
Saving passwords in a txt doc inside 7 Zip? (bad idea?)

Joe Bauers
Solved by Kisai
2 hours ago, Joe Bauers said:

I would like to backup the passwords I have stored in Chrome and need a safe method to do so. 

 

If I were to transport them over to a .txt doc and then zip them in a password-protected folder using 7Zip, would this be a safe option in case my computer was hacked?

 

This is a bad idea because a zip file can be brute-forced pretty quickly; 4 characters takes about an hour. Every additional character is exponentially longer to crack.

 

So if you're going that route, your password needs to be batteryhorsestapler proof.

[image attachment: password_strength.png]

 

The point I'm going to make here is that a password manager is probably the "better" idea if you don't want it copied in transit. The encryption used by 7z and zip is pretty weak compared to what is used by present TLS 1.3 encryption. When a file doesn't need to be brute-forced over the network, and someone wants the password bad enough, sending the same 7z file to large groups of computers to try and brute-force becomes trivial.

 

So... if you want to slow down the possibility of brute-forcing, the actual document itself has to be pretty damn large too. Hence the suggestion to use the password manager instead.

 

7 hours ago, Kisai said:

[image attachment: security.png]

 

Again, many of these 2FA systems have "backup codes" and unless you stick these codes in a proper safe, chances are those aren't any better.

 

Spoiler: 

Drop/bump it, try the default code, reprogram it, pick it, drill it, etc.

 

Even a safety deposit box at the bank won't help you, since the bank can open it.

 

To go back to the XKCD image, if someone wants the backup codes, and you saved them/printed them out, they'll just get that from you under duress.

 

Fun fact: if you lose your Discord password and 2FA is turned on, the account is gone; they cannot reset it. Most other services have a mechanism to reset it.

 

The password reset mechanism is how people get into things, SIM-swapping being one strategy of intercepting 2FA tokens.

 

Like we are presently in a situation where "a password manager" is good enough, but will not stop someone who actually wants to get into the account bad enough and has the resources to do so. The password complexity requirements of banks make people more likely to have to reset the password frequently.

 

 

One of the best defences is not broadcasting that you have something worth stealing, particularly if you are into crypto. If you've found yourself in a situation where you are being threatened with serious injury, or death, no approach to cybersecurity is going to help you.

 

Agreed that a password manager covers almost all needs. But in the event of a big breach of the service, LastPass-style, you could lose everything. Probably a good idea not to put everything in there. Obviously, if you are being targeted specifically, it's probably not going to save you. But you are very unlikely to get individually targeted. The far more common risk is having usernames and passwords leaked in a big data breach, and using precautions, such as 2FA, can limit damage. You don't need to be impenetrable in the event of a data breach, just more secure than most of the other victims of the leak.


Then just save in whatever file format you want and simply use encryption on that file.


One problem with the "text file in encrypted archive" approach is that you have to store it decrypted to consult/edit it, and it's tremendously easy to leave a copy around by mistake.


On 12/26/2023 at 4:14 PM, Joe Bauers said:

I would like to backup the passwords I have stored in Chrome and need a safe method to do so. 

 

If I were to transport them over to a .txt doc and then zip them in a password-protected folder using 7Zip, would this be a safe option in case my computer was hacked?

 

My worry is that someone can access my desktop in an attack, get my password folder and crack the encryption of 7Zip. Is 7Zip good enough, or is there a more hardened method to encrypt passwords in a desktop folder?

 

Is this strategy any good? What do you recommend?

While more secure than, say, a plain text file... it isn't hard to take these zips and crack them offline.

 

If they know a little about you then they can toss some lines into a rainbow table and likely get the password relatively quickly.

 

I mean, yes, with a really good password and luck on your side, then in theory it would take them long enough to crack that it wouldn't be reasonable... that said, new methods for cracking passwords, hashes, etc. come out all the time.

 

So, is it better than no encryption? Yes. Is it a better option than a dedicated password vault (even some free ones)? Not really.


10 hours ago, AngryBeaver said:

While more secure than, say, a plain text file... it isn't hard to take these zips and crack them offline.

I disagree, if you do it somewhat decently. But I guess that is kind of what you mean by "really good password", but I promise you I don't need any luck.

 

 

If someone is doubting the security of encrypted zip files, I have attached a little challenge to this post.

 

 

Just to be clear, I agree with you that a password manager is better than keeping it in an encrypted zip file. That's not really because the zip files aren't secure, but more about usability and features.

LAwLzs-LTT-Password.zip


1 hour ago, LAwLz said:

I disagree, if you do it somewhat decently. But I guess that is kind of what you mean by "really good password", but I promise you I don't need any luck.

 

 

If someone is doubting the security of encrypted zip files, I have attached a little challenge to this post.

 

 

Just to be clear, I agree with you that a password manager is better than keeping it in an encrypted zip file. That's not really because the zip files aren't secure, but more about usability and features.

LAwLzs-LTT-Password.zip 304 B · 2 downloads

It is going to come down to time investment and whether the reward is worth it. I am sure by your confidence you have a nice complex password that is likely avoiding most of the words in a rainbow table.

The point is a lot don't. They use some 8-10 character password and think that is good enough. The tools for cracking passwords are getting better; the tables and algorithms are improving. We have generative AI now, which can also take password cracking to the next level. Then you have to look at the software doing the encrypting and consider the likelihood of a vulnerability existing in said software.

Will that file keep your information safe from people in your household? Most likely. It will, however, only be a partial deterrent to someone set on cracking it. You can rent out a GPU cracking farm that is capable of guessing an insane amount of passwords per second.

Now don't get me wrong. Password vaults aren't perfect; we see them breached from time to time too. Also, depending on setup, they are a little more secure in the sense that if your PC crashes you don't lose all your passwords in that now-inaccessible file.
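To put numbers on the two claims above (Kisai's "every additional character is exponentially longer to crack" and AngryBeaver's rented GPU farm), here is a small added estimator, not code from this thread; it models the archive password purely as a keyspace, and the guess rates are constructed assumptions for illustration, not measurements of any real cracker or of 7-Zip's key derivation.

```python
import math

# Constructed guess rates (guesses/second). These are assumptions for the
# back-of-envelope estimate only; real throughput depends on the archive
# format's key derivation and the hardware rented.
RATES = {"single laptop CPU": 1e4, "rented GPU farm": 1e9}

CHARSETS = {"digits": 10, "lowercase": 26,
            "mixed case + digits": 62, "printable ASCII": 95}

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length

def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Keyspace of a random passphrase (XKCD style), e.g. 4 words from 7776."""
    return wordlist_size ** words

def entropy_bits(space: int) -> float:
    """Bits of entropy for a uniformly random choice from `space`."""
    return math.log2(space)

def expected_crack_seconds(space: int, rate: float) -> float:
    """An exhaustive search finds the password after half the space on average."""
    return space / 2 / rate

def extra_char_factor(charset_size: int, length: int) -> int:
    """How much one more character multiplies the search time (= alphabet size)."""
    return keyspace(charset_size, length + 1) // keyspace(charset_size, length)

def human(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def table(lengths=range(4, 13)) -> list[tuple[str, int, float, dict]]:
    """Rows of (charset, length, bits, {rate name: expected seconds})."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            space = keyspace(size, n)
            rows.append((name, n, entropy_bits(space),
                         {r: expected_crack_seconds(space, g) for r, g in RATES.items()}))
    return rows

if __name__ == "__main__":
    for name, n, bits, times in table():
        print(f"{name:20} len {n:2} {bits:5.1f} bits  " +
              "  ".join(f"{r}: {human(t)}" for r, t in times.items()))
    pp = passphrase_keyspace(7776, 4)
    print(f"4-word passphrase: {entropy_bits(pp):.1f} bits, "
          f"GPU farm: {human(expected_crack_seconds(pp, RATES['rented GPU farm']))}")
```

Running it shows why length dominates: an 8-character mixed-case-plus-digit password falls to the assumed GPU farm in about a day, while each added character multiplies that by 62.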
