Spyware, Viruses, & Security forum

General discussion

Are password managers safe, even if the info is stored in the cloud?

by Lee Koo (ADMIN) CNET staff/forum admin / September 5, 2014 9:04 AM PDT
Question:

Are password managers safe, even if the info is stored in the cloud?


Hi, I was reading CNET's newsletter and a member was asking about cloud storage and how secure it was. My question is somewhat similar. There are many applications that offer to manage passwords. These days, I am sure that most people have at least 10 passwords or more that they need to remember and very likely rely on password managers to help them remember. I, for one, am currently using one. I use it across all of my devices--from my computers to my tablets to smartphone. My problem is, the password manager that I'm using stores the database in the cloud. Now, my big concern is if it's safe, since it is in the cloud. So is it safe? I would appreciate it if the community can suggest methods or secure password management apps that I can manage all my passwords securely and use them across all my devices. Thank you.

--Submitted by: Christine P.
If the recent nude celeb pics are anything to go by...
by Dafydd Forum moderator / September 5, 2014 9:08 AM PDT

... then no. Not for me I'm afraid.

Dafydd.

As safe as safe can be.
by Kaffeguy2014 / September 12, 2014 4:04 PM PDT

How many times do security breaches happen yearly? Very low on a yearly basis. Keeping them on a Rolodex, a sheet of paper is not safe unless you store it in a vault. How many homes and businesses get robbed per minute? Many. So if you write them down they have the potential to be stolen. I have too many passwords to remember. So the 10 most important ones that would affect me and my family are kept on a sheet of paper in a bank security vault. This is just in case something happens to me, my family is able to retrieve information.

Home better than net security
by rrmram / September 13, 2014 5:52 AM PDT

How many times have I had a home invasion? -- once, 47 years ago. How many times have I had personal info compromised via the internet in the past year? -- many, two of the more notorious were Target and Home Depot, both of which have my data.

Bank storage may be good, but only if you never, or rarely, change your passwords; a concept I choose to avoid. I prefer encrypted on my thumb drive.

Internet Security breaches Very low?? Are you kidding me???
by stargate13 / September 13, 2014 9:51 AM PDT

I would have to disagree with this. Before computers came into existence there was only a need to remember your atm bank password, which was kept on a piece of paper at home...which is far safer than having these passwords used and saved on hundreds of internet sites network computers or in the cloud. Personally, with the influx of internet hacking, I have reduced the amount of internet password use and bill paying. I have begun using checks and mail again which was far safer than the internet has turned out to be...and will ultimately only get worse...!!

Re: Internet Security breaches Very low?? Re: ATMs
by dflory / September 30, 2014 2:48 AM PDT

re: Before computers came into existence there was only a need to remember your atm bank password,

Um! Before computers there were no ATMs. ATMs are basically computers. There wasn't too much need for passwords before computers.

misunderstood the problem
by adr5 / September 15, 2014 2:05 AM PDT

The celebrity pic fiasco has nothing to do with this. In those instances the celebrities picked poor passwords that were easily guessed. Had they been using a password manager, which meant they picked solidly secure passwords, they would not be in this situation now.

With that said, I would not use a cloud password manager. I would not trust anything important to the cloud.

How safe are online password managers?
by kamini_nigam / September 17, 2014 5:27 PM PDT

Even if the passwords are encrypted at rest, they must use reversible encryption. That means a hacker with access to the victim's machine could potentially steal the database/backup files, and walk away with the passwords. Of course, with a master password that's less of an issue.

No.
by R. Proffitt Forum moderator / September 5, 2014 9:16 AM PDT

Simple no when it comes to cloud storage.

Need proof beyond the recent news? Look at what happened to LAVABIT when they offered secure email. The US government stepped in. More at http://en.wikipedia.org/wiki/Lavabit

Bob

It's kind of scary
by itsdigger / September 5, 2014 10:15 AM PDT
In reply to: No.
Old School
by franciemr / September 5, 2014 10:55 AM PDT

A friend unexpectedly died and her family is having the hardest time with her electronics - they have no login IDs and passwords. This prompted me to start a list of things for my family so they have critical info when something happens to me. I was shocked at how many places I have to login. I have so far filled front and back of 1 legal pad page and am 1/2 through the front of the next page. Any time I have to login any site, whether for email or CNET, I make sure it is down. I have an old, tattered address book and I am penciling in the info, but I have sort of encrypted the written word. For example, for CNET I might say "ID is house" and "password is aunt". But the encrypted "translation" (which is not kept in the address book but in my safe) says "house = xy1st-lpyLsfja" and "aunt = 9psnrEbqjdb4-183nslq". So if anyone should get the address book, they still do not have the real IDs and passwords - they would think the ID is house and the password is aunt. As I change passwords, I update my address book and the handwritten list. I give written updates to siblings whenever we see each other. I know this isn't the best of methods, but probably just as secure as the cloud. One thing I have learned from CNET members: if you transmit it, it can be "seen" or hacked - now whether it will be or not is something else. So, I'm old school on this one and writing down. If anyone should break into my home and escape before cops respond to alarm, I would be surprised if they would take this old address book. It is literally taped up on the spine, has rubber bands around it, and there're at least 30-50 envelopes, return address labels, and sticky notes with address and phone numbers stuck into different pages. Plus they would not have the encrypted translation. It was a hassle to start it, but now that I'm just maintaining, it is easy.

saving passwords safely and retrievably
by ehsggs / September 12, 2014 1:20 PM PDT
In reply to: Old School

I use an old rolodex so I can have all my accounts in alphabetical order but have different PWs for each one. Very easy to find any PW and a lot easier than lists on sheets of paper. It is very easy to change a PW and easy to add one without losing order - just put the new one in the right place in the file. And it is NOT on the cloud or in someone else's files.

One time passwords, in case of death
by RKilroy / September 13, 2014 12:53 PM PDT
In reply to: Old School

LastPass has the ability to create one time use passwords which can be used to access your password vault. These passwords can be created, printed, sealed in an envelope, and stored to be accessed in case of your death. Additionally they could be broken up, x number of characters sent to different people, and spread around so that multiple people would be required to actually access your passwords. These same passwords can be revoked by you at any time.

One thing I will knock LastPass on is I have been unable to locate a chart showing the differences between the free and premium versions. I want an easy to access and quick to view chart showing the differences/limitations. I know the two things that I wanted, two factor authentication and use on portable devices, require the premium version. At one dollar a month I find the premium pricing more than acceptable.

LASTPASS
by Big_Mac_300 / September 14, 2014 9:42 AM PDT

The difference between free and premium is that free only works on computers. Premium allows you to use it on mobile devices with their app and the Dolphin plug in.

Just a lover of LastPass.

Are password managers safe? Comment on Reply By RKilroy
by LezLezLez / September 15, 2014 4:19 AM PDT

Hi,
I can add one piece of info re LastPass.
I understand, and have paid for a two-year subscription. This is purely to gain the advantage over the freeware version of "Cloud" retention on the LastPass website (encrypted data). This enables me to operate perhaps 100 different 12 character random, encrypted passwords from my various devices - with the LastPass "Vault" updated on my PC but then soon seen by each device. This avoids me having to learn or record 100 passwords. All I have to do is remember one "clever" master password for access to LastPass. I understand that the PC and cloud versions of this info, which then grants me access, is encrypted to an advanced level. My master password is not written or used anywhere else - it is only in my mind.
There are other nice features too such as setting second level passwords, requiring re-entry of the master password for sensitive sites or to avoid possible "live" device access by others.
There are some downsides too e.g. some complexity when you want to change passwords using a general use website through a unique "change your password" process.
Finally, I found the 2-year subscription low priced and after 2 years, if I need, I can print out my 100 different complex passwords should I need to migrate them - or perhaps such a facility will exist electronically by then.
Good luck.
Geoff.

New School
by deepearson / September 20, 2014 11:26 AM PDT
In reply to: Old School

Sorry, I was out of the country when this was posted. But I still had secure access to all my accounts and that's why I'm answering. My son, an IT pro, threw up his hands when I showed him how to access my accounts. He researched password management and chose Lastpass. We love it and no, I have no connection to them. All info is encrypted on my computer AND on the LP servers so stealing one end is useless without the other.
Lastpass will choose NSA level passwords for your accounts (you choose the level you want) and automatically log you in to each account or you can log in manually. They use multiple server farms and guarantee 100% up time.
You choose one doozy of a password to log in to Lastpass. String together the names of your first pet, your first child, your first car, your first job, your first spouse... You can remember the sequence, but nobody else knows them all or would guess that's what you used.
To answer RKilroy. The big deal with premium, $1/month, is Sharing! I was able to make folders of important info for my kids and put all the accounts they would need to access in those folders. While I am traveling, they can take care of things if internet access is not available to me. You can choose whether the people you share with can see the password or just use it. You can rescind this at any time. Lastpass works on all current devices. You can also leave secure notes: lawyer's name, car insurance info....
Now all my accounts are in one place and as secure as the internet can be. I've had it three months and use it at least twice a week. It's much easier and much more secure. How would I use the address book or rolodex in Fiji? When I die, it's all right there, no looking for anything.
One last thing: Lavabit. My son explained that their company had worked with a lot of people who were on the NSA radar, not just Edward Snowden. Some companies are willing to take this risk, others are not. He found several companies that do not take that risk. They let you load the usual websites and if you do "risky" things they will ask you to stop or shut you down. If you don't know what I mean by risky, you aren't doing risky things. I'm sorry I don't remember the names of other companies. He chose Lastpass and I let the rest go.
Hope this helps.

Statement, not question
by RKilroy / September 20, 2014 10:19 PM PDT
In reply to: New School

It was more of a statement than a question. If given a choice between free and pay people want to know the difference. An easy chart is the best way, in my opinion. Something like this chart for Adobe Acrobat (http://www.adobe.com/products/acrobatpro/buying-guide.html). I want to easily be able to see which product I need for what I want to do, or what I will be doing without if I use the free version.

In my case I knew I wanted to use LastPass on more than the computer and that I wanted two factor authentication, both of these are premium features. It would be nice to tell people if all you want to do is X then the free version is fine. You will have to pay if you want to do Y.

Depends what you mean by safe.....

If you are looking for near 100% security, then store your passwords on a piece of paper. This is about the highest level of security you can get. But there are a few major downsides to this method. First, unless you plan to carry a copy with you everywhere you go - which may severely compromise your data security if you lose your password document, you will be limited to using most of your passwords at home - well, unless you've got a photographic memory. There are tricks that some people use to create fairly secure passwords (create a password "base", for example, and then add random segments to this base for each website), but these passwords will not be as secure as unique passwords created at random. You will get the highest level of security by making your passwords long (a minimum of 12 characters), including every character type (capital and lower case letters, as well as special characters and numbers), and using a unique password for every website. Some people use the same password for websites that store little to no personal information (for example, CNET and the like), while others always use a different password for each website regardless. If you use an email address to log into websites, you'll want to be sure that the password associated with the email address is particularly strong - but all web-based email accounts should have very strong passwords anyway.

As you may realize, while using a piece of paper for passwords may be secure, it's going to be difficult to remember all of your passwords once you leave home. This is where password managers excel. Can any password manager promise complete and total security? No. But the better password managers use the most advanced encryption standards available. Furthermore, they offer other useful features. They can generate very strong passwords for you, save them to the website profile in your password manager account, and automatically fill the appropriate login information, if you wish (although some security experts suggest it's best not to use this last feature). The advantage here is that you can create very strong passwords - long, unique passwords containing all character types - and you will not be required to remember (or, perhaps, enter) these random passwords. Many people who do not use password managers compromise security for convenience, and this is a poor tradeoff. The chances of your online data being compromised when using a password manager to create very strong, unique passwords is much lower than it is when using short, easily guessed passwords - or the same password - out of convenience. But it's worth noting that not every website requires the same level of security, so less complex passwords are probably sufficient for websites that save little personal information (and even then you can use a pseudonym).

Here is some information you might find helpful:

http://www.independent.co.uk/life-style/gadgets-and-tech/news/microsoft-tells-internet-users-that-they-are-better-off-reusing-old-passwords-than-creating-new-ones-9610324.html

https://www.grc.com/haystack.htm

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/li_zhiwei


And here is a password manager that does not save your password information in the cloud:

https://www.schneier.com/passsafe.html

Password Managers are safe, but not in the cloud
by Mr Windows / September 5, 2014 12:54 PM PDT

Christine, after years in law enforcement, and government service, I am distrustful of anything stored anywhere other than on my hard drive. The revelations of Edward Snowden, and the recent Apple iCloud hacking incident, only serve to strengthen my distrust of "The Cloud", regardless of whose it is.

On my computer I use RoboForm (http://www.roboform.com/) as my password manager. It's on sale right now for $9.95, for a one year licence, for all your devices. When you set it up, it gives you the option of storing your passwords in its Cloud, which I recommend against. Or encrypted on your hard drive.

That's what I do, and would recommend you do the same, no matter what password manager you choose. If you go to the CNET Forums and look for a Free Password Manager (http://www.cnet.com/search/?query=Free+Password+Manager), you will have quite the selection.

Just because I use RoboForm, doesn't mean I'm shilling for them. What I'm trying to say, is when you are looking for a Password Manager, you want one that stores your passwords on your hard drive in an encrypted file. You want one that has as many features as you need, and you want one that fits your budget. I hope this helped.

Regards,
Mr. Windows

PWD MGRS are demanded!!! To be safe... BUT NOT in the Cloud
by Jim Babcock / September 12, 2014 11:29 AM PDT

Heed MR Windows advice.... NO CLOUD store of even your encrypted PWDs. I use 1PASSWORD, encrypts all PWDs AND stores in my Hard Drive. That is B/U every day on an external drive AND B/U on a thumb drive once a month.
RoboForm is very good as well. 1PW costs a wee bit more... but is a winner. Soon it will integrate with iOS 8 for even easier use. (Yeah... I have Macs...) BUT 1Password IS available on Windows as well. I have over 100 PWDs in the DB, each is unique and from 12-20 characters long...

Be safe... ignore all CLOUD storage for sensitive data... Best use them for photos etc., i.e. throwaway data.

Cheers, Jim B

Not to DIStrust password managers nor the Cloud, BUT...
by exceluser / September 12, 2014 1:50 PM PDT

I use a small thumb drive - with a text file located on it. In addition to passwords throughout the text, I put actual info about the subject of the text file - trying to be subtle.

NEVER identify, actually, what the string of text may be - have to rely on memory for that.

BUT when I need to log on, thumb drive goes in, I find what I want in the text file, Ctrl C to copy it, Eject, go to where the password is needed, Ctrl V to paste.

Even a key-stroke logger can't follow that.

Regards,

Bill

USB Drives Fail
by RKilroy / September 13, 2014 1:03 PM PDT

I can't tell you the number of USB drives I've seen fail over the years. These failures range from not recognized on any machine to the drive must be formatted messages. If you only have one copy of your data, plan on losing it. It is not a question if your drive will fail, but when.

If you think that copy and paste provides you with any protection you are mistaken. Anyone who has that much access to your machine can also query the clipboard buffer and send that along.

Additionally the use of USB drives may be blocked on some machines, specifically work machines. You can access your LastPass information as long as you can access their web site. These days organizations are becoming much more strict on user rights and allowing users to install software. LastPass has plugins for Internet Explorer, Chrome, and Firefox. If you can't install a plugin there is a stand alone, premium version required, no install software package that hooks into IE to provide LastPass functionality.

RoboForm
by magentry01 / September 13, 2014 3:07 AM PDT

I have tried saving my passwords (both web based and system based) to an encrypted hard drive using RoboForm and have not been successful. Do I need to download something additional from RoboForm?

My operating system is windows 8.1.

Thanks for your help,
Mark

Cloud password storage
by Illio / September 14, 2014 8:31 AM PDT

Thank goodness. I thought I was the only person left on the planet that didn't trust the cloud.

Password manager safety
by pgkumar / September 5, 2014 1:29 PM PDT

I don't want to seem to promote any one product, but this video pretty much convinced me to start using one and put my worries to rest. It is long but bear with it as they walk through the steps.
https://m.youtube.com/watch?v=_stBixODWf8

It depends on how good your passwords are
by LarryR9999 / September 6, 2014 12:03 AM PDT

Most of the cloud password storage services will tell you they use very good encryption, like AES-256, the encryption is done on your PC, not in the cloud, so they never have the cleartext version of your passwords, and it would take years to decrypt your passwords. There are at least two issues with this. One is there could be a backdoor programmed into their software that allows a hacker to capture your passwords as they are encrypted. The other is that if someone steals the encrypted data from the cloud (happens all the time) storage provider due to a security breach, they can try a brute force attack to get your passwords. If your passwords really are secure, and your data is not worth days of supercomputer time, you're still OK. But if your passwords are trivial (simple names, words, etc.) they will be able to get your passwords by simple brute force random guessing. They won't target you specifically - they will search for the passwords that are easy to guess, and then sell those with the login names on the 'Net.

Personally, I use a password encryption program that only stores data on my hard drive. I print out the info once in a while in case my HD or PC fails. I also back up the file to my own USB stick. I don't use the feature that lets the program autopopulate passwords in my browser - instead I copy and paste manually. And for important accounts, I use different complicated passwords that have mnemonics that are meaningful only to me but without personal info.

Only one has to be really really good
by schveiguy / September 8, 2014 6:21 AM PDT

Good info there, but generally a cloud-based password storage system has all your passwords encrypted as one file. The data is never sent unencrypted to or from the server, everything is only ever seen in clear text on your computer. But importantly, the hacker cannot decrypt each password individually based on the strength of that password, they have to decrypt the entire thing, based on the strength of the MASTER password. So either all your passwords are safe, or all of them are compromised, and it all depends on that one master password. So choose it wisely.

However, you should still have good strong passwords for each site, because each site could be compromised individually, and you have no control (and generally no insight) as to how they store your passwords. A big hint -- if you ever request your password, and they email it to you in clear text, then they are STORING it in clear text! Make sure not to store any compromising information there!

Fortunately, all the password storage tools have a generating feature that generates long good strong passwords for you, so you don't have to come up with them, and you really have no excuse not to use it.

Very true about the back door, you have to put some level of trust in the company, unless you want to write your own encryption system. But I think there is little reason for them to put that in, and a lot of reasons not to.

For the truly paranoid, you can get a secondary authentication mechanism, such as a yubikey to provide even more security. Without the key, your vault cannot be opened, but then you risk losing all your passwords if you lose that key.
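
An added sketch (not part of any post in this thread and not any product's code) of the model described in the two posts above: the master password is stretched into keys on the client, every entry is sealed as one blob, and only salt, nonce, ciphertext and tag would ever reach a server. Assumptions: the function names, the PBKDF2 iteration count, and an HMAC-SHA256 keystream standing in for AES-256 because the Python standard library has no AES.

```python
import hashlib
import hmac
import json
import secrets
import string

# Assumed work factor for this sketch; real products choose and tune their own.
PBKDF2_ITERATIONS = 200_000


def derive_keys(master_password, salt, iterations):
    """Stretch the master password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for AES, not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries, master_password, iterations=PBKDF2_ITERATIONS):
    """Encrypt all entries as ONE blob; this dict is all a server would store."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "iterations": iterations,
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def open_vault(blob, master_password):
    """Return every entry, or raise: there is no per-entry unlock."""
    salt = bytes.fromhex(blob["salt"])
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    enc_key, mac_key = derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong master password or modified vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def generate_site_password(length=20):
    """Random per-site password drawn from letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample data: site names and master passphrase are made up.
    vault = {"shop.example": generate_site_password(),
             "mail.example": generate_site_password()}
    stored = seal_vault(vault, "first-pet first-car first-job")
    print(sorted(stored))  # what the storage provider holds
    print(open_vault(stored, "first-pet first-car first-job") == vault)
```

The per-site passwords never influence the keys; the only secret protecting the blob is the master password, slowed down by the iteration count.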

Only one password has to be really really good
by purpledog2000 / September 12, 2014 12:42 PM PDT

Pardon me but that's nonsense. If you have lousy, as in not good, passwords nobody needs to decrypt anything. They just dictionary it.

I've never seen so much inaccurate advice before from multiple, what "Apple iCloud incident", celebrity nudes? That was because they had poor passwords and someone guessed them. No clouds have been major exposed that I am aware. Are you saying Google has been compromised?

Password managers (PMs) are just a good organized way to maintain numerous, really really good passwords. PMs will generate "really really good" passwords for every site you have. They will be far better than anything you'd normally use for passwords. We know rules: don't reuse passwords for multiple sites, always use good passwords. PMs help you do that. If you don't use one you'll have to keep your own spreadsheet or DB of passwords with its own risks. Maybe you'll keep post-its of passwords stuck all over your monitor.

I use LastPass but there are a few well-known others just as good or better.

In context
by schveiguy / September 12, 2014 9:08 PM PDT

What I said is correct! Keep in mind the subject, cloud stored passwords. These are encrypted by *one* master password. Crack that one password and all your passwords are available in *clear text*. It doesn't matter how good those other passwords are!

Now in terms of an individual web site being compromised, yes you want a really good password for those. That way if that web site is hacked, your password isn't easily guessed. I don't disagree with that.

The original post I replied to suggested that if the cloud storage of your password was hacked, each password would be individually attacked. My reply simply clarified that this is not the case.

I highly recommend using a different really good password for every site, preferably auto generated from a tool. But the most important step is to use a very strong password to protect them all, or it's all for nothing!

google compromised
by monsieurms / September 12, 2014 10:10 PM PDT

Yes, Google has been compromised.

http://www.wfmynews2.com/story/news/nation/2014/09/11/hackers-post-millions-of-stolen-gmail-passwords-on-russian-site/15459311/

Who hasn't? A password manager doesn't help much if the site exposes everything anyway. I keep doing all the cool stuff with passwords, with great difficulty, but from Heartbleed to other types of security breaches, it seems increasingly in vain.

Simple truth: passwords are obsolete. They don't work unless they are complicated and different everywhere. Even then back-door hacks can defeat you. And when they are complicated it becomes increasingly complicated to remember. Password managers help, but that also makes sure I never really know what's happening and I have to have them across multiple devices.

Two-step verification should be available everywhere. We need to migrate to systems that include something tangible to go with pass codes: cards to swipe, retinal scanners, etc. Passwords are dead. Security people just haven't caught up yet.

Google hasn't been compromised
by purpledog2000 / September 15, 2014 8:53 AM PDT
In reply to: google compromised

If you actually read the link you provided, obviously you didn't, you would see google has not been compromised. Add to that Google search will NOT make you smart.
