From: Maaartin on 23 Apr 2010 09:26

On Apr 23, 3:09 pm, bmearns <mearn...(a)gmail.com> wrote:
> A better option, if this is the sort of service you want, is to set up a webserver for yourself, host the service on your own webserver (after inspecting the code to make sure it only does the right thing), and always make a secure connection to ensure no one can swap out their own JavaScript for yours. If you already have a webserver with a secure connection and know how to write JavaScript and server-side script, then this is a pretty reasonable option.

I agree with you, but see no reason for doing this. Using an offline password manager (like KeePass or PasswordSafe) and backing up the file (using either (s)ftp or http(s) with JavaScript) is easier and has IMHO no disadvantage. An offline password manager with a built-in backup option would be even better.

From: bmearns on 23 Apr 2010 09:53

On Apr 23, 9:26 am, Maaartin <grajc...(a)seznam.cz> wrote:
> On Apr 23, 3:09 pm, bmearns <mearn...(a)gmail.com> wrote:
>
> > A better option, if this is the sort of service you want, is to set up a webserver for yourself, host the service on your own webserver (after inspecting the code to make sure it only does the right thing), and always make a secure connection to ensure no one can swap out their own JavaScript for yours. If you already have a webserver with a secure connection and know how to write JavaScript and server-side script, then this is a pretty reasonable option.
>
> I agree with you, but see no reason for doing this. Using an offline password manager (like KeePass or PasswordSafe) and backing up the file (using either (s)ftp or http(s) with JavaScript) is easier and has IMHO no disadvantage. An offline password manager with a built-in backup option would be even better.

Well, one disadvantage is that you need to have the software with you. I presume that they are available in portable versions that can be run from a portable drive, but depending on your circumstances, this can be a significant disadvantage.

-Brian

From: Anonymous on 22 Apr 2010 00:51

Ohm <Ohm(a)no.no> wrote:
> >> Can a password manager such as one of the listed above be trusted?
> >
> > No. You need to trust the owner of the online password manager.
>
> I do not see where I should trust them, the encryption is performed on my browser before the data is sent, even if they read it, the password is still encrypted.

That's what is done over at Hushmail, yet they can still be forced by a court order to change the code in order to record your password. This has happened more than once too.

From: Ohm on 21 Apr 2010 02:12

>> Can a password manager such as one of the listed above be trusted?
>
> No. You need to trust the owner of the online password manager.

I do not see where I should trust them, the encryption is performed on my browser before the data is sent, even if they read it, the password is still encrypted.

From: bmearns on 21 Apr 2010 09:35

On Apr 21, 2:12 am, Ohm <O...(a)no.no> wrote:
> >> Can a password manager such as one of the listed above be trusted?
> >
> > No. You need to trust the owner of the online password manager.
>
> I do not see where I should trust them, the encryption is performed on my browser before the data is sent, even if they read it, the password is still encrypted.

So they claim, but it would be trivial for them to send the unencrypted password to themselves from that same script. Unless you put your browser into offline mode or carefully check the source code every time you run it, you really don't know what they're doing.

-Brian
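
The "check the source code every time you run it" condition from the last post can be mechanised by pinning a digest of each script when it is inspected and comparing later visits against the pins. This is an added example, not part of the thread; the file names `vault.js` and `extra.js`, the function names and the sample script bodies are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// SRI-style digest ("sha256-<base64>") of the exact text served.
function digest(body) {
  return "sha256-" + createHash("sha256").update(body, "utf8").digest("base64");
}

// Compare every script the page served (Map: name -> body) against the
// digests recorded when the code was last inspected (Map: name -> digest).
// Returns a list of findings; an empty list means nothing changed.
function auditScripts(served, pins) {
  const findings = [];
  for (const [name, body] of served) {
    const got = digest(body);
    if (!pins.has(name)) {
      // A script nobody inspected is as much a problem as a changed one.
      findings.push({ name, issue: "unpinned", got });
    } else if (pins.get(name) !== got) {
      findings.push({ name, issue: "changed", got, expected: pins.get(name) });
    }
  }
  for (const name of pins.keys()) {
    if (!served.has(name)) findings.push({ name, issue: "missing" });
  }
  return findings;
}

// Constructed sample: the script as inspected, and the pin taken from it.
const AUDITED = "function encryptThenUpload(pw) { /* inspected body */ }\n";
const PINS = new Map([["vault.js", digest(AUDITED)]]);

// Same text as inspected: no findings.
const clean = auditScripts(new Map([["vault.js", AUDITED]]), PINS);

// A later visit (constructed): one line appended, plus a script never inspected.
const later = auditScripts(
  new Map([
    ["vault.js", AUDITED + "// any added line changes the digest\n"],
    ["extra.js", "/* never inspected */"],
  ]),
  PINS
);

console.log(clean.length, later.map((f) => `${f.name}:${f.issue}`));
```

The comparison only means something when it is made on the scripts the browser will actually execute on that visit, which is why a one-time inspection of a hosted service does not settle the trust question raised above.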