Just continuing to think (or maybe not think ;-) about password managers / password security, changing the focus slightly (I think) but keeping the same thread.
I'm now thinking about the security (or vulnurability) of passwords during "normal" usage--I mean, I'm thinking about the times when a password, even though stored in a very secure manner (in a password manager or encrypted file(s) of some sort), the password is viewable in plain text, and thus, to a greater or lesser degree, vulnurable. The first two situations that come to mind include: * during copy and paste operations, the plaintext password could remain on the C&P "stack". thus making it vulnurable: Some notes: (1) I've read about at least one password manager that, somehow, deletes the plaintext password from the copy and paste "stack" after a time delay--I didn't make a note of which one that was. (2) another approach could be that a password manager provides a facility to write the password to a designated textbox without using the copy and paste facility, thus, presumably, never putting the plaintext password on the copy and paste "stack"). * during hibernation (or maybe suspend and resume): (I use neither at the present time, but, one stores the machine's state (including RAM) to disk, the other stores the (CPU) state to RAM while preserving the other contents of RAM.) Hibernation could result in the plaintext of passwords being stored on disk while the power is off, making the plaintext passwords vulnurable if the machine is stolen. My current approach to passwords includes storing them in an encrypted file which is only ever decrypted to a RAMdisk, with the idea / intention that, if power is lost, or the machine is shutdown, the plaintext passwords would disappear from RAM (except to the extent that (iiuc) there are (NSA) ways to recover the contents of RAM if power is restored to the machine fairly quickly). My assumption, without considering hibernation. was that the only remaining copy of the passwords would be in the encrypted files. Maybe my concern about these situations is unrealistic, but I want to consider it, so all comments are welcome. BTW, I can see that the Master Password approach might be the solution for most of the problem, unless I (or it) uses copy and paste to put passwords in a textbox. On Friday, March 30, 2018 09:44:18 PM Andrew McGlashan wrote: