Are password managers safe, even if the info is stored in the cloud?

Sep 5, 2014 9:04AM PDT
Question:


Hi, I was reading CNET's newsletter and a member was asking about cloud storage and how secure it was. My question is somewhat similar. There are many applications that offer to manage passwords. These days, I am sure that most people have at least 10 passwords or more that they need to remember and very likely rely on password managers to help them remember. I, for one, am currently using one. I use it across all of my devices--from my computers to my tablets to smartphone. My problem is, the password manager that I'm using stores the database in the cloud. Now, my big concern is if it's safe, since it is in the cloud. So is it safe? I would appreciate it if the community can suggest methods or secure password management apps with which I can manage all my passwords securely and use them across all my devices. Thank you.

--Submitted by: Christine P.

- Collapse -
Copy 'n Paste -- Yes
Sep 13, 2014 6:05AM PDT

For absolutely secure ID and p/w entry use cut and paste. NO ONE can determine what you entered.

- Collapse -
password managers
Sep 6, 2014 3:17AM PDT

Not sure about online or in the cloud password managers; but, I have written down on paper the log-in info including passwords of many sites that I've registered with. As long as those sheets of paper stay where they are, they will always be available whenever I need them.

- Collapse -
Paper burns, fades, gets lost and/or stolen.
Sep 12, 2014 12:24PM PDT

I used to keep a list of my passwords on paper, too.

Where do you LOCK that piece of paper away? Who has a key....or the combination? What if you lose them?

Go online/electronic; it's the only smart thing to do.

- Collapse -
Absolutely safe, if done properly
Sep 6, 2014 4:28AM PDT

You need a solution that keeps your passwords in an encrypted form, where only YOU possess the key. Where the owners of the service have absolutely no way of ever looking at your content.

Such a service does exist: Lastpass.

The basic service is free.

You install the addon to your browser.
Sign up with an e-mail address and a master password.
Your data are encrypted in your computer and ONLY the encrypted version is ever transmitted. Your user name and password are NEVER EVER transmitted.
If you have multiple devices, that same e-mail address and password are usable.
You can export the saved passwords from your browser.

Please note that the Lastpass staff don't have your master password and there is NO password recovery possible.
If they get a court order to transmit your information, they have NO possibility to comply. YOU are the one and only person in the world to possess the key.

- Collapse -
Yes, but only if you have a good master password
Sep 6, 2014 9:20PM PDT

I also use lastpass and am convinced of its security despite it being in the cloud. But only as long as the master password you use is very strong. The security comes not from their ability to defend from hackers, but from the fact that even if hackers get your vault, they cannot crack it in any quick way. With a lousy master password, this will not be the case.
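The point made in the two posts above (the vault is encrypted on the client under a key only the user can derive, so a stolen vault is exactly as strong as the master password) as an added example that is not part of the thread and not LastPass's code. It assumes PBKDF2-HMAC-SHA256 as the key-derivation function; the salt, iteration count, word list, passwords and guess rate are constructed.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this sketch, not a vendor's setting


def derive_key(master_password, salt, iterations=ITERATIONS):
    """Client side: stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def key_check(key):
    """Value kept beside the vault to tell a right key from a wrong one."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def find_in_wordlist(check, salt, wordlist, iterations=ITERATIONS):
    """Audit helper: the candidate that reproduces the stored check, else None.

    Anyone holding a copy of the vault can run this offline; each guess costs one
    full key derivation, so only the size of the search space protects the vault.
    """
    for candidate in wordlist:
        guess = key_check(derive_key(candidate, salt, iterations))
        if hmac.compare_digest(guess, check):
            return candidate
    return None


def years_to_exhaust(search_space, guesses_per_second):
    """Worst-case time to try every password in a space at a given guess rate."""
    return search_space / guesses_per_second / (365 * 24 * 3600)


# Constructed sample data: a short common-password list, a salt, two master passwords.
COMMON = ["123456", "password", "letmein", "qwerty", "dragon"]
SALT = b"constructed-per-user-salt"
WEAK_VAULT = key_check(derive_key("letmein", SALT))
STRONG_VAULT = key_check(derive_key("mauve-otter-9-trellis-fjord", SALT))

if __name__ == "__main__":
    print(find_in_wordlist(WEAK_VAULT, SALT, COMMON))    # the weak password is found
    print(find_in_wordlist(STRONG_VAULT, SALT, COMMON))  # no match in the list
    # 8 lowercase letters vs. 5 words from a 7776-word list, assumed 10,000 guesses/s
    print(years_to_exhaust(26 ** 8, 1e4), years_to_exhaust(7776 ** 5, 1e4))
```

Running `find_in_wordlist` over a list of breached or common passwords before accepting a new master password is the defensive use of the same check.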

- Collapse -
Agreed
Sep 15, 2014 2:55AM PDT

And to help insulate yourself against choosing a lousy master password, supplement using LastPass with the Google Authenticator.

You add your LastPass account to it and you get a revolving random number only good for about 30 seconds.

- Collapse -
Try this link.
Sep 9, 2014 4:46AM PDT
- Collapse -
Dead link
Sep 12, 2014 12:27PM PDT

Your "supposed" link to a CNET story goes to a 404 error.

- Collapse -
I noticed.
Sep 12, 2014 5:06PM PDT

But R. Proffitt beat me to it. Hope this helps.

- Collapse -
LastPass
Sep 13, 2014 5:23PM PDT

I agree; I also use a two-step Yubikey authentication for it so I think it is pretty safe. Got to go Premium for a small fee. Security has a price.

- Collapse -
Not safe even if when you send your PC for fixing
Sep 7, 2014 7:08PM PDT

Some time ago when the cloud was launched I read about it and said to my friends: no way it will be safe - now with the celeb photos spilling out it just got confirmed.

NO WAY I would send any passwords to the cloud. Will keep on writing them in the annotations book I keep near my PC (at home).

- Collapse -
no but GREAT question.
Sep 8, 2014 12:18AM PDT

That is the problem I have with newer versions of Norton. They do not support local vault for password managers or cc information. Everything is on their cloud.

I have asked repeatedly and encourage everyone to do so to write to Norton (if you use them) and ask them to continue to support local vaults (not just online vaults).

Keep that stuff on your local machine if you ask me. For now I am still using an older version 6.4.1.14. that uses local vault and they continue to provide virus definitions on a regular basis. I ignore pop ups that say upgrade for free. Once they stop supporting it I'm done with them (I may continue to use Norton just not their password manager) and will look for another utility that resides locally and is encrypted.

Anyone out there that uses Norton please ask them to continue to support local vaults.

- Collapse -
To hookdw, post deleted
Sep 9, 2014 6:29PM PDT

I deleted your post.

I didn't recognise the link you gave and it could have taken me anywhere. Too dangerous and needless to say I didn't click it.

That's why I deleted your post.

Try again, but with a proper link this time.

Mark

- Collapse -
Cross-platform app with flexible net storage (?)
Sep 12, 2014 11:33AM PDT

Give me a solid encryption app that stores all of my data in one file ...

... and then let me stash that file in the cloud wherever I want to put it. No 'service' involved ... other than a simple file service.

But it would be very helpful if all of my devices could run a version of the same app, and access the same file service, so that I have access everywhere.

Does it exist?

Thanks!
Barry

- Collapse -
PWSafe
Sep 12, 2014 12:01PM PDT

I use PWSafe, an open source app, and store the encrypted file on Dropbox. All my computers and iPad have access to it. There is a balance here - if you have the discipline to remember very complex unique passwords, then fine - but most people don't. And I believe simple passwords or shared passwords are a bigger risk. With PWSafe, I have it generate very complex passwords unique to each site. I believe the bigger risk is a site getting hacked, but you have to make your own tradeoff.

- Collapse -
Constantguard?
Sep 13, 2014 1:05AM PDT

So I use Constantguard by Comcast and decided I had better change my pw. Well, I can only enter 8 numbers. That would be figured out in seconds with the right program. How safe is it? Do they store my pw in a manner that anyone could get my information? I thought they said by using their site, it would be an added layer of protection.

- Collapse -
Constant Guard
Sep 13, 2014 6:28AM PDT

Comcast no longer offers Constant Guard in my area - I did use it successfully for several years - never had any problems.

- Collapse -
Another requirement ...
Sep 13, 2014 7:21AM PDT

This is an interesting thread! I'm adding a third requirement to my own list:

(1) Solid encryption app, portable across all my devices
(2) File service (independent from, and unknown to, the encryption tool vendor)
(3) Functionally-composable encryption apps.

If the encryption vendors could get together and agree on a way to allow me to easily do this:
cyphertext = e1(e2(plaintext,password),password)

- e1() - is one vendor's encryption function
- e2() - is another vendor's encryption function

Hypothetically, if there are 6 'good' vendors, then there are 30 compositions of two encryptions. And if one of the vendors has included a backdoor, I'm still protected. And if I want to be super-secure, I can use a longer sequence of encryptions.

To make this reasonable, the vendors would have to support a standard that would allow me to configure the encryption sequence on my device. At the user end, the result must still look like one encrypt/decrypt step.

--Barry

- Collapse -
Jesus Christ!hehe
Sep 12, 2014 12:14PM PDT

First of all, using a password manager is like giving everyone a copy of your car key. Using a password manager is a no-no!

- Collapse -
It depends on the password manager
Sep 12, 2014 12:35PM PDT

I personally use LastPass Premium (http://www.lastpass.com) with a Yubikey (http://www.yubico.com/) for two factor authentication. While LastPass stores your passwords in the cloud LastPass cannot access your passwords without your master password as they only store an encrypted copy. For a dollar a month being able to access all of my passwords on any computer with Internet access, my iPhone, iPad, and Kindle Fire HD, I'd be lost without it. You can read/listen to how this is accomplished from Security Now! - Episode 256 - LastPass (https://www.grc.com/sn/past/2010.htm#256)

A password manager is the only way to secure your online life. It is impossible to create and remember the massive amount of passwords that we need in our digital life without password reuse, accounting for compromised passwords, and adhering to each site's varying password requirements. Humans are not good at being random (http://www.dailymail.co.uk/home/moslive/article-1334712/Humans-concept-randomness-hard-understand.html).

Until something better comes along, like SQRL (https://www.grc.com/sqrl/sqrl.htm), we are stuck with creating and recalling a vast number of passwords to access our online lives and prove our identity to the various sites we access.

Now if we can only stop sites from thinking that secret questions are anything close to secret. I'd rather lose all of my data if I forget my password than have someone, like an ex-wife, access my data because she knows my mother's maiden name, my first pet, where I was born, the color of my first car, my best friend, my favorite band...

- Collapse -
There is a secret to the "secret questions" insecurity.
Sep 12, 2014 11:58PM PDT

Don't give the right answers! Obviously, you have to remember the wrong answers you give. You can store them in the notes section of your password manager.

- Collapse -
Excellent links!
Oct 4, 2014 6:24AM PDT

Excellent post! Thanks RKilroy!

- Collapse -
Don't store anything vital/private in cloud storage
Sep 12, 2014 12:38PM PDT

Would you trust your banking details in cloud storage? No, so don't store security details there. To have my password manager have the passwords on all my devices (desktop, laptop, tablet) I make a password protected archive and email it to myself. I also have the archived passwords and passcards stored on a USB thumb drive.

- Collapse -
Don't store on cloud?
Sep 12, 2014 7:31PM PDT

And you feel it's safer to transmit something via email, which is stored on email servers as well, than having it in the cloud?

There is a far greater chance of: Someone breaking into your house and stealing your password book. Your house burning down and there go all your passwords. Having just one book makes it pretty hard to log on at home, at work, on your tablet on the go, on your cell phone on the go...

- Collapse -
Last Pass is a help
Sep 12, 2014 12:55PM PDT

I use Last Pass Premium. For a few dollars, I can select and store and retrieve random difficult-to-even-begin-to-guess passwords, and since I would never remember them, I get to store them with ready access when I need them. While this is not perfect, it is near-impenetrable if you stick with long random passwords and change them every few months.

There are utilities for the Mac and PC that allow deep encryption of an area of disk, opening only with a password, where one can store any form of files, including passwords. Of course, a strong password to access the encrypted area of the disk would be a good idea.

Paper storage in a hidden area is not such a bad idea, but it would not be accessible except at home.

I think the sloppiest password usages are on our smartphones, due to the current problems of using, for instance, Last Pass to automatically fill out the passwords on our programs. Perhaps iOS 8 will help this. Don't know about the world of Windows and Google phones.

Last and not least by any means, think about what you want to store on the 'cloud', and resist the programs that automatically want to send all of your data to the cloud. If you are in doubt, just turn off cloud storage!

- Collapse -
It depends on password manager
Sep 12, 2014 1:36PM PDT

and it is safe if:

- the password database is encrypted with good enough password / passphrase;
- the password manager uses strong and proven encryption algorithms without backdoors;
- the password manager has correct and trusted implementation of these algorithms.

- Collapse -
Are password managers safe,...
Sep 12, 2014 2:58PM PDT

Absolutely not!

I think people's heads must be in the cloud too if they use this alleged "commodity".
I am not a geek but I used to work for the Feds. I had a reasonable degree of security training so I would NEVER mess up in the so-called "Cloud".
Think of the basic "storage unit" that people use to store things. It is often personal junk stuff, yet things are stolen from it just the same. Can you imagine what moderately competent hackers will do to get at passwords & account numbers?
I fare better with my own master PW list on a small external device, with a less sensitive list on a second HD not directly linked to drive C. In anticipation of a crash, I also keep a paper copy to use with a stand-by computer.
I never used all that ancillary back up. The third drive file does the trick for most instances.
I have worked with the same credit card for 15 years, I have been defrauded only once and it was by a store I had just used - so they had my account anyway.
With good common sense and a serious internet security anyone can be fairly safe online.
Leave the Cloud for the birds.

- Collapse -
Rolodex and papers
Sep 12, 2014 6:45PM PDT

Many suggest that you store the important passwords on scraps of paper, kept up to date manually.
This is great if you stay at home and change your info on your record immediately!

Now, don't you go anywhere! You get stuck unless you use password managers stored in the cloud...

- Collapse -
Don't use a password manager for everything.
Sep 12, 2014 7:07PM PDT

I use Lastpass for all my passwords except banking and financial sites. For those sites I use an encrypted file on my local hard drive.
If somebody wants to hack into all my website passwords, they are welcome, but they will find no critical stuff.

Peter