9

I'm a big-time user of cloud-based password managing services like LastPass.

But in the light of recent revelations like various government backdoors in popular sites, programs like PRISM, etc., I'm beginning to wonder if services like LastPass can be trusted.

To be more specific, how do we know what happens in the backend of such services and can we really trust what they claim about security?

irenicus09
  • I wouldn't trust they aren't giving it to some third parties for a second. Don't be a fool. http://www.bbc.co.uk/news/world-us-canada-22836378 – john-jones Jun 11 '13 at 08:01

3 Answers

11

You'll never be able to know. You can, however, exercise reasoning and logical judgement based on:

  • The company's ToS.
  • The company's track record.
  • Your trust of the company providing that service.
  • The importance/value of the data handled by that service.

Regarding password management; call me a little paranoid, but I really never trust any cloud service with my passwords. I like using KeePass with Dropbox, because I know that KeePass is open source (less likelihood of monkey business there) and my trust in Dropbox is irrelevant (they only see an encrypted file).

Adi
  • 2
    +1 I also like to use KeePass with Dropbox, works like a charm. – 1615903 Jun 11 '13 at 08:12
  • 1
    Thanks for the idea, I'm planning to do the same with KeePass + Dropbox + TrueCrypt (Encryption). Btw, any ideas on the best way to start migrating from LastPass to KeePass? – irenicus09 Jun 11 '13 at 09:30
  • 2
    @irenicus09 Check [this tutorial](http://www.guidingtech.com/11787/transfer-passwords-lastpass-to-keepass-right-way/) on how to do that. – Adi Jun 11 '13 at 09:49
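
What a sync provider can learn from a KeePass 2.x database without the master key, as an added example that is not part of the original answers: it reads only the unencrypted outer header of a KDBX file. The function names and the sample file are constructed here for illustration.

```python
import struct
import uuid

KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")  # KDBX 2.x file signature
CIPHERS = {  # cipher UUIDs used in the KDBX outer header
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}
FIELD_END, FIELD_CIPHER, FIELD_ROUNDS = 0, 2, 6


def inspect_kdbx(blob: bytes) -> dict:
    """Return what anyone holding the file can read without the master key."""
    if len(blob) < 12 or blob[:8] != KDBX_MAGIC:
        raise ValueError("not a KDBX 2.x database")
    minor, major = struct.unpack_from("<HH", blob, 8)
    len_fmt = "<I" if major >= 4 else "<H"  # KDBX 4 uses 4-byte field lengths
    info = {"version": f"{major}.{minor}", "cipher": None, "rounds": None}
    pos = 12
    try:
        while True:
            field_id = blob[pos]
            (size,) = struct.unpack_from(len_fmt, blob, pos + 1)
            pos += 1 + struct.calcsize(len_fmt)
            data = blob[pos:pos + size]
            if len(data) != size:
                raise ValueError("truncated header field")
            pos += size
            if field_id == FIELD_END:
                break
            if field_id == FIELD_CIPHER:
                info["cipher"] = CIPHERS.get(uuid.UUID(bytes=data), "unknown")
            elif field_id == FIELD_ROUNDS and major < 4:  # AES-KDF rounds (KDBX 3)
                info["rounds"] = struct.unpack("<Q", data)[0]
    except (IndexError, struct.error):
        raise ValueError("truncated header") from None
    info["ciphertext_bytes"] = len(blob) - pos  # opaque without the key
    return info


def field(fid: int, data: bytes) -> bytes:
    """Build one KDBX 3.x header field: id, 2-byte length, data."""
    return bytes([fid]) + struct.pack("<H", len(data)) + data


# Constructed sample: KDBX 3.1 header followed by 64 bytes standing in for the payload.
SAMPLE = (KDBX_MAGIC + struct.pack("<HH", 1, 3)
          + field(FIELD_CIPHER, bytes.fromhex("31c1f2e6bf714350be5805216afc5aff"))
          + field(FIELD_ROUNDS, struct.pack("<Q", 6000))
          + field(FIELD_END, b"\r\n\r\n") + bytes(64))

if __name__ == "__main__":
    print(inspect_kdbx(SAMPLE))
```

The cipher and key-derivation parameters are stored unencrypted by design; the entries themselves sit in the encrypted payload that follows the header.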
6

No, but you can still use them relatively securely. Specifically, if and only if the data is encrypted with a known, non-broken algorithm on the client side. In that case their only recourse to get to your passwords is to decrypt the files by whatever means. That said, I wouldn't use such services until any of them actually do that and have a very long unbroken track record.

A related issue is that if a vulnerability in the algorithm is found, you effectively have to change all of your passwords since you can assume that anyone with access to the service's files has been able to decrypt them. And even if you re-encrypt, you have effectively revealed what you use your passwords for. That means a bigger attack surface since the attacker can now target the third party services rather than your encrypted file. Then you can only hope that the third party services have implemented good security.

l0b0
2

Like l0b0 and Adnan said, you cannot trust them 100%. You don't know what flaws they have and try to hide.

I also use KeePass, but I keep my database with me all the time on my USB stick.

John The Ripper