Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

General discussion

Are password managers safe, even if the info is stored in the cloud?

Sep 5, 2014 9:04AM PDT
Question:

Hi, I was reading CNET's newsletter and a member was asking about cloud storage and how secure it is. My question is somewhat similar. There are many applications that offer to manage passwords. These days, I am sure that most people have at least 10 passwords or more that they need to remember and very likely rely on password managers to help them remember. I, for one, am currently using one. I use it across all of my devices--from my computers to my tablets to smartphone. My problem is, the password manager that I'm using stores the database in the cloud. Now, my big concern is if it's safe, since it is in the cloud. So is it safe? I would appreciate it if the community can suggest methods or secure password management apps with which I can manage all my passwords securely and use them across all my devices. Thank you :)

--Submitted by: Christine P.


Are password managers safe
Sep 12, 2014 10:39PM PDT

I don't trust others to keep my password.

That's why I store them on a USB key and make a paper copy for daily use. As soon as I need a new one I write that down on my paper copy and later add it to my USB key.

Let's say that my situation differs from that of a lot of people. I'm alone at home with my wife, who does not even want to know anything about computers except to search recipes, which I profit from a lot. HUM! HUM! Good.

Password managers
Sep 13, 2014 12:02AM PDT

I don't use cloud storage for anything that is personal (files, pictures, etc.). I keep all of my passwords in a local Excel file which I have password protected. There is no guarantee that this method is totally foolproof but at least I have it stored only on my hard drive - the password for the file is not written down anywhere. So far, I have had no problem managing my password list (hundreds of entries). Knock on wood that nothing changes!

MS Excel encryption is not very good
Sep 13, 2014 5:41AM PDT

The default encryption for Excel is terrible. There are numerous articles about how easy it is for anyone to crack it. There are ways in the later versions to make it better, but it's not simple. Beware!

Excel file
Sep 13, 2014 8:11AM PDT

At least 10 years ago, I created an Excel file for keeping user names and passwords. After writing one word, I transferred it to a USB drive and continued entering all my info; columns for website-user name-password. I then printed 2 copies - one stays in a vault. I hand-write in any changes, then every once in a while I'll update the Excel file, print a new copy and burn the old one.
I now have the file on 2 USB drives (one in the vault) plus an external HD that only gets plugged in for weekly backing up. So, this file is rarely accessible through my computer, and if nobody except my wife knows a hidden paper copy exists, then why would anybody look for it?
My only concern is that now that I'm retired I don't have a safe place to keep an off-site USB drive.

Is perfection the enemy of the very good?
Sep 13, 2014 2:08AM PDT

I am of the school of thought that a very good PW manager which I use is better than a perfect one which I don't.

I used RoboForm 6 for about a decade which kept info on my hard drive and I synched the HDs on our 3 computers. That worked well until I got a tablet. And what happens if I ever get a smart phone? So I upgraded to RoboForm Everywhere which keeps info on their server. I have not figured out if they know my master PW. I do like that all our devices can access the PWs and that they have a virtual keyboard available if on a public wifi so I can log on to RoboForm without any keystrokes. Because RF is convenient and easy to use, I have stronger PWs than I would otherwise.

Keeping PWs on paper has its problems, too, like robbery or fire. In a safe? Are you kidding me? Having to open and close a safe every time I use a PW or even every online session would just never happen in my world. But if it works for you....

I also use LastPass on some computers of friends/family I help with tech issues. The free version does everything they (or I) need and LP cannot give anyone the master PW because they do not know it. But it is not quite as convenient as RF with its toolbar on IE and Firefox, though it is close. If using Chrome, it is a toss up.

Password management
Sep 13, 2014 3:12AM PDT

Any password scheme based on a system like the one to be described is vulnerable just because it uses a system. However, this system/scheme is known only in your memory. Because your choices are known only to you, it should be fairly safe. Choose 3 or more modules outlined below. Each module will have at least 3 characters with a format of your choosing. Possible modules are: (1) URL, (2) Date, (3) Name, (4) Location, (5) State, (6) Domain, (7) ? ... . In your password, the composition and order of these modules is uniform but is known only to you. The resulting password should be at least 12 characters long. For example, if you are Bob Smith in Pittsburg, your password for cnet.online.com might be: *2014cNEbSPITTorgPA. It is left to the reader to discover which modules and the capitalization rule were used. Just make certain that you are comfortable with the composition. Some websites do not recognize the splat (*) or other symbols, so S might be used instead of *. The vulnerability of such a scheme lies in the fact that only the website identifiers cNE and org change from site to site in this example. The 12 or more characters provide protection against a brute force attack.
Ernie

Password Schemes rendered useless by compromised passwords
Sep 13, 2014 9:18AM PDT

Any password scheme is immediately compromised and complicated by any password created being compromised. Look at it this way, you create your 25+ passwords with your "password scheme"; now password number 1 has been compromised, through no fault of your own. What do you do? Create a new password scheme? How do you handle the other 24+ passwords? What happens when password number 2 is compromised next week? The more popular the site, the bigger the target value for attacks.

One thing that hasn't been addressed are the additional functions a password manager brings to the table. Such as random password creation, password entry, and anti-phishing protection. I'd hate to have to enter passwords like "0c%Y0k9^H&&G58od". LastPass not only creates that password for me. It will populate it when I go to the site it was saved with, so if I go to CNET.com it will populate the correct password for CNET, but if the site is CMET.com it doesn't know what password to use. This is especially important for sites like Blizzard.com which is frequently a subject of phishing attacks. B1izzard.com won't fill in my password. If my password of "0c%Y0k9^H&&G58od" isn't acceptable I can tweak the LastPass generation to omit the symbols "79SIhfXY0YPyKNsf", make it shorter "WSnl4fRy", or whatever is required by the site. I don't have to remember the type of password the site wants, LastPass does it all for me.
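The two manager features described in the post above, autofill that refuses lookalike domains and a generator whose character set can be adjusted per site, in an added Python example that is not code from the post, from LastPass or from any other product. The vault contents, the usernames and the choice of a registrable-domain match (without public-suffix handling) are assumptions made for the illustration.

```python
import secrets
import string
from urllib.parse import urlsplit

# Constructed sample vault for this example (hypothetical entries, not real
# credentials).  Each entry is keyed by the registrable domain it was saved for.
SAMPLE_VAULT = {
    "cnet.com": {"username": "christine", "password": "0c%Y0k9^H&&G58od"},
    "blizzard.com": {"username": "bob", "password": "WSnl4fRy"},
}


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def host_matches(page_host: str, saved_domain: str) -> bool:
    """True only if the page host is the saved domain or a subdomain of it.

    'www.cnet.com' matches 'cnet.com'; 'cmet.com', 'b1izzard.com' and
    'cnet.com.evil.example' do not, because the comparison is anchored at the
    end of the hostname rather than being a substring search.  (Simplification
    for this example: a real manager also consults the public-suffix list so
    that something like 'co.uk' can never be a saved domain.)
    """
    return page_host == saved_domain or page_host.endswith("." + saved_domain)


def entries_for_url(vault: dict, url: str) -> list:
    """Entries a manager may autofill on this URL; empty for lookalike hosts."""
    page_host = host_of(url)
    if not page_host:
        return []
    return [
        {"domain": domain, **entry}
        for domain, entry in vault.items()
        if host_matches(page_host, domain)
    ]


def generate_password(length: int = 16, symbols: bool = True) -> str:
    """Random password from the OS CSPRNG; drop symbols for sites that reject them.

    Retries until the result contains both a letter and a digit, so a short
    password is never drawn from a single character class.
    """
    if length < 2:
        raise ValueError("length must be at least 2")
    alphabet = string.ascii_letters + string.digits
    if symbols:
        alphabet += "!@#$%^&*"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate):
            return candidate


if __name__ == "__main__":
    for url in ("https://www.cnet.com/login", "https://cmet.com/login",
                "https://b1izzard.com/", "https://cnet.com.evil.example/"):
        print(url, "->", [e["username"] for e in entries_for_url(SAMPLE_VAULT, url)])
    print("16 chars with symbols:", generate_password())
    print("8 chars, letters and digits only:", generate_password(8, symbols=False))
```

The anti-phishing value comes from the match being anchored at the end of the hostname: a credential saved for `cnet.com` is offered on `www.cnet.com` but never on `cmet.com` or on `cnet.com.evil.example`, which is exactly the check a person typing the password by hand tends to skip.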

Be more creative
Sep 13, 2014 3:39AM PDT

There are lots of ways to hide encrypted files in other files, pictures etc, be creative.

What I do
Sep 13, 2014 5:00AM PDT

Yes, password storage is a difficult issue but here's what I do:
I use 3x5 index cards and a plastic box to store them in. Every time I sign up for a new site I list the name of the site, the date I joined, the user name, password & any security questions & answers needed to join the site, banks & cc banks require that type info.
I store the plastic box in my office so they are nearby when I'm online. It works pretty well for me and when my wife & I go to Florida for the winter I just take the box along with me so I can keep in touch with my banking activities.

What I plan to do
Sep 13, 2014 9:06AM PDT

I am following this thread with great interest. I have been keeping a list of sites and their passwords on a spreadsheet, which I keep in dropbox, so I can access it from all my devices. I know this is not a great plan, and it can become cumbersome... I have over 160 sites, many of which have the same password.

After reading the entire thread, I think I will download Lastpass. I plan to convert all my passwords using their generator. However, the websites for my bank, credit card and other sensitive financial info I will not include... I will continue to access them manually, because of the concerns I have read about info in the cloud.

I'd love to know people's thoughts on this plan.
JB

I don't care what other say here..
Sep 14, 2014 1:56PM PDT

The cloud is the inevitable future - yes it has troubles now, because it has just started and the industry doesn't know how to deal with all the attacks, advanced persistent threats, and network penetrations - but if anyone in the industry gets it right I'm banking on LastPass. They have only had one problem in all the years they've been in business, and they IMMEDIATELY notified the customers that they were monitoring suspicious behavior inside their network!! How many security companies do you know that actually do that instantly on the 1st sniff of trouble? NONE! So this gives me great starting confidence in this company, and they have not had an incident since. The after action investigation concluded that only some "blobs" were moved around inside the network and were never compromised. As far as I've known about encryption technology, a blob is a file of encrypted information that the service has no control over because they have no access to it. LastPass does not know your console password, and will never know anything about the contained information without that knowledge. This also puts hackers/crackers at a disadvantage if they think they can steal information. First, they would have a hard time knowing if the data belongs to any particular individual - NOT - then they would have to know where it begins and ends - NOT - then they would have to get away with exporting it because it is encrypted and cannot be of value to them, unless they have a package they can send somewhere and attack it. This would take some of the best hardware known just to get reasonably encrypted data cracked, but with advanced technology, it would practically take a nation state effort!!

I for one am not paranoid enough to think the Chinese or aliens are after me, so I am going to continue to trust (but verify) that LastPass knows its stuff, and is the best solution on the market for a free service!! However, I have not asked LastPass as of yet, if they think a screen capture or key-logger can detect your console login. This is the most vulnerable time, and of course this is true for ANYTHING you do on a PC or cell phone. So no matter what you use you can be compromised by this fact. I use Rapport by Trusteer to protect against screen shots, as long as I am in an SSL browser session. The only problem is - sometimes I am not in a browser session when logging into my vault, so I also use Keyscrambler Pro to assure that at least the key strokes are scrambled while typing into the console. I have never seen a better way yet to do this, and of course you should always have a blended defense in any device you are using with sensitive personal information on it.

Does anyone clean your office?
Sep 16, 2014 6:29AM PDT

This sounds far more dangerous than anything in the cloud, especially if anyone else--technicians, custodians, emergency personnel, etc.--has access to your office. My office is at a university, and we are regularly warned to lock our doors if we leave even for a minute or two, yet many colleagues leave their doors open with abandon.

LastPass is good; simple passwords on paper are bad
Sep 13, 2014 2:46PM PDT

If you want to write down your passwords on paper, be safe. Make one secret, short password (NOT a word in any language - modern, historical, fictional included). If you want to keep a copy of this secret, keep it in a safe deposit box. Then in a notebook write a unique password for each website. However, when entering your password, type your secret short password and then the password you wrote down. Now if somebody copies or steals the notebook, your passwords are still safe.

A better answer is LastPass. If you are using a desktop or laptop computer, the free version is fully adequate. If you want to securely synchronize your passwords you need the premium version. Where the encrypted password file is stored really does not matter, whether it is local or in the cloud; it could be stolen or compromised. What matters is how the encryption is done. Using a secure algorithm like AES-256 alone is not even close to adequate -- there are lots of details that are all critical. LastPass is secure because they do their security well, and all the encryption is done on your system, using information that is present only on your local system, and only in secure form. For details (lots of details) see https://www.grc.com/sn/sn-256.htm

However, you do need to memorize one good password for LastPass. It needs to be both complex (upper case, lower case, numbers, special characters) and long. Do not make it long using any dictionary words, and do not try to be cute, simply changing letters to numbers in any pattern - hackers will try every dictionary word with i replaced by 1, e by 3, and many, many others.

Definitely true!!
Sep 14, 2014 2:14PM PDT

And I forgot to mention in another statement I posted here that LastPass makes it VERY easy to recover after a disaster, because all you have to do is install the plugin after recovery and voila! All your data is recovered. Some folks here might not realize that LastPass also stores the data on your hard drive in case the network goes down, and they use the same ingenious technology to encrypt it there on your hard drive.

There may be competitors that have a USB device like Yubikey that can securely store this vault, but I tend to lose such devices, and cannot take a chance on that - if I were able to put it on a key-chain around my neck, and NOT lose it, that would be the best ever solution, I would think. Key-loggers are still the enemy in these situations though, so good, blended security on the device is still a requirement. Yubikey's one time password can make this a very difficult avenue of attack for keyloggers and other malware - so it still looks like one of the best solutions on the planet. There may be other competitors just as good, it is just that I can't remember their names. None of these key fob devices are free either of course.

USB Drives get lost
Sep 16, 2014 6:41AM PDT

I have lost two USB drives, usually by leaving them in a computer somewhere, to ever trust confidential data or passwords to them. I guess I'm a little absent-minded after making a presentation using a USB drive, or just plain careless, but I do try to watch it and sometimes fail. If the data are encrypted, maybe these would work, but if a drive gets lost so are your passwords. So I'm glad you brought this up, JCitizen.

After keeping PWs in a little notebook by my desktop for over a decade I am moving to LastPass Premium. I need to have access to my PWs when I travel and on my smartphone, and this is a lot safer than copying them down somewhere, whether electronically or on paper. Wallets get stolen, USB drives fail or some dummy like me leaves them in a computer, and memory blurs especially since I have over 100 PWs and maybe 30 login ids, all in different combinations.

Everything carries some risk, and certainly we should be apprehensive about the cloud. I won't keep financial PWs on LP, for instance. But from everything I've read here combined with my own recent review of PWMs, they seem a lot less risky than any other solution.

I think you will find it is great!!
Sep 16, 2014 9:23AM PDT

Once you learn the little peccadilloes of having it remember passwords from sites you already had or recently created - just be sure and tell it to replace the existing site, if it is already in LastPass memory. I never click confirm on any LastPass pop down - I don't remember why, but I got unexpected results. It might not remember User IDs once in a while but they can be edited to include them. Surprisingly it remembers answers to security questions, but it is a little tricky if done out of order.

I don't know what I'd do without it, because I can't stomach any other kind of usage - although there may be other similar competitors, I always recommend it to my indigent clients because it is free, also. The support for the Pro version is nice to have - especially if a browser update breaks the plugin.

I use keepass
Sep 14, 2014 5:43AM PDT

Keepass works great for me and stores it on my HD. I also keep backups of it on external drives.

I suppose if I were to keep a cloud copy, I would change the file type and name, create dummies, encrypt it in an archive amongst lots of dummy archival files, each with random character names and complex passwords....most hackers would probably never find the exact file amongst all the dummies, then they would have to figure out which file is the real one, find out what it is, then further hack all the passwords to even get to that point....overkill but what else can you do if you're really into hiding something on the cloud?

nothing safe in the cloud...
Sep 14, 2014 6:20AM PDT

I keep my passwords in an encrypted file on my computer, in a name and format that isn't obviously a password file. I lay it out in a way that I can find my passwords, but someone snooping will have a hard time understanding. I also created a paper copy for my wife which I update whenever my file changes (adding or changing passwords).

More importantly, I make strong passwords that no one would be able to guess based on their knowledge of me- no names, birthdays, addresses etc. and I change them often, several times per year.
I don't reuse passwords, or use the same ones on different sites.

I believe that these precautions keep most prying eyes out of most people's data. Most of my data isn't valuable enough to make it worth the time it would take to beat this system. But, let's face it, if the NSA or CIA wants into your stuff they are going to get in.

Data breaches are serious, and can greatly affect individuals this is true. But a little caution on everybody's part can keep most of our private data safe from those who would do us the most harm- people who would steal our personal resources, money, credit, identification.

It's a sad truth that governments and business have gotten so greedy and paranoid that they can and do use their nearly limitless resources to constantly spy on citizens and create such an atmosphere of fear.

Manually in multiple clouds
Sep 14, 2014 7:47PM PDT

I have now gone to RoboForm because it is so simple and it is secure enough for me.

Before this I had two files stored on two different internet sites.

The first list contained the identification of the password (site or whatever) and the current password number along with the date of change and the previous number. I email it to myself as a backup because it has nothing sensitive in it.

The second list was a numbered list of passwords stored on another site. On top of that, I had a systematic error in the passwords: the last position in the number told me which position in the password was garbage and should be omitted when entering the password. This list I email to another mail account for backup. It is without meaning unless you also have the other list.
Even if someone got hold of the two lists they would have to know about the systematic error to be able to use it.

Is Pope a Muslim?
Sep 15, 2014 1:37AM PDT

Same answer. In one word- NO. Clouds are not safe, we've (well, most of us) agreed on that a few weeks ago.
Storing all your eggs in the same basket is primarily a bad idea (I'd say stupid... yet there would be those who'd scorn me for that). So my advice, after more than 25 years spent in computing, is as follows:
1. Only store in the cloud things that may cause you no harm if stolen or mean nothing for you if lost (not last holiday's pictures, not those from the company party that went wild, NOT your home sex videos... or this kind of stuff). You may for instance store your essays from college, report cards from your son's school, scans of your 5 year old's pictures or images taken of his play-dough modelling exhibits.
2. NEVER, and I mean NEVER use a password manager. Instead of having to steal numerous passwords, the supposed hacker would only have to break your password manager to have it all.(See above with all eggs in the same basket).
3. Use your brain, or if all else fails, notes you carry in your wallet or as text notes on your mobile, which may help you remember those passwords (my son's birthday and his 2 name initials, and so on). I use combinations of difficult to guess notions and numbers which are important to me and have never written any password down.
Be sure to always complete and update all the data that may help you retrieve your password (secondary mail, phone number, secret questions, etc.), since if your mnemonics or memory fail, you may have to "request a new password".
All in all, if you have to use a password manager, store the information anywhere you want BUT the cloud.

This Koo question breaks a record
Sep 15, 2014 9:08AM PDT

I can't remember one of your forum questions that had more dumb answers than this one. Especially all the "don't use the cloud" responses. It appears some responders are just using Google search to dig up headlines that support their case, then provide a link that doesn't offer any support.

Now you should ask some real experts in the field. Obviously they missed this one, but I'd like to know.

Add yours to the list of dumb answers
Sep 16, 2014 3:20AM PDT

So called experts are either trying to sell you something or the guys who came up with the idea. You don't trust a fox to guard the hen house. Anything that is important to me, I want under my full control. The only thing the companies selling cloud services care about is making money off of you. Now that all the bad guys know that so many people are using the cloud, the cloud has a giant target painted on it and lots of criminals are aiming to break in. If a criminal can break into one of those password managers stored on the cloud, they just got the keys to someone's kingdom.

The best, and safest, way to manage passwords is with an application you can keep on a USB drive. Password protected and with you at all times. You can back it up to your home computer in case you lose the USB drive. Safe and secure.

Again, it depends on the Password Manager
Sep 16, 2014 7:40AM PDT

" If a criminal can break into one of those password managers stored on the cloud, they just got the keys to someone's kingdom."

Stealing the information LastPass stores for me doesn't hurt me at all. You need to guess the correct master password, along with how many password iterations (PBKDF2) I used. LastPass recommends 5000 iterations. (https://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/). In short getting the encrypted data that LastPass holds is worth next to nothing because you're not going to be decrypting it any time soon.
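The model the post above relies on, a vault key stretched on the client with PBKDF2 so that the stored blob is useless without the master password, the salt and the exact iteration count, worked through in an added Python example. This is illustrative code written for this thread, not LastPass's implementation: the salt (the account e-mail), the sample password, the 5000-iteration figure taken from the post, and the one-extra-round login token are all assumptions about how such a scheme is typically built.

```python
import hashlib
import hmac
import os
import time

# Constructed example values (hypothetical account, not real data).
EXAMPLE_SALT = b"christine@example.com"   # assumption: account e-mail used as salt
EXAMPLE_ITERATIONS = 5000                  # the figure quoted in the post above


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    This runs on the client.  The server never sees master_password, and the
    key depends on the salt and on the exact iteration count, so someone
    holding a stolen encrypted vault must guess all three to test a candidate.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def login_token(vault_key: bytes, master_password: str) -> bytes:
    """One further PBKDF2 round over the key; this, not the key, goes to the server.

    PBKDF2 is one-way, so the server can store and compare the token without
    being able to recover the vault key or the master password from it.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32
    )


def tokens_match(stored: bytes, presented: bytes) -> bool:
    """Constant-time comparison, so response timing does not leak matching bytes."""
    return hmac.compare_digest(stored, presented)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one derivation: the cost every candidate master password imposes
    on whoever is trying to open a stolen vault offline."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", os.urandom(16), iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    pw = "correct horse battery staple"            # constructed sample password
    key = derive_vault_key(pw, EXAMPLE_SALT, EXAMPLE_ITERATIONS)
    print("vault key  :", key.hex())
    print("login token:", login_token(key, pw).hex())
    # Same password and salt, iteration count off by one -> unrelated key.
    other = derive_vault_key(pw, EXAMPLE_SALT, EXAMPLE_ITERATIONS + 1)
    print("key changes with 5001 iterations:", key != other)
    for n in (EXAMPLE_ITERATIONS, 100_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Two things the run makes concrete: the server-side token is a different value from the vault key, so a breach of the authentication database does not hand over the decryption key; and raising the iteration count multiplies the per-guess cost for an offline attacker while adding only one derivation per login for the legitimate user. The comparison function uses `hmac.compare_digest` for the same reason any password verifier should, to avoid leaking a prefix match through timing.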

Are you leaving your car (closed) in public places?
Sep 16, 2014 11:15AM PDT

Or all the time you leave the car in the garage at home? At least it's not very convenient. But even that does not give full guarantee of security - it can be stolen even from there.

The point is that clouds are NOT safe. And should only be considered from this point of view. A good password manager IS safe - regardless of where the password database is stored.

Of course, there is no such thing as absolute security. But there is a sufficient level of it.

common sense
Sep 16, 2014 11:10PM PDT

To use your analogy, if I keep my car in my garage it is safer than keeping it in a public garage. I can secure my garage better. I can make sure I am the only person with keys to the car. Yes, someone can still steal my car if they wanted to, but it is much safer than in a public garage where some minimum wage worker is working for a giant company that is only interested in profit.

Yes, you are right there is no absolute security. My sufficient level is higher than some cloud companies level.

common sense
Sep 17, 2014 3:07AM PDT

Yes, maybe it's safer.
But why do you need the car, if it can not go anywhere?

I need full access to the password database from multiple locations with the ability to create new records in it. Previously, I used to synchronize databases via a USB stick; now I'm using a cloud service. It's faster, more convenient and, in my opinion, not less safe.

Too hot under the collar?
Sep 26, 2014 5:29PM PDT
Sticky Password is the solution
Sep 15, 2014 11:03PM PDT

Well if you are concerned about your passwords being stored in the cloud I would recommend Sticky Password - I have used this software for many years and even though they have an online version, they also have a desktop version which is offline and does not sync your passwords with the cloud. I care about my security so I always choose the offline approach.

password managers
Sep 18, 2014 7:53PM PDT

Password managers are safe to a limit. If you are using a password manager you are securing your confidential data. Do not compromise on your data security. Every website has its own features. The most confidential data can be saved only on reliable sites. This is the only reason why I am using Free Cloudbacko. I found it very secure and my passwords are also managed confidentially. I usually put strong passwords according to the privacy of my data.

password mgr
Sep 18, 2014 10:58PM PDT

1st, keeping passwords all in one location, be it your HD or the cloud, is not safe. The cloud makes everything easier for both hackers and big brother to get. Why do you think it is big business and the gov. doing the big push to go cloud? It's easier for them to watch us. Also I believe people keep too many passwords. While I agree critical stuff should be diff, why have 35 diff ones? IF, as an example, you are a member of say 8 diff sites about cooking, things like that, one for all is good enough.