With products such as LastPass that store encrypted passwords on remote servers, what are the associated risks that aren't applicable to locally stored and encrypted passwords? If something is encrypted well enough, it's unlikely anyone would be able to break the encryption no matter how much processing power they have so I don't see any problems. Basically I'm asking why (even on this site) there is so much negativity and mistrust towards storing encrypted passwords over the internet?
Possible duplicate of: http://security.stackexchange.com/questions/45170/how-safe-are-password-managers-like-lastpass/ – paj28 Jan 23 '14 at 10:56
2 Answers
If something is encrypted well enough, it's unlikely anyone would be able to break the encryption no matter how much processing power they have so I don't see any problems.
And that's a huge if! You have no control over how your data is encrypted with a service like LastPass. You can only trust that they have done so properly and that they do not have malicious intent.
Contrast this with an application like KeePass that stores your data locally. You control the application, you know how it's encrypted. You can take proper steps to secure the key file (if you are using one).
(Shameless advertising, I wrote a blog post about this about a year ago: http://www.infosecstudent.com/2013/02/switching-password-mangers-why-lastpass-just-isnt-working-out-anymore/)
But why do you arbitrarily trust KeePass and not LastPass? KeePass could just as easily be lying to you about encrypting passwords. Is it because KeePass is open source and LastPass isn't, so you know the inner workings? Is it because KeePass stores the files locally, which somehow makes them easier to check - if so, how? For example, you can't say "I tried opening the .kdbx file KeePass created with Notepad and I couldn't see any of my passwords, therefore it's encrypted" – Celeritas Jan 23 '14 at 03:59
Well I don't believe just because a product is closed source it's automatically insecure. – Celeritas Jan 23 '14 at 04:36
@Celeritas It's not "automatically insecure". You ask about risks. It's a risk you take if you entrust your passwords with a service that you cannot verify. Can you accept that risk? I cannot so I use KeePass, which I *can* verify. If you can accept the risk, go ahead with LastPass. No one is stopping you... – Jan 23 '14 at 04:38
@Celeritas https://lastpass.com/support.php?cmd=showfaq&id=1096 - You will be able to view the JavaScript source in your browser to verify LastPass. – SilverlightFox Jan 24 '14 at 17:17
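An added illustration of the point raised in the comments above (this is example code, not from anyone in the thread): "I can't read it in Notepad" tells you nothing about whether a vault is encrypted. The block compares a constructed plaintext vault, the same bytes XORed with one constant (unreadable, yet its byte histogram is identical to the plaintext), and a keystream built from SHA-256 in counter mode as an offline stand-in for a real cipher such as AES-CTR. Byte entropy separates the first two cases; it still cannot prove the third is strong, which is why verification has to come from the source and the design, not from eyeballing the file.

```python
import hashlib
import math
from collections import Counter

# Constructed sample vault contents (made up for this example).
PLAINTEXT = (
    b"title: example bank\nuser: alice\npassword: correct horse battery staple\n"
    b"title: example mail\nuser: alice@example.invalid\npassword: hunter2hunter2\n"
) * 8

def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte, from the byte histogram."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def xor_single_byte(data: bytes, key: int) -> bytes:
    """'Obfuscation': XOR every byte with one constant. Looks like garbage in
    Notepad, but it only relabels byte values, so the histogram shape is unchanged."""
    return bytes(b ^ key for b in data)

def prf_stream_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real stream cipher: keystream block i is SHA-256(key || i).
    Used only so the example runs offline without a crypto library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def looks_like_text(data: bytes) -> bool:
    """The 'open it in Notepad' test: is the file mostly printable ASCII?"""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.95

def compare(plaintext: bytes) -> dict:
    """Return (readable_in_notepad, entropy_bits_per_byte) for each variant."""
    obf = xor_single_byte(plaintext, 0xA7)            # hypothetical constant key
    enc = prf_stream_encrypt(plaintext, b"constructed-demo-key")
    return {
        "plain": (looks_like_text(plaintext), shannon_entropy(plaintext)),
        "xor": (looks_like_text(obf), shannon_entropy(obf)),
        "prf": (looks_like_text(enc), shannon_entropy(enc)),
    }

if __name__ == "__main__":
    for name, (readable, ent) in compare(PLAINTEXT).items():
        print(f"{name:5s} readable={readable!s:5s} entropy={ent:.2f} bits/byte")
```

The XOR variant fails the Notepad test exactly like real ciphertext does, but its entropy equals the plaintext's to the last bit; a high entropy figure, in turn, is also produced by compressed data, so neither check substitutes for knowing how the vault format is actually built.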
The Internet isn't the security risk. Assuming all your stuff is locally encrypted and the password is reasonable and isn't known to the attacker, then you're golden.
Now, what might affect that? Choosing a bad password, obviously, but more interesting is a local compromise on one of your workstations. If a piece of local malware gets the key to your LastPass or KeePass or Chrome or any other password storage database, then you lose. This is irrespective of whether that encrypted database is accessible over the Internet. The risk is your workstation.
So choose good passwords, don't re-use your passwords, but more than anything, don't use your password on a potentially-compromised workstation.