I am using Password Store as a password manager.
The system uses encrypted plain-text files to store the passwords, one file per password. The files are encrypted using 4096-bit GPG and kept in an orderly file/folder hierarchy.
For convenience, I would like to put this collection of encrypted plain-text files in my Dropbox, so I can access them from multiple computers.
Obviously, having these files "in the cloud" reduces the security at least a little.
How much risk am I taking by putting these encrypted passwords in a place where they may be able to be accessed by others?
Is it a relatively safe thing to do, or is it significantly increasing the risk of my passwords being hacked?
Answers to questions from other posters:
Where is your private key for decryption stored?
Not in the Dropbox, but on a few local machines that I trust. (Work, home, maybe phone). It is keyword protected.
Do you trust the implementation of pass?
Yes, I am comfortable assuming pass was implemented properly and without creating any additional security concerns.
Is someone else able to access said cloud store?
Yes. For the sake of this discussion, we're assuming the cloud service is as good as published on the web. It's more secure than that, but there are a handful of computers that I don't fully trust that have access to my Dropbox.
Do you suspect to be a high profile target?
No. I'm a nobody. I'm pretty sure if I put my passwords in my Dropbox in plain-text nothing bad would happen.
That being said, I'd like to know what risks I would be taking by effectively (for the sake of discussion) making the encrypted files publicly available.
That depends on a lot of things. Where is your private key for decryption stored? Do you trust the implementation of pass? Is someone else able to access said cloud store? Do you suspect to be a high profile target? – Seth – 2016-10-11T08:19:35.493
@Seth: Responded to your questions in OP, thank you. – JoshuaD – 2016-10-11T17:26:08.963
Well, the risks are that someone could be bored and have a lot of time on their hands to crack those passwords. Assuming that pass properly implements it with secure public key encryption, we're talking about multiple decades (at least) with the current tech. Another disadvantage would be that you're possibly giving away information on what kind of websites you're using. Depending on who else uses said machines this might be an issue. A coworker finding out you have an account for a competitor etc. might be an issue. – Seth – 2016-10-12T05:22:36.253
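
The metadata exposure raised in the last comment can be checked directly. The following is an added example, not part of the original thread or of pass itself: it lists what a reader of the synced folder sees without the private key. The function names and the sample store contents are constructed for illustration; the `.gpg` entry files and the clear-text `.gpg-id` recipient file are how pass lays out its store.

```bash
#!/usr/bin/env bash
# Added example: what anyone who can read a synced pass store learns
# WITHOUT the private key. All sample names below are constructed.

# Entry names: path inside the store minus ".gpg". pass keeps these in
# clear text, so folder and file names reveal which services have accounts.
exposed_entries() {
    ( cd "$1" && find . -type f -name '*.gpg' \
        | sed -e 's|^\./||' -e 's|\.gpg$||' | LC_ALL=C sort )
}

# Recipient key IDs or e-mail addresses: pass writes them unencrypted to
# .gpg-id files (store root, optionally per subfolder).
exposed_recipients() {
    find "$1" -type f -name '.gpg-id' -exec cat {} + | LC_ALL=C sort -u
}

# Number of entries visible to an observer.
exposed_count() {
    exposed_entries "$1" | wc -l | tr -d ' '
}

# Build a throwaway store with dummy bytes in place of real ciphertext.
make_sample_store() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/work" "$d/banking"
    printf 'alice@example.org\n' > "$d/.gpg-id"
    for e in work/vpn work/competitor-portal.test banking/examplebank.test; do
        printf 'dummy' > "$d/$e.gpg"
    done
    printf '%s\n' "$d"
}

# Demo run on the constructed store; point the functions at
# ~/.password-store (pass's default location) to audit a real one.
store=$(make_sample_store)
echo "Visible without the key: $(exposed_count "$store") entries"
exposed_entries "$store"
echo "Recipients listed in .gpg-id:"
exposed_recipients "$store"
rm -rf "$store"
```

Running the same functions against the copy in the Dropbox folder shows exactly which account names and key identities the less-trusted machines can read, even though the passwords themselves stay encrypted.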