You are here

USB password protection into Portableapps.com Platform

25 posts / 0 new
Last post
Gamepwner
Offline
Last seen: 14 years 8 months ago
Joined: 2010-03-13 22:35
USB password protection into Portableapps.com Platform

USB drives are excellent for storing data. Their small size allows them to take data on the go. USB's are small, inexpensive and can store massive amounts of files. But one of the disadvantages to USB's are the fact that they are small. They are lost or stolen easily. Data on USB's can fall into the wrong hands. Sensitive data like passwords can be lost, only to give a stranger the access to your accounts.

There are many USB protection software on the internet, but many are not useful for everyday usage. Some USB protection software available are Bitlocker, Folder lock and USB protect. Each has its own disadvantage, like requiring Admin rights or having Windows 7 Ultimate. Many USB protection software also isn't free. Many of these also require admin rights. In the case of USB protect, you need to set your password each time you are about to remove your drive.

The Portableapps.com platform allows you to have portable software, passwords saved in portable apps like Firefox or Chrome can be lost. A good idea is to have a new feature available in the Portableapps.com platform to prevent sensitive data from being lost to anyone that may come across your missing USB drive. Everyone can sleep better at night knowing that their data on their missing USB drives will not end up in another's hands.

Hope this feature will be added! Biggrin

NathanJ79
NathanJ79's picture
Offline
Last seen: 4 years 9 months ago
Joined: 2007-07-31 15:07
geek.menu

geek.menu (google it) is a fork of an old version of the PortableApps.com Platform that has TrueCrypt built in. Of course, you need admin rights to use it.

By far the simplest solution would *probably* be to zip your data folder in Firefox and put a password on it, then delete the source folder. Unpack to restore it. Since your browser profile is really the only thing that shouldn't "fall into enemy hands". So I guess ditto for any alternative browsers you may have, and perhaps your Documents folder. Not sure if 7_zip can do this, I haven't got it on my flash.

OliverK
OliverK's picture
Offline
Last seen: 3 years 5 months ago
Developer
Joined: 2007-03-27 15:21
zip isn't really that great.

zip isn't really that great. This question has had so many posts . . . . . SargentSiler suggested it once upon a time. Didn't go so well.

TrueCrpyt. I just howp you can has admin rights.

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

NathanJ79
NathanJ79's picture
Offline
Last seen: 4 years 9 months ago
Joined: 2007-07-31 15:07
Zip

Wait, what's wrong with zip?

Suppose your flash drive is lost and you've done what I say. Your Documents folder has a few docs, and a zip file with more docs. When the end user starts Firefox Portable, a new profile will be created. No harm no foul. If they go digging they will find that zip file with your real profile. But what will they be able to do?

A zip file can possibly be hacked with a brute force password cracker, but it would take time. Who's got that kind of time? And whose data is that important? In the time it would take them to crack your zip, you could have taken a Caribbean cruise and then changed relevant passwords at your leisure. Some of those archiving programs run 256-bit AES, isn't that pretty good? I thought I heard once it would take an NSA supercomputer a few weeks to crack 128-bit. That may have been an exaggeration though. Anyway the NSA won't be cracking your code, and whoever is won't be using a supercomputer. A quad-core at best.

John T. Haller
John T. Haller's picture
Online
Last seen: 24 min 46 sec ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Undelete

The problem is that there is always undelete. Unless you securely erase the files you just zipped up on the drive. But even secure erase isn't quite perfect on flash.

Sometimes, the impossible can become possible, if you're awesome!

NathanJ79
NathanJ79's picture
Offline
Last seen: 4 years 9 months ago
Joined: 2007-07-31 15:07
Oops, forgot undelete

Oh yeah, forgot about that. But I thought flash drives read/write information differently. Is undeleting/recovering deleted files really as easy as it is on hard disks?

Then I guess the best solution is to make sure you don't lose your flash drive. Or, what's this about Keepass that Darkbee posted below? I use it to store my passwords, and to copy the password to the clipboard (you should see my PortableApps.com password, it's 20-odd random characters I could never memorize. I really should have every site have such a secure password) but I don't know anything about using it to automatically log in to a site. That would be quite a trick. That, or perhaps a Firefox extension which encrypts the password files in Firefox when Firefox is closed, and decrypts them given the right password when it starts. This would be great for PortableApps users, but of course you couldn't bundle it with Firefox, nor share it with certain countries. (Silly law, like they really can't get encryption software. Easy way is proxy; worst case scenario they have someone burn them a CD.)

computerfreaker
computerfreaker's picture
Offline
Last seen: 13 years 2 months ago
Developer
Joined: 2009-08-11 11:24
I use KeePass too; all my

I use KeePass too; all my passwords are randomly generated, and long enough that 1. I can never remember them and 2. I doubt anybody but NSA could crack them without some serious delay (3 or 4 months, maybe).

You should never copy passwords to the clipboard, though; if malware is watching the clipboard, as many trojans do, you're toast. Use KeePass's auto-type instead.
1. Go to the site you want to log in at
2. Place the cursor in the "username" textbox
3. Pull up KeePass
4. Right-click the appropriate password entry in the password list
5. Click "Perform Auto-Type" from the dropdown list that appears
6. Watch as KeePass logs you in

You could also select the appropriate password from the list, then hit Ctrl+V to perform auto-type; for a keyboard guy, that can be significantly faster than using the popup menu.

If you have a website with different login demands (e.g. just a password), you can customize auto-type to do that, too. In the notes field for the password entry, type
Auto-Type:{PASSWORD}{ENTER} (note that {PASSWORD} is what you're supposed to put in there - don't put in the actual password)

You can actually do quite a lot with auto-type; I use it for IRC, too, where my auto-type sequence looks like this:
Auto-Type: /msg NickServ identify {PASSWORD}{ENTER}/clear{ENTER}

You can get more information from KeePass's help file, but this should be enough to get you started.

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
Like CF said above, often

Like CF said above, often you'll find with banks that they don't have the standard unsername/password procedure. Understandably they usually have additional steps. Setting up Keepass, you can almost create a little script that mimics these user steps. For example, my bank requires a couple of screens to log in, so I have to actually put a pause in the auto-type sequence to allow time for the second page to load.

Even then, they actually have one component that there is no way around that I know of (you have to click images to enter a PIN), so it's still somewhat of a manual process.

I have credit card site that requires me to enter in about 10 different things including Zip Code and a bunch of other stuff. Hooray for Keepass!

BTW, Keepass clears the clipboard (after a period of time) when you use it to copy/paste usernames/passwords, however watch out if you're using a clipboard manager as I frequently do because that will store the information anyway! Smile

I sort of had a chuckle at the bit about using random passwords that are impossibly long to crack, but CF is right, I've done a similar thing with some websites, so that even under torture If I were to say that I didn't know the password, I'd be telling the truth! Smile As long as you ignore the fact that I'd completely breakdown and tell my captors that everything they needed to know is in Keepass. (which I'd better know the password for!) Biggrin

Master_tarquin
Offline
Last seen: 10 years 5 months ago
Joined: 2007-09-17 11:10
R.E - I use KeePass too;

Thanks computerfreaker.
I’ve read I various things on the net recently about using public computers, and how insecure your info can be.

I’ve just read your post about keypass (and how to use its Auto type function)
I looked at the help section (with the instructions as below -in the stars-)

****Auto-Type :{PASSWORD}{ENTER} (note that {PASSWORD} is what you're supposed to put in there - don't put in the actual password****

Unless I was being incredibly dense, I wasn’t sure how to get it to work.
Then i tried the other way, the one you numbered. And with those instructions. It was so easy.

And i also read a thing about something called USB DUMP. When someone (probably a hacker) can place a bug into the Pc-from their Memory stick. which is apparently hidden from the systems administrator. So when you plug your memory stick in, the bug copies all your files. And when they get back to the Pc and plug in their memory stick they have your files.

Do portable apps do anything that can prevent this from happening? (Is Trucrypt as daunting as it seems to a non programmer like me, to figure out how to set partitions?)

Any help with these would be much appreciated. Also this request is open to everyone else.

Stop stabbing me...How many more times, do i have to say this
Im not a vampire.

ottosykora
Offline
Last seen: 5 hours 59 min ago
Joined: 2007-10-11 17:48
usb dump

well this can not be prevented other then by stopping traffic between usb device and pc. And if you do this, you can, but then your usb device is locked out.
So if you have access to your usb device, any other 'user' at that time has.
OK, one could provide ntfs formated usb device with user rights and then all will be slightly restricted, but will still work.
There can be also arrangements, when an usb device with particular id number is allowed to communicate with certain pc, but all others are not, this making it slightly more difficult for the attacker. But this has to be done at the pc side not on the portable side.

If truecrypt volume is not mounted, well the attacker will get beside other files also one big strange file full of garbage (encrypted data) which he can not make any reasonable use of except estimate that there is possibly something hiding in it.
However if the trucrypt is mounted, well then the 'on the fly' decryption is on and your windows, that means you or other person or 'virtual person' in form of a trojan or similar can read it.

so bear in mind:
windows can read it = everybody who has or had access to your pc can read it

Otto Sykora
Basel, Switzerland

OliverK
OliverK's picture
Offline
Last seen: 3 years 5 months ago
Developer
Joined: 2007-03-27 15:21
Flash drive random store data

Flash drive random store data to different places. Its called wear leveling. In a way this can make it harder, in a way, it can make it easier.

It can make it harder if well used because the data will be over written with other things. If not used alot, the data will sit somewhere else and be available for recovery. Recuvva actually works pretty well for this sort of stuff.

I believe there is a master password for firefox. But I'm not sure how it works.

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

Gamepwner
Offline
Last seen: 14 years 8 months ago
Joined: 2010-03-13 22:35
admin rights

the problem is admin rights, i would be able to use it at my house but not anywhere eles, this is a problem for me cuz i use it at school, where there's no admin rights, i cud also password protect my passwords in firefox, but still, any other files i have on my usb could still be read by anyone.

OliverK
OliverK's picture
Offline
Last seen: 3 years 5 months ago
Developer
Joined: 2007-03-27 15:21
Yup, you'll need admin

Yup, you'll need admin rights. Nope, there's no way to get around that.

The best you could do is some sort of physical access control, i.e. http://www.corsair.com/products/padlock2/default.aspx

There's another you can get at newegg that is similiar, but its like a padlock that you can add to any USB.

Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
Why is it necessary?

As long as there is a human involved somewhere in the process then it's impossible to be 100% secure.

Really, you have to ask yourself what's on your USB Disk that could be utterly disastrous if your drive were stolen? I never allow FirefoxPortable to remember my usernames/passwords to critical sites like my bank account. I've set KeePass up with auto-sequences to type those out. I have a high level of faith in the security of the Keepass database.

For me personally, I can't quite understand why people are so paranoid about having stuff stolen from them. Do you work for the Secret Services? If so, I would hope they would have this all figured out.

Have you got the world energy crisis all figured out on your USB drive and are just waiting for the right time to swoop in, save the Earth and make millions on the process? Are your plans for world domination sitting on your Flash drive?

Even in this case securely localized files would surely be adequate (with something like Toucan). Sure, it's a pain in the butt to work with but if your files are that sensitive then surely the price is worth it. Who cares what Facebook apps you play. I don't.

My guess is, if some Joe Blow happened to steal your Flash drive, first thing he'd do is check for pr0n or MP3s, and then just format it.

I'm off to take some happy pills and post my bank account details on Twitter. DarkBee out.

ottosykora
Offline
Last seen: 5 hours 59 min ago
Joined: 2007-10-11 17:48
there are enough examples

let take simple keypair for encryption /signing , either 509 or pgp. For reasonable useage, you need to have the keypair on your stick if you want use it portably. So you have your private keyring simply avaiable on the stick, if lost you have to make revocation of it and then get new key. Not big problem, but it is one, for key pair of the 509 system, you might pay lot, set all possible services to understand the new key etc. OK, if the passphraze is strong, it might be more complex to make some use of the key, but still, not nice situation.

Normal data files might be protected by some ziping softwarre, they use strong algos today, so this might be helpful. It is however not so convenient, each time when you receive encrypted mail, and want answer it, first go and dig the keys out of some zip file, copy them to propper location, do your mail, then remove all the files again...

Therefore only hardware solutions are reasonable. I have one, but even this is somehow strange, just to put the password to the stick, one needs admin rights... which is BS for sure, there are better ways of doing it.

Otto Sykora
Basel, Switzerland

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
Doesn't really answer the question

I agree, losing a PGP key would be terribly inconvenient, but the question still stands... what are you emailing that you need to encrypt that badly? I think you're talking about the exception here rather than the rule. Most everyday, regular users don't even know what PGP is nevermind use it. I can't even imagine trying set my dad up with PGP, that is just asking for trouble (for me!).

I would still argue strongly encryption isn't even needed for the most part. Look how easily we hand out our credit card, at a restaurant for example where they take the credit away. They could be cracking it, hacking it, tagging it, ripping it for all we know. Why is our digital data so special, so precious?

I definitely agree that a hardware solution is more convenient, but I question whether "we" (meaning most average users) need a solution at all. How paranoid do we have to get? I think people watch too many spy movies on TV. Common sense is your best friend in keeping your data safe (and also the most convenience and cheapest solution).

ottosykora
Offline
Last seen: 5 hours 59 min ago
Joined: 2007-10-11 17:48
you are right Darkbee

but all this is just kind of philosophy behind all those things.
I work for company producing security hardware and software for banks and big companies. With previous manager we had all pgp keys and were bound to use it for all communication, but the next manager could not find out how it works so canceled the policy and nothing happened we still do the same job as before.

Many people are however still very surprised, when I take sniffer , wireshark will do, and show them that I can read all their e-mails including the password for the account in plain ascii chars on my screen, can copy, save and do with it what I want.

I use pgp/gpg encryption for all communication with some friends, thought nothing special is transmitted. Just for training, so we keep knowing how it works.
And when I have fun on my mind, at the and of the encrypted message I add a plain text list of about 500-800 so called 'trap words' like BinLaden, WTC, scud, plutonium,...and at the and I add :
nice greetings to domestic surveillance

This might trigger the filters number of times at some special servers and some people will be busy for some time...we pay tax for that don't we?

For other communication, like with some gov offices, I need to make digital signature. For that reason one needs also key pair, this time the 509 cert system. So the thunderbird I am using this way I have in encrypted portion of the stick.
So it is not about encryption only, but digital sigs too and those are much more common today.

And since the problem of loosing usb stick is given, in Switzerland we can get new 509 qualified certificate keys only on a special hardware stick which is made so that it not possible to copy the private key out of the stick at all, it can be used, but not exported.

Otto Sykora
Basel, Switzerland

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
Message received and understood.

Hahaha! Biggrin Good one Otto. Smile I think I might throw in a few 'trap words' in my emails tomorrow at work! Biggrin On second thoughts, I work in the great US of A so perhaps not, lest my office door gets busted down and I get taken away in hand-cuffs. Smile

I appreciate your intellectual, yet humorous commentary!

tgrantt
tgrantt's picture
Offline
Last seen: 3 years 10 months ago
Joined: 2007-02-26 12:43
To go more off topic...

I use a tag line on a BB with some "trap words" (I like that, Otto) followed by "the NSA is going to love me." On a totally unrelated note, the small town where I work had high-res satellite images on Google Maps looong before any of the surrounding (much larger) towns. Maybe the fact that I'm in Canada, and only an hour from the US border had something to do with this... Smile

Seriously, if many (many) people did this, would the false positives overload the system? (I know that that the algorithms are more complicated than I've indicated, I'm just simplifying)

I am not my signature.

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
:D

Blame Canada! :evil:

d_byrnes
Offline
Last seen: 14 years 1 week ago
Joined: 2009-03-07 21:19
Maybe to bring this back onto the topic...

There ARE apps that come with flash memory devices that DO provide password protection. I´ve seen it with external USB "hard drives", and my Sandisk S3 drive also has this capability included in their launcher. And while a true geek could probably get through the encryption, it´s more than sufficient for most users. If I lose my drive, when someone plugs it in, it asks for a password. If they can´t provide it, they have to click as to that, and the drive gets erased, and they can use it. Not a perfect solution, but at least they won´t be reading my email and documents

Jimbo
Offline
Last seen: 4 years 10 months ago
Joined: 2007-12-17 05:43
Misleading

You say "there ARE apps that come with flash memory devices that DO provide password protection"

It would be clearer to say that "there ARE flash memory devices that DO provide password protection, which come with an app to enter the password"

In other words, the encryption is a feature which is fundamental to the drive itself and all that the app does is send the password to the controller chip inside it so that it can decrypt the contents for you.

Nobody here is saying that hardware encryption cannot be done, only that it is not possible to write a software only application which can encrypt a drive on the fly, working as a mounted drive, without administrator rights.

It is fundamental to Windows that adding a drive letter can only be done by an administrator. Hardware drivers operate at this level, so can do it. Applications run as normal users cannot. The drives that you mention actually do the encryption bit on the drive itself, so all that windows ever sees is a normal flash drive, effectively.

Aciago
Aciago's picture
Offline
Last seen: 1 year 1 month ago
Joined: 2007-01-24 14:23
Darkbee

With all respect I think you are thinking very "domestic", this is Internet, please think a little bit more global... there are countries where you can go to jail just for saying that your president is ugly... which, I think we all agree, is not a matter of national security, so some people might want to have the sentence "the president is ugly" under a secure environment to prevent "unconfortable situations" that in other places should not be scandalous.

I know of some people that share the "portable & secure applications" knowledge to prevent this kind of stuff to happen to them in some places that speak Spanish and can't access ironkeys or anything else at hardware level.

I don't want to be more specific on a public site, sorry... I'm not in one of those countries (now) but it's better to prevent...

If a packet hits a pocket on a socket on a port,
and the bus is interrupted as a very last resort,
and the address of the memory makes your floppy disk abort,
then the socket packet pocket has an error to report Biggrin

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
Why Risk It at All?

Then why risk it at all? It doesn't make sense to me that you'd endanger your life simply for the sake of "sticking it to the ugly president". I understand that people want to be able to have opinions, and have freedom of expression (something I am very fortunate to be able to do in the United States), but if your life is on the line then surely it's better to keep your thoughts to yourself than risk persecution by writing them down somewhere. You don't need any security measures to keep your thoughts private... yet.

I take a very broad view on security and I do question whether half the people here that say they need US, Central Intelligence Agency equivalent level of security and protection, really do. Yes, I am certain that there are extreme cases where that might be necessary, but for most common cases I am convinced it isn't. As a simple example, you could be a journalist reporting from a foreign country where there exists some oppressive regime. However, you are the exception, not the rule. This is an unusual case where extreme security might be justified and warranted but this is not the every-day scenario for the majority of portable apps users (AFAIK).

I'm not making light of anyone's situations or circumstances and I'm certainly not naive enough to think that we all share the same freedoms and liberties around the world. However if you want to risk going to jail just for saying the "president is ugly" then that is your responsibility, not mine. In that situation, you'd better do your homework, and some hobbyist site with casual, "average" users is not the place for such "homework". If you were going to be a Spy then would you train with the Boy Scouts?

computerfreaker
computerfreaker's picture
Offline
Last seen: 13 years 2 months ago
Developer
Joined: 2009-08-11 11:24
SafeHouse Explorer

According to http://www.techsupportalert.com/best-free-file-encryption-utility.htm, SafeHouse Explorer can do file encryption without needing admin rights. Gizmokid2005 and I tested this, and it seems to work as advertised. There is one big caveat, though. It will only encrypt pre-existing files, and won't let you actually create files in the program's interface. This means a potential security breach, since somebody could use a program like Recuva to get the unencrypted files back; while SafeHouse Explorer includes a secure-deletion tool to work around this, you need to invoke it manually.

"The question I would like to know, is the Ultimate Question of Life, the Universe and Everything. All we know about it is that the Answer is Forty-two, which is a little aggravating."

Log in or register to post comments