Encrypted Data in a Dropbox: How much less secure does it become?

3

1

I am using Password Store as a password manager.

The system uses encrypted plain-text files to store the passwords, one file per password. The files are encrypted using 4096-bit GPG and kept in an orderly file/folder hierarchy.

For convenience, I would like to put this collection of encrypted plain-text files in my dropbox, so I can access them from multiple computers.

Obviously, having these files "in the cloud" reduces the security at least a little.

How much risk am I taking by putting these encrypted passwords in a place where they may be able to be accessed by others?

Is it a relatively safe thing to do, or is it significantly increasing the risk of my passwords being hacked?


Answers to questions from other posters:

Where is your private key for decryption stored?

Not in the Dropbox, but on a few local machines that I trust. (Work, home, maybe phone). It is keyword protected.

Do you trust the implementation of pass?

Yes, I am comfortable assuming pass was implemented properly and without creating any additional security concerns.

Is someone else able to access said cloud store?

Yes. For the sake of this discussion, we're assuming the cloud service is as good as published on the web. It's more secure than that, but there are a handful of computers that I don't fully trust that have access to my dropbox.

Do you suspect to be a high profile target?

No. I'm a nobody. I'm pretty sure if I put my passwords in my dropbox in plain-text nothing bad would happen.

That being said, I'd like to know what risks I would be taking by effectively (for the sake of discussion) making the encrypted files publicly available.

JoshuaD

Posted 2016-10-11T04:15:15.360

Reputation: 733

That depends on a lot of things. Where is your private key for decryption stored? Do you trust the implementation of pass? Is someone else able to access said cloud store? Do you suspect to be a high profile target? – Seth – 2016-10-11T08:19:35.493

@Seth: Responded to your questions in OP, thank you. – JoshuaD – 2016-10-11T17:26:08.963

Well, the risks are that someone could be bored and have a lot of time on their hands to crack those passwords. Assuming that pass properly implements it with secure public key encryption we're talking about multiple decades (at least) with the current tech. Another disadvantage would be that you're possibly giving away information on what kind of websites you're using. Depending on who else uses said machines this might be an issue. A coworker finding out you have an account for a competitor etc. might be an issue. – Seth – 2016-10-12T05:22:36.253

Answers

1

Your files still have to be decrypted to be usable. You are releasing some metadata (file dates, number of files) but I wouldn't be worried. I use Roboform and they offer a cloud service that syncs the password and notes between multiple computers. I don't worry about the files being decrypted. I worry more about key loggers or other malware that could discover my master password. I think two-factor authentication (TFA) makes it much harder to steal your data.

Sun

Posted 2016-10-11T04:15:15.360

Reputation: 5 198
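The metadata mentioned in the comment and the answer above (entry names, file dates, number of files) can be audited on your own store before syncing it. This is an added example, not part of the original thread or of pass itself; it also reads the recipient key ID that a standard OpenPGP file carries in the clear. It assumes binary (non-armored) `.gpg` files and pass's `.gpg-id` file; the sample store, its entry names and its key ID are constructed.

```python
import os, tempfile, time

def pkesk_key_id(blob):
    """Key ID (hex) from a leading v3 public-key encrypted session key packet, else None."""
    if len(blob) < 2 or not blob[0] & 0x80:
        return None
    if blob[0] & 0x40:                        # new-format packet header
        tag, first = blob[0] & 0x3F, blob[1]
        if 224 <= first < 255:                # partial body length: not a PKESK packet
            return None
        body = 2 if first < 192 else 3 if first < 224 else 6
    else:                                     # old-format packet header
        tag = (blob[0] >> 2) & 0x0F
        body = 1 + (1, 2, 4, 0)[blob[0] & 0x03]
    pkt = blob[body:body + 9]                 # version octet + 8-octet key ID
    return pkt[1:].hex().upper() if tag == 1 and len(pkt) == 9 and pkt[0] == 3 else None

def exposure_report(store_root):
    """Everything readable WITHOUT the private key or its passphrase."""
    entries, recipients, key_ids = [], set(), set()
    for dirpath, _dirs, files in os.walk(store_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".gpg-id":             # pass keeps recipients here in plaintext
                with open(path) as fh:
                    recipients.update(line.strip() for line in fh if line.strip())
            elif name.endswith(".gpg"):
                rel = os.path.relpath(path, store_root)[:-4].replace(os.sep, "/")
                day = time.strftime("%Y-%m-%d", time.gmtime(os.path.getmtime(path)))
                entries.append((rel, day))
                with open(path, "rb") as fh:
                    key_ids.add(pkesk_key_id(fh.read(16)))
    return {"entries": sorted(entries), "recipients": sorted(recipients),
            "key_ids": sorted(key_ids - {None})}

def build_sample_store(root):
    """Constructed sample: made-up entry names, key ID and packet bytes (not real ciphertext)."""
    fake = bytes([0x85, 0x02, 0x0C, 0x03]) + bytes.fromhex("0123456789ABCDEF") + b"\x01"
    with open(os.path.join(root, ".gpg-id"), "w") as fh:
        fh.write("user@example.org\n")
    for rel in ("email/example.org", "bank/example-bank.test"):
        path = os.path.join(root, *rel.split("/")) + ".gpg"
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(fake)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        print(exposure_report(tmp))
```

A key ID of all zeros in the report means the file was written with hidden recipients (gpg's `--throw-keyids`).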