if any bad guy gets access to your data file by any means, he won't get anything meaningful out of it until he knows your master password. So we always strongly recommend to use a strong Master Password. For more details about Enpass security check out: https://www.enpass.io/security/

Hope it helps!

Link to comment
Share on other sites

My 2 cents...

That is an essential question. Colocation of sensitive information into one place with added security is generally what you do with most your secrets or valuables such as passwords, creditcards (in the wallet) or money (the bank :-))

The main-problem today is that passwords as a single authentication-challenge is too vague. Too often, theyre not properly protected at the site storing them.

As a quantifier, we often re-use them, so gaining access to an email + password at a website many times gives access to 10 other sites,.

A password manager sorta moves the issue from having one password stored at 100 locations into having it stored at 1 (with a master password).

The issue isnt entirely solved, but at least you've compensated for those forums that didn't ran security updates since 2014 and are affected by heartbleed, poodle and whatnot. So you wont need to panic about public password-dumps like those on Flashback.org and immediately visit https://haveibeenpwned.com/ 

What I like about Enpass is;

  • I can place these secrets whereever I want, at any disk, any site, cloud, removable media etc, Im not bound to store them where "thieves" start looking.
  • Im not forced to bundle 100% of my credentials in ONE wallet-file. I can choose to place some less-sensitive secrets in one wallet which I sync, and other critical stuff in an ofline location like a removable drive or a disc which isnt even mounted other than when I actually need it.

Having that said, there's LOTS of factors that come into play.

  • Is the Master Password a sufficent challange to access all my stuff, or do I require another factor (2FA)? A peek over your shoulder is enough for someone to gain access to all stuff, if gaining access to the wallet. A keyboard-logger can easily be snuck into the back of a workstation, Heck, KeySweeper doesnt even require physical connection to your computer to intercept keystrokes from a wireless Microsoft-keyboard.
  • Storing a second authentication factor ALONG with the first one in the same place generally beats the purpose, at least partially, Use wisely.
  • What are the consequences if my wallet gets compromized? can I recover or will my life be over? (e.g I never store the credentials for my primary email anywhere, since that in the wrong hands with "forgot my password" would result in access to any accound, theoretically.
  • Many people today stare themselves blind on the level of encryption, "Oh its AES-256, that's militarygrade so its safe, Period, the competitor is just using 128-bits!". Sure the enc. implementation is of esssence, but its not "period". A simple comparision-instruction could potentially be swapped by a skilled rev. engineer to set security aside, (im not implying anything specific to Enpass here)Im just saying that often, security mechanisms aren't broken brute-force, they're simply bypassed,
  • Do I NEED to store the PIN for my creditcard in a passwordmanager? I remember it just fine prior to using any pwdmanager, so why should I store it outside my head?

IMHO, there's simply a balance between security and usability, between wisdom and stupidity. but its individual

Sorry for the.. hefty content,

  • Like 1
Link to comment
Share on other sites

1 hour ago, Ivarson said:

My 2 cents...

.......

 

Sorry for the.. hefty content,

That's a fantastic answer, and frankly, I wish you would go on for longer, giving your best practices and tips and tricks.

Here's my thing... I'm basically in charge of most of my family's important matters, so my wife doesn't know many of the details. And when she would know some temporarily, she'd forget over time. That's the main reason I've switched to Enpass, to co-locate. You bring up some great points, about remembering the PIN and stuff like that. But that's where I wonder what to do because my wife doesn't know all my pins, and if I get hit by a bus, that's that. My master password is one that howsecureismypassword.net says would take a computer  1 SESVIGINTILLION YEARS to brute force. So there's that. I do have 2FA with another app so they aren't in the same keystore at least (even if I can access both on the same device). Maybe a good idea would be to not generate passwords for accounts that have 2FA and just have memorable passwords for them and not store them, but that means my wife, should she need  access, couldn't get access if I'm not around or i'm ded. It's this kind of stuff, navigating the compromise of security, convenience, and accessibility that is so hard, and frankly I'd consider myself new and green to the ideas and best practices of security. Having separate wallets is an interesting idea, maybe one for logins and one for life information (bank, cards, things to know or remember..) but again that adds complexity, for good and bad. So many complex decisions, especially when I'm the one that knows most things and I'm trying to make a way for someone else to have access to them if the need arises.

Link to comment
Share on other sites

9 hours ago, gaetawoo said:

That's a fantastic answer, and frankly, I wish you would go on for longer, giving your best practices and tips and tricks.

Here's my thing... I'm basically in charge of most of my family's important matters, so my wife doesn't know many of the details. And when she would know some temporarily, she'd forget over time. That's the main reason I've switched to Enpass, to co-locate. You bring up some great points, about remembering the PIN and stuff like that. But that's where I wonder what to do because my wife doesn't know all my pins, and if I get hit by a bus, that's that. My master password is one that howsecureismypassword.net says would take a computer  1 SESVIGINTILLION YEARS to brute force. So there's that. I do have 2FA with another app so they aren't in the same keystore at least (even if I can access both on the same device). Maybe a good idea would be to not generate passwords for accounts that have 2FA and just have memorable passwords for them and not store them, but that means my wife, should she need  access, couldn't get access if I'm not around or i'm ded. It's this kind of stuff, navigating the compromise of security, convenience, and accessibility that is so hard, and frankly I'd consider myself new and green to the ideas and best practices of security. Having separate wallets is an interesting idea, maybe one for logins and one for life information (bank, cards, things to know or remember..) but again that adds complexity, for good and bad. So many complex decisions, especially when I'm the one that knows most things and I'm trying to make a way for someone else to have access to them if the need arises.

I think much of it depends on her skills with IT and whether she'll use enpass in daily life. 

If she's totally green on computers in general you wouldn't have her to worry about a relatively small software to work on a specific device/OS the day you pass on. Maybe store stuff in enpass and do regular export-printouts to paper and lock those in a safe?

If she's into IT like you though (but just not custom to keep records of passwords) then sure go ahead keeping them digitalized and encrypted. As you said yourself, maybe static information like bankaccounts and insurance-docs doesn't need to roam over devices like logins tend to do with syncing. 

Other then enpass, there's of course a multitude of software for this. 

What if you want to store some scanned documents in pdf format, or other pictures or files in the "wallet"? Enpass is not a filecontainer in that sense, it's a database/record-oriented solution which on the other hand makes cataloging, syncing and searching easy and less error-prone . A software like VeraCrypt (derivate of TrueCrypt) lets you store anything inside it and is also cross-platform and available as portable edition. 

With VeraCrypt you can also require a specific file  to be available to open the vault. So theoretically you can store that key-file in a usbdrive (and wear it around your neck or lock it in) , telling her that file is needed to access the main-vault. 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

×
×
  • Create New...