Copy and Pasting Passwords from Microsoft Word (apostrophe issue)

Topics: Technical Issues, Users Discussion
Feb 23, 2016 at 9:47 PM
Hello,

Since a secure password is hard to remember I've gotten myself in the habit of storing passwords in a Microsoft Word document. The document itself is protected with a less secure password. Typically, I'll copy and paste a password from Word to the required field. Recently, I've been playing around with VeraCrypt and feel I may have come upon a fundamental issue using this technique.

It seems that the apostrophe in Microsoft Word isn't the same as the apostrophe one would type using a keyboard.

Here is the Microsoft Word apostrophe ’
Here is an apostrophe typed using my keyboard (into Notepad++) '

I've created a long password that uses an apostrophe for the container file created by VeraCrypt. I'm able to open the encrypted container - but for the moment I MUST copy the apostrophe from Word to reproduce the correct character.

So, it seems that I originally created (typed) the password in Word and then copied that into the VeraCrypt field at the moment when creating the container password. Not good. I should have copied from the VeraCrypt field into Word - if I wanted to store the password in Word.

Live and learn!
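
The mismatch described in the post above, as an added example that is not part of the original thread: Word's "apostrophe" is U+2019, the keyboard one is U+0027, so the two passwords are different byte strings and yield different keys. The function names and substitution table are hypothetical, the passwords are constructed, and the PBKDF2 call is a stand-in that assumes the password is UTF-8 encoded before key derivation.

```python
import hashlib
import unicodedata

# Typographic characters that Word's AutoFormat substitutes for keyboard input.
# Illustrative table assembled for this example, not an exhaustive list.
WORD_SUBSTITUTIONS = {
    "\u2018": "'",    # left single quotation mark
    "\u2019": "'",    # right single quotation mark (Word's "apostrophe")
    "\u201c": '"',    # left double quotation mark
    "\u201d": '"',    # right double quotation mark
    "\u2013": "-",    # en dash
    "\u2026": "...",  # horizontal ellipsis
    "\u00a0": " ",    # no-break space
}

def find_typographic_chars(password):
    """List (index, code point, Unicode name, keyboard equivalent) per hit."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch), WORD_SUBSTITUTIONS[ch])
        for i, ch in enumerate(password)
        if ch in WORD_SUBSTITUTIONS
    ]

def to_keyboard(password):
    """Replace each typographic character with what the keyboard produces.

    Unicode normalization is not enough: NFKC leaves U+2019 unchanged.
    """
    return "".join(WORD_SUBSTITUTIONS.get(ch, ch) for ch in password)

def derive_key(password, salt, iterations=1000):
    """Stand-in KDF over the UTF-8 bytes (parameters are not VeraCrypt's)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)

if __name__ == "__main__":
    # Constructed sample passwords, differing only in the apostrophe.
    typed = "correct horse's battery"
    pasted = "correct horse\u2019s battery"
    salt = b"constructed-salt"
    for label, pw in (("typed", typed), ("pasted from Word", pasted)):
        print(label, pw.encode("utf-8").hex(), find_typographic_chars(pw))
        print("  key:", derive_key(pw, salt).hex()[:16])
    print("same key after mapping back:",
          derive_key(to_keyboard(pasted), salt) == derive_key(typed, salt))
```

Running `find_typographic_chars` on a stored password before using it to create a volume shows whether it can be retyped from a keyboard at all.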
Feb 24, 2016 at 5:48 AM
From a security point of view, it is much better to use your weak password directly with VC instead of doing the mumbo jumbo with MS Word ... believe me, you are compromising the whole idea of encryption.
Feb 24, 2016 at 6:06 AM
The scenario is if the laptop gets stolen. But, yeah, I wouldn't trust the encryption of my 2003 copy of Microsoft Word very much.
Feb 24, 2016 at 6:41 AM
Saving passwords in an MS Word file is a really bad idea, to my mind. But saving (and generating) them using decent password manager software is good practice.

My rough guess is an average person has to deal with about 50 passwords for all kinds of websites, accounts, webmail, IM, logon accounts, PGP/GPG encryption key(s) and yes, data encryption software like VeraCrypt. No one can memorize ~50 unique random 16-24-symbol passwords (or the same number of DiceWare passphrases). And change them at least once or twice a year! Either you use password manager software (well, you have the option of a hardware password-managing device too) or you'll end up using weak, non-unique (repeating across different purposes) passwords which do undermine the whole idea of encryption.

You also have an option of using a two-factor authentication instrument like Yubikey. I believe it really adds scores to your security policy. The key advantage here is that it can authenticate not with a static password or keyfile (which can be keylogged, captured and replayed) but with challenge-response algorithms that generate different input on each iteration. Unfortunately it's not yet implemented in VeraCrypt (and other FDE and container files encryption software I know). But Yubikey can also be set up to generate long (>32 symbols) static passwords too. So for your VC you can type in a short password you can memorize and then add a string automatically generated by the key. Together they will give you a sort of two-factor authentication, which I believe is the best option available at the moment.

However, I think it's better to allow a user to decide whether she/he wants to copy-paste a password into VC or type it in. It should at least be available as an option which can be turned on or off in the application preferences.
Feb 24, 2016 at 7:06 AM
mantr wrote:
The scenario is if the laptop gets stolen. But, yeah, I wouldn't trust the encryption of my 2003 copy of Microsoft Word very much.
It's not the encryption of Office 2003 that should concern you. If you do it right, you can opt to encrypt the Word file with RC4, which is not that bad... however, Word is creating temp files in plaintext. I bet my 5 bucks that you have your VC password in plaintext saved on your HD right now, in more than one place :)
Feb 24, 2016 at 4:45 PM
Edited Feb 24, 2016 at 7:09 PM
Alex512 - Wow. I started using Word 2000 back in the year 2000 to save passwords - and have continued to follow this procedure into the present. Typically, I have one Word doc for each password. I have these Word documents on three computers and a NAS drive. Here's my IP address ... =D Seriously though, everything from my mortgage, stocks, insurance, business, bank accounts and even bills are sitting in password-protected Word files.

I'd like to see these plain text temp files. Where do you suppose they would be placed on a Windows 7 Machine?
Feb 24, 2016 at 5:18 PM
_owl - Yes, I'm definitely in the average user category with dozens and dozens of passwords. 20 years ago I'd rubber stamp passwords for convenience - but over time realized that it's safer to use different passwords for each site. So, that eventually led to the use of password-protected Word documents to store passwords. From there it became convenient to copy & paste credentials. It started a long time ago and now that has become legacy. For the moment I employed VeraCrypt to encrypt these Word document files along with years' worth of jpg scans of bills and other personal documents which aren't password protected at all. =P

I'm definitely open to using a better technology to strike a practical & modern balance between convenience & security - favoring security. Although - I'm never planning for the NSA to spend millions decrypting my hard drives LOL.

I would like my old laptop encrypted. A few years ago my house got broken into - I feel that a laptop would be an attractive score for a would-be thief and for that scenario I would definitely want the hard drive of my old laptop encrypted (already done BTW). Also, because this is my old laptop it is more likely to be left out in the open when I leave the house and therefore at higher risk of being stolen. I believe my new laptop (an Apple laptop) is already encrypted - but I'll have to look into that as well.

So, thanks for dropping a few new ideas my way (password manager software or possibly hardware). I'm actually not familiar with any of that stuff - yet.
Feb 24, 2016 at 6:51 PM
Hi mantr,
you are describing exactly my situation from 20 years ago...!
As to a password manager, I can recommend: https://pwsafe.org/
Feb 26, 2016 at 12:02 PM
Hello mantr,

You are welcome. I suggest you might take a look at KeePassX password managing software (www.keepassx.org). It's open source and you can use it across your platforms - Win, Mac, Linux and actually iOS too (with MiniKeepass App). I'm not sure about Android. PasswordSafe is a credible option too.

BTW, your Apple laptop is not encrypted by factory default. You need to explicitly enable FileVault2 full-disk encryption, System Prefs->Security&Privacy->FileVault. It's a must, I'd suggest.

Cheers!