Cloud password manager vs. desktop one, which is more secure?

0

Which one is more secure and why?

For the online one, there is concern about whether your password is encrypted locally or not, or whether anyone can get access to it if needed. Above all, do you feel secure saving your passwords online?

For desktop password managers, a trojan, or a virus can steal all your passwords.

Would you prefer an old type chit keeping, where you write down all your passwords on a small piece of paper or in a small diary and keep it in your wallet?

This question was inspired by this question.

munnaBhai

Posted 2010-02-23T14:54:30.593

Reputation: 37

Answers

1

If you have malware on your local machine, it will compromise any cloud-based service that you log on to anyway. Based on this, I would say that using a local password manager is better simply because unless you know the source code of the service you are using, anything is possible.

The real question is, are you willing to sacrifice security for ease of use?

I have never used a password manager of any sort (other than the one built in to Firefox) as I use other techniques for remembering my passwords. However, I am quite impressed by and like KeePass. You could always back up your password database to a service such as Dropbox or Mesh.

William Hilsum

Posted 2010-02-23T14:54:30.593

Reputation: 111 572

2 I use KeePass + Live Mesh, works like a charm. KeePass encrypts its database so the part of it living in the cloud is safe. – ThatGraemeGuy – 2010-02-23T15:03:04.227

@Will, say I use KeePass, then sometime if my computer gets infected with a trojan or a virus, are my passwords safe? I mean, they do not get stolen by that virus? Assume that I already have a backup copy. Just curious! – munnaBhai – 2010-02-23T18:31:53.780

That depends. Technically yes, as long as you have a strong password protecting it. However, if the virus is some kind of keylogger, it will know your password. However, you will have the exact same problem by using LastPass or any other product. – William Hilsum – 2010-02-23T19:59:54.080

0

An encrypted database uploaded via an encrypted connection into a secure database (with proper hashing and salting algorithms) is pretty much just as secure as a desktop solution, providing you don't have a password that can be brute-forced or guessed.

Either way, it's not that secure if the attacker has access to your PC.

Phoshi

Posted 2010-02-23T14:54:30.593

Reputation: 22 001

You mean, even though the pass file is encrypted (e.g. say in KeePass), it can still be read by a virus or attacker! – munnaBhai – 2010-02-23T18:36:18.943

1 @munna, no, no, encryption is encryption, it can't be broken just through proximity. However, if a virus or keylogger can grab your password, then an attacker can use that to get your passwords. They could, however, do that anyway with the passwords KeePass stores! – Phoshi – 2010-02-23T18:40:25.717
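
The point made in the answers and comments above, that a vault encrypted locally under a master password stays unreadable once it is copied to a cloud folder, shown as an added example that is not code from this thread or from KeePass. The function names, blob layout and iteration count are assumptions, and the HMAC counter-mode keystream is a standard-library stand-in for the vetted cipher a real password manager would use.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; every offline guess pays this cost


def _keys(password: str, salt: bytes, iterations: int):
    """Stretch the master password, then split into encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (illustrative stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(password: str, plaintext: bytes, iterations: int = ITERATIONS) -> bytes:
    """Encrypt locally; the returned blob is all the sync service ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)  # fresh per save
    enc_key, mac_key = _keys(password, salt, iterations)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    body = salt + nonce + ciphertext
    # Encrypt-then-MAC: the tag covers salt, nonce and ciphertext.
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_vault(password: str, blob: bytes, iterations: int = ITERATIONS) -> bytes:
    """Verify the tag before decrypting; reject wrong passwords and tampering."""
    if len(blob) < 64:
        raise ValueError("vault blob too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(password, salt, iterations)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or modified vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))
```

Nothing here helps once the master password is captured on the local machine as it is typed, which is the keylogger case raised in the comments.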