Saving passwords in a txt doc inside 7 Zip? (bad idea?)

[Joe Bauers]

I would like to backup the passwords I have stored in Chrome and need a safe method to do so. 

 

If I were to transport then over to a .txt doc and then zip them in a password protected folder using 7Zip, would this be a safe option incase my computer was hacked?

 

My worries are someone can access my desktop in an attack and get my password folder and crack the encryption of 7Zip. Is 7zip good enough or is there a more hardened method to encrypt password on a desktop folder?

 

Is this strategy any good?  What do you recommend? 

[Kilrah]

3 minutes ago, Joe Bauers said:

What do you recommend? 

An actual password manager like KeepassXC.

[Joe Bauers]

3 minutes ago, Kilrah said:

An actual password manager like KeepassXC.

I'm wary of password managers due to backdoors and connecting to the cloud.  I'd rather store PWs locally.  

[OhioYJ]

Just now, Joe Bauers said:

I'm wary of password managers due to backdoors and connecting to the cloud.  I'd rather store PWs locally.  

Then most definitely store them in something secure like a Veracrypt encrypted file container. Veracrypt picked up where Truecrypt left off which has had security audits. Veracrypt also is cross platform so you can access it from Linux, Windows, Mac, etc. 

[Levent]

5 minutes ago, Joe Bauers said:

I'm wary of password managers due to backdoors and connecting to the cloud.  I'd rather store PWs locally.  

Are you really? KeepassXC and keepass work locally. They dont store anything on the cloud.

[Kilrah]

8 minutes ago, Joe Bauers said:

I'm wary of password managers due to backdoors and connecting to the cloud.  I'd rather store PWs locally.  

KeepassXC stores in a local file, just that it's actually designed to store passwords in a safe way unlike a text file.

[will0hlep]

(This probably won't be a popular suggestion but...) You could always just write them down in a book.

 

I know it has been drilled into people that they should "never write down their passwords". However, you can't hack pen and paper. Also, burglers and visitors are very unlikely to be looking through your book collection. The only real issue would be a house fire (or similar) but (for most people who don't keep backups) any file stored on your PC is just a vunerable to that.

[Joe Bauers]

19 minutes ago, OhioYJ said:

Then most definitely store them in something secure like a Veracrypt encrypted file container. Veracrypt picked up where Truecrypt left off which has had security audits. Veracrypt also is cross platform so you can access it from Linux, Windows, Mac, etc. 

I'll look into Veracrypt, hopefully it's not a PITA to open and close but good idea. TY.  I presume the longer the password the harder the crack or is it pretty hardy from the start?

13 minutes ago, Kilrah said:

KeepassXC stores in a local file, just that it's actually designed to store passwords in a safe way unlike a text file.

I'll have to look into it! TY

 

3 minutes ago, will0hlep said:

(This probably won't be a popular suggestion but...) You could always just write them down in a book.

I agree with you.  It's a great backup for your backup.  Kind of like the 3-2-1 rule.  Google Chrome for cloud, desktop for local, and printed out for "off site" i.e. not on computer.

[Kisai]

2 hours ago, Joe Bauers said:

I would like to backup the passwords I have stored in Chrome and need a safe method to do so. 

 

If I were to transport then over to a .txt doc and then zip them in a password protected folder using 7Zip, would this be a safe option incase my computer was hacked?

 

This is a bad idea because a zip file can be brute forced pretty quickly, 4 characters is in about an hour. Every additional character is exponentially longer to crack.

 

So if you're going that route, your password needs to be batteryhorsestapler proof.

 

The point I'm going to make here, is that a password manager is probably the "better" idea if you don't want it copied in transit. The encryption used by 7z and zip are pretty weak compared to what is used by present TLS 1.3 encryption. When a file doesn't need to be bruteforced over the network, and someone wants the password bad enough, sending the same 7z file to large groups of computers to try and brute force becomes trivial.

 

So... if you want to slow down the possibility of bruteforcing, the actual document itself has to be pretty damn large too. Hence the suggestion to use the password manager instead.

 

[Zodiark1593]

2 hours ago, will0hlep said:

(This probably won't be a popular suggestion but...) You could always just write them down in a book.

 

I know it has been drilled into people that they should "never write down their passwords". However, you can't hack pen and paper. Also, burglers and visitors are very unlikely to be looking through your book collection. The only real issue would be a house fire (or similar) but (for most people who don't keep backups) any file stored on your PC is just a vunerable to that.

Pen and paper is quite more vulnerable to physical access, such as a police search, for example. I wouldn’t have the password stored in plaintext anywhere. 
 

I’ve personally moved to passphrases (in conjunction with randomly generated passwords from my password manager), as they’re far more characters, and more easily remembered. 

[Needfuldoer]

1 hour ago, Zodiark1593 said:

Pen and paper is quite more vulnerable to physical access, such as a police search, for example.

At that point you're already hosed six ways from Sunday. If the police are searching your house and them getting your password is that disastrous, you were probably already doing something you really, really should not have been doing and it's far too late to turn back.

 

At least a paper password log in a secure location can't get skimmed by a bored script kiddie.

[BrandonLatzig]

29 minutes ago, Needfuldoer said:

At that point you're already hosed six ways from Sunday. If the police are searching your house and them getting your password is that disastrous, you were probably already doing something you really, really should not have been doing and it's far too late to turn back.

 

At least a paper password log in a secure location can't get skimmed by a bored script kiddie.

I have.. *a stupid question*
Is keeping the file on a usb drive any better?

[it_dont_work]

38 minutes ago, BrandonLatzig said:

I have.. *a stupid question*
Is keeping the file on a usb drive any better?

Why not just use the usb as a pass key, along with your password. 

 

 

and honestly you've got to make the security assessment yourself, is it 'unsafe' to hold it on your desktop in an encrypted file probably, but weight that against the likelihood someone is going to break it, or you're going to send it in transit over a network. 

 

If both of those are unlikely then you're probably good, but then you might need to worry about spyware/malware such as key loggers grabbing the copy paste data. 

 

 

[BrandonLatzig]

14 minutes ago, it_dont_work said:

Why not just use the usb as a pass key

i should state first that all the passwords I have are for websites that I dont think have pass keys

 

15 minutes ago, it_dont_work said:

or you're going to send it in transit over a network. 

i see no reason to ever send this file over any network

[it_dont_work]

4 minutes ago, BrandonLatzig said:

i should state first that all the passwords I have are for websites that I dont think have pass keys

 

i see no reason to ever send this file over any network

 

Just use the password manager built into your google account, works fine for that kinda stuff. 

[BrandonLatzig]

6 minutes ago, it_dont_work said:

 

Just use the password manager built into your google account, works fine for that kinda stuff. 

I really should but like
I dont trust it? idk I just...I feel safer somehow knowing its only locally avaiable

[OhioYJ]

12 hours ago, Joe Bauers said:

I'll look into Veracrypt, hopefully it's not a PITA to open and close but good idea. TY.  I presume the longer the password the harder the crack or is it pretty hardy from the start?

I'll have to look into it! TY

No it's pretty straight forward to use. It has both GUI and command line tools (so you can use it for scripting).  Veracrypt also allows you to use things like key files to make it even harder, but lose your key file, and you're done. 

 

There have been court cases where they have tried to force people to hand over Truecrypt passwords (where Veracrypt started)

 

Also keep in mind you can create hidden containers on Veracrypt, so you can essentially have a "fake" and a "real" password. 

[will0hlep]

11 hours ago, Zodiark1593 said:

Pen and paper is quite more vulnerable to physical access, such as a police search, for example.

As at @Needfuldoer points out, if the police want access to your accounts and all that stands in their way is a few passwords, you are done for however you store your passwords. For one, computers are also quite vunerable to physical access attacks. For two, if the police are searching your home, then they already have a pretty good idea of what you've been upto, cause getting a warrent requires convicing a judge of your likely wrong doing, and therefore they probably arn't far off a conviction. For three, In many countries it is illegal to not hand over your passwords to law enforcement who have a warrent, so they've got you either way.

 

And to offer a counter arguement, physical access attacks are the rarest form of attack. You are far more likely to suffer a phishing attack or have your computer comprimised by malware.

[Sauron]

13 hours ago, Kisai said:

So if you're going that route, your password needs to be batteryhorsestapler proof.

it's worth noting that a "smart" brute force algorithm will try combinations of common words before it tries guessing arbitrary character sequences

[OhioYJ]

1 hour ago, will0hlep said:

For three, In many countries it is illegal to not hand over your passwords to law enforcement who have a warrent, so they've got you either way.

 

And to offer a counter arguement, physical access attacks are the rarest form of attack. You are far more likely to suffer a phishing attack or have your computer comprimised by malware.

Here in the USA this has been tested by the courts several times, you can't be compelled to reveal passwords. Similar testifying against yourself. 

 

Also keep in mind there are "fake" passwords in Veracrypt, however if you were in one of these situations, you would still be better off revealing nothing. 

 

* I am not a lawyer, not legal advice. 

[Polderviking]

17 hours ago, Joe Bauers said:

I'm wary of password managers due to backdoors and connecting to the cloud.  I'd rather store PWs locally.  

Why would password managers have backdoors?
Security is their core business and such a thing goes directly against this purpose. And credibility.
Besides if gouvernments want your info they can just strongarm the company that has your data directly, they are not going to be using your credentials with the risk of running into things like logged login attempts that you then will be able to vet, or even stop because you've enabled multi-factor auth.

 

I get you might want to stay out of "the cloud" (even though they only store data in a non reversibele format and are thusly fine I.M.O) but keepass ("offline" solution) definately beats out having a text file in whatever context.

[Monkey Dust]

14 hours ago, Zodiark1593 said:

Pen and paper is quite more vulnerable to physical access, such as a police search, for example. I wouldn’t have the password stored in plaintext anywhere. 
 

I’ve personally moved to passphrases (in conjunction with randomly generated passwords from my password manager), as they’re far more characters, and more easily remembered. 

There is a golden rule; Don't write down your crimes. Keeping evidence of your crimes on your PC or phone also falls under this rule. The police aren't kicking your door in for piracy (unless it's actual ship boarding piracy), or if they think you have a gram, or three, of something you shouldn't.

 

Passwords that you don't want to keep in your password manager, & seeds for 2FA apps, written on paper and stashed in a small document safe, isn't a bad option for all except those running a criminal enterprise. Passphrases are good, but human memory can be a fickle thing. A backup of some form is always a good idea.

[starsmine]

18 hours ago, Joe Bauers said:

I'm wary of password managers due to backdoors and connecting to the cloud.  I'd rather store PWs locally.  

then dont connect it to the cloud.
Products like Bitwarden you dont need to store in the cloud. 

Most managers you can skip the cloud. And ones with GPL licenses can and do have their source code publicly audited. 

Apple keychain is built into the OS.

[LAwLz]

There is a lot of bad advice and misinformation about how these things work in this thread. People making incorrect assumptions about how password managers work, how zip works and so on. 

 

OP, what you suggested is fine (depending on the program you use to zip the file) but I would recommend using KeePass instead. It's a program designed specifically for what you want to do. 

Whether or not it protects you from hackers depends on how you are attacked, but both options are better than what you currently use, and there will always be pros and cons for the various solutions. 

 

Personally I use KeePass. Interpret that as you will. 

[Kisai]

On 12/27/2023 at 8:19 AM, Monkey Dust said:

There is a golden rule; Don't write down your crimes. Keeping evidence of your crimes on your PC or phone also falls under this rule. The police aren't kicking your door in for piracy (unless it's actual ship boarding piracy), or if they think you have a gram, or three, of something you shouldn't.

 

Passwords that you don't want to keep in your password manager, & seeds for 2FA apps, written on paper and stashed in a small document safe, isn't a bad option for all except those running a criminal enterprise. Passphrases are good, but human memory can be a fickle thing. A backup of some form is always a good idea.

 

Again, many of these 2FA systems have "backup codes" and unless you stick these codes in proper safe, chances those aren't any better.

 

Spoiler: 

Drop/Bump it. Try the default code, Reprogram it. Pick it. Drill it. etc

 

Even a safety deposit box at the bank won't help you, since the bank can open it.

 

To go back to the XKCD image, if someone wants the back up codes, and you saved them/printed them out, they'll just get that from you under duress.

 

Fun fact, if you lose your discord password, and the 2FA is turned on, the account is gone, they can not reset it. Most other services have a mechanism to reset it.

 

The password reset mechanism is how people get into things, sim-swapping being one strategy of intercepting 2FA tokens. 

 

Like we are presently in a situation where "a password manager" is good enough, but will not stop someone who actually wants to get into the account bad enough and has the resources to do so. The password complexity requirements of banks make people more likely to have to reset the password frequently.