0

What is the best way of storing my passwords? Which storage is considered the safest one? How safe/unsafe is to store passwords in the local MySQL database?

Kamran Poladov
  • 103
  • 3

1 Answers1

5

There's a bunch of details missing from your question, but I'll take a shot at answering. Let's break down your question:

I'm thinking about storing random 16 characters passwords from my accounts

Depends how you are generating these 16 character passwords. Are they truly random? In particular, what are you using as your source of randomness? How will you deal with the fact that different sites support different character sets in passwords?

in the local mysql database.

How secure is your database? Security is typically measured as Confidentiality, Integrity, Availability. - Confidentiality: is your local mysql database encrypted? Is the device it's on encrypted? How strong are the passwords protecting it? - Integrity: doesn't really apply here. - Availability: Do you have backups of this database somewhere? ie if the machine it's on dies, will you be in trouble to reset all your accounts?

Is it good idea or I better store them with the help of Google smart locks?

Your question is really "Should I invent my own password manager, or use a real one?". With security, it's always dangerous to invent your own because there are a lot of small things that you have to get right. There are a number of excellent password managers out there, I suggest you just use one of them:

  • Google smart lock (ie the password manager built-in to Chrome and Android). -- It's good on Availability because it's backed up in the Google cloud. Not as good as others on Confidentiality because once I'm in to your laptop, I have all your passwords. It also requires you to be using Chrome or Android, so it would prevent you from, say moving to Firefox.

Then there are dedicated password managers:

  • password safe -- I've never heard of it, but it comes with @symcbean's recommendation.
  • Lastpass -- Passwords are backed up on Lastpass' servers. Good for Availability, but requires you to trust them. Better for Confidentiality because your password database has a global password on it with lots of security options you can enable
  • Keepass -- A local app that you run on your device (supports all common mobile and desktop OSes). This one is probably the best for confidentiality because it saves to an encrypted local file (ie does not get stored on any cloud server), but not so great for Availability because you need to figure out your own backup system. That said, the android client knows how to sync with GoogleDrive, Dropbox, and ftp server and many more.

Bottom line, I'm glad you're thinking about the security of your passwords, but please use one of the many well-built solutions rather than inventing your own!

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • lastpass claims you don't need to trust them because encryption is done before it gets to thier servers. – dandavis Aug 23 '18 at 02:59
  • 6
    @dandavis: so you do not need to trust them, provided you trust what they claim... – Serge Ballesta Aug 23 '18 at 09:13
  • @SergeBallesta no, unlike what happens on their servers, we can verify what's sent to them w/wireshark. – dandavis Aug 23 '18 at 14:43
  • 1
    But are you really always going to check with wireshark every single time you unlock your vault? Anyway if you check with wireshark and see unecrypted or merely obscured data (assuming you could tell the difference between obscured and encrypted), it's already too late. You *do* need to trust your client app, which in the case of an auto-updated browser extension, also means trusting whomever owns the update site and holds the signing key. – Ben Aug 23 '18 at 19:41
  • In addition, I would expect the network chatter of the lastpass app to be hard to wireshark; assuming you can MitM their TLS connection, how do you know that the encrypted blob you're seeing is encrypted with your password and not a key that the server also has? @dandavis Is your comment hypothetical, or do you have experience wiresharking lastpass? – Mike Ounsworth Aug 23 '18 at 21:31
  • My comment was mostly about not needing to trust lastpass servers for security since it uses E2E and you can examine the source code/IO yourself. in short, since we can verify, we need less trust. – dandavis Aug 23 '18 at 21:45
  • @dandavis But is that true? Can I actually verify that it's doing the kind of E2E encryption that prevents LastPass employees from seeing my passwords? For example, does LastPass opensource the code for their server and all their clients, or are you relying on what they say? – Mike Ounsworth Aug 23 '18 at 21:51
  • @MikeOunsworth: server code isn't germane, and you can dig through any extension's source. – dandavis Aug 23 '18 at 21:52
  • @dandavis Cool. Where do I find it? Their GitHub `https://github.com/lastpass?tab=repositories` has APIs to integrate with their server, but I don't see the source for browser extensions or Android / iOS apps. To be clear, I have no reason to _distrust_ LastPass, but I wasn't aware that there was any way to independently verify their code. – Mike Ounsworth Aug 23 '18 at 21:58
  • 1
    look on your hard drive, ex: `C:\Users\usernamehere\AppData\Local\Google\Chrome\User Data\Default\Extensions\somelongalphanumericsequence\4.17.0.4_0` to find the root folder of the webapp with all the lastpass code and assets. there's a lot to digest, but it's all there; gotta love JS. – dandavis Aug 23 '18 at 22:12
  • @dandavis Neat! That is infact all javascript sitting on my hard drive. (too much for me, a non-js person to easily navigate and find the crypto and network bits, but neat to know that it's possible) #TIL – Mike Ounsworth Aug 23 '18 at 22:33