Password Manager Discussion.

Discussion in 'other software & services' started by Mayahana, Jan 28, 2015.

  1. Jadda

    Jadda Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    429
    Same for me. Lastpass, Sticky Password, Roboform etc. annoy me more than being a valuable and effective tool for daily use. If it doesn't work perfectly, I'm quick to switch to something else.
     
  2. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    As far as I can see this is done by one developer dealing with the product from A to Z.... it may be good and solid, but I would personally be scared to deposit all my passwords in the hands of one developer. Maybe I am wrong.
     
    Last edited: Mar 25, 2015
  4. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,910
    Location:
    USA
    Trust no one. For example I got "Lastpass" yesterday. If I had done it their way I would have erased all traces of backups on my computer... I have the backup copies encrypted with Axcrypt; I just added the websites' passwords as I logged in automatically, leaving keepass's database intact. What you should do is get 2 or 3 password managers that meet your specifications and set them up with the same list of passwords, in case one password manager's method of putting in the password doesn't agree with the website and can't be modified for just that one website.
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Please explain how LastPass would have erased the backups on your computer.
     
  6. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,910
    Location:
    USA
    When installing Lastpass the dialog box said that it found my passwords on my computer and it would erase the copies not in Lastpass's vault, or I could choose to enter the passwords later on logon or manually.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    That sounds like LastPass doing its job of offering to make the computer more secure. If it hadn't given you a choice that would have been a problem.
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Lastpass has revealed that if the US Govt. asked for their users' password databases, they'd turn them over.

    "If ordered by the government, we would hand over a blob of encrypted data that they could attempt to brute force." -Joe Siegrist CEO
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Can you link to that quote?

    Also, can data encrypted with 256 bit AES be cracked by a brute force technique in any reasonable amount of time? If not what would be the point of trying to withhold the encrypted information from the government?

    https://lastpass.com/whylastpass_technology.php

    "A large number of PBKDF2-SHA256 rounds are utilized to create your key, with the ability to increase the number of rounds over time to render brute forcing your master password impossible."
     
    Last edited: Mar 29, 2015
  10. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,107
    Location:
    UK
    From 2013

    http://www.techrepublic.com/blog/it-security/how-safe-are-online-password-managers/

     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
  12. 142395

    142395 Guest

    Yes, bruteforcing AES256 in a reasonable amount of time is currently impossible regardless of PBKDF2 (it is for preventing password bruteforce, not for key bruteforce). Nobody knows the future, but at least it will remain impossible for several years. So I don't care if they hand my encrypted contents on to law enforcement or so. I don't think other pwd mgrs are exceptions as long as they are in such a country.
     
  13. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    I set those rounds at 100.000, just in case....

    Has anyone tried this?

    https://encryptr.org/

    It's being recommended by this privacy oriented website:
    http://www.privacytools.io/
     
  14. 142395

    142395 Guest

    Haven't tried it, but from all the review articles I have read, it seems not yet mature. No sort function, no automatic filling, no 2FA etc. Also they don't have a detailed explanation of their encryption.

    Contrary to this, Mitro has a quite detailed explanation. I read all of it, and have doubts about their claim about the algorithm. I believe the NSA or such an organized attacker can bruteforce 128 bit AES. [EDIT: I misunderstood something. It seems even AES128 is secure enough, as well as RSA2048. Good to know.] It's too bad, because otherwise they look very promising: automatic filling in a secure way, detailed transparent explanation and security experts' audit, 2FA etc.
     
    Last edited by a moderator: Apr 3, 2015
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    NSA is scooping up and 'holding' encrypted data in huge amounts. NSA is currently the largest hard drive purchaser in the world. It is assumed they are holding this data for such a point when they can readily decrypt it with less effort, potentially through quantum computing advances that are moving forward. Archiving the world's encrypted data takes considerable resources, obviously.
     
  16. 142395

    142395 Guest

    Let's see how much resource is needed to brute force AES.
    https://www.reddit.com/r/theydidthe...e_and_energy_required_to_bruteforce_a_aes256/
    http://www.eetimes.com/document.asp?doc_id=1279619
    NSA currently has a PFLOPS-level supercomputer, which is the same as Tianhe-2, and is planning to build an EFLOPS-level computer.
    But with simple math, you can see even this EFLOPS-level computer is meaningless against AES.

    Of course there are more efficient ways to attack encryption, and they are chosen-plaintext attack, related-key attack and, more practically, side-channel or even malware, physical intrusion, bribery or menace. But those attacks are not possible by just getting encrypted at-rest data.

    Also, even if they had a quantum computer capable of using Shor's factorization (note there's no known quantum computer which can use it in a practical way), it is only useful to decrypt RSA, DSA, and ECC. It doesn't accelerate much against bruteforcing AES or generally symmetric encryption. At most the strength of AES256 might fall to the degree of AES128, so it can't decrypt AES256.

    [EDIT:] Well, it seems I misread your comment. Maybe your point is more that they can decrypt them in the future when computers become much faster, right? But then, I doubt I'll use the same password until then...
     
    Last edited by a moderator: Apr 3, 2015
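    A worked version of the arithmetic behind the PBKDF2-rounds remarks in posts 9 and 13 and the "simple math" brute-force estimate in post 16, added here as an example; it is not code from any poster or from LastPass. It uses Python's standard-library PBKDF2-HMAC-SHA256, and the 1e18 keys/second figure is an assumption that takes "EFLOPS" literally as one AES key trial per operation, which is generous to the attacker.

```python
import hashlib
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Derive a 256-bit vault key from a master password with PBKDF2-HMAC-SHA256.

    Every extra round costs the legitimate user one more HMAC per unlock, but costs
    an attacker one more HMAC per *guess*, which is why raising rounds is cheap for
    defenders and expensive for password brute force.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def years_to_exhaust_keyspace(key_bits: int, keys_per_second: float) -> float:
    """Years to try every key of a symmetric cipher at a given trial rate."""
    return (2 ** key_bits) / keys_per_second / SECONDS_PER_YEAR


def grover_effective_bits(key_bits: int) -> int:
    """Grover's algorithm halves the effective key length of a symmetric cipher
    (AES-256 -> 128-bit work); it does not break it outright."""
    return key_bits // 2


def years_to_exhaust_passwords(alphabet: int, length: int,
                               raw_hashes_per_second: float, rounds: int) -> float:
    """Years to try every password of a given alphabet and length when each guess
    costs `rounds` PBKDF2 iterations on attacker hardware."""
    guesses_per_second = raw_hashes_per_second / rounds
    return (alphabet ** length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample: a random per-vault salt and the 100,000 rounds from post 13.
    salt = os.urandom(16)
    key = derive_vault_key("correct horse battery staple", salt, 100_000)
    print("vault key:", key.hex())
    # Assumed rates: 1e18 key trials/s for the EFLOPS machine, 1e9 SHA256/s for a cracking rig.
    print("AES-256 keyspace, 1e18 keys/s: %.2e years" % years_to_exhaust_keyspace(256, 1e18))
    print("AES-128 keyspace, 1e18 keys/s: %.2e years" % years_to_exhaust_keyspace(128, 1e18))
    print("AES-256 under Grover: %d effective bits" % grover_effective_bits(256))
    for rounds in (1, 100_000):
        yrs = years_to_exhaust_passwords(36, 10, 1e9, rounds)
        print("10-char [a-z0-9] password, %d rounds: %.1f years" % (rounds, yrs))
```

The PBKDF2 rounds change nothing about the AES keyspace figure; they only decide how much a wrong master-password guess costs the attacker, which is the distinction post 12 draws.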
  17. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Correct. Sigint often is about gathering data, and accessing specific points when necessary, or when capable, but the data is still gathered.

    How is Sticky Password? I have the opportunity to get a lifetime license for $20 or so right now.. Satisfied with Dashlane, but Dashlane is relatively expensive.
     
  18. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Why would anyone trust a password manager that stores information on their servers?? Or pay for a subscription. I don't use such things, obviously, but if I did, I would want it to be secure and only use local storage and preferably be an open source GPL app that was accountable. And I would only use it for less important passwords. Otherwise, I'll manage my passwords myself.
     
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Cloud storage is often more secure than local storage for a variety of reasons. Cloud companies have specific high level engineers tasked with ensuring security, and monitoring divergent parameters. Also the risk level for corporate destruction in the event of a large compromise is a strong motivator for their business models, hiring, and operational mandates. We have full time engineers with the only purpose of securing our cloud systems, and watching for anomalies. 24 hours a day, and making security adjustments/improvements almost daily. Generally speaking, your individual machine may actually be less secure.
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
  21. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Out of curiosity, can these password managers cope with web sites that ask for third, fifth, eighth etc letters of your password?
     
  22. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    I tested and used Mitro extensively a couple of years ago, before the project was basically abandoned.
    I also wrote a short review, but I cannot find it any longer. It was in the "old" Wilders, before the migration to the new Xenforo platform. Maybe the mods can retrieve that, if of interest.

    I installed Encryptr just to try it. But as you said, it's not ready yet. Also it lacks any import function, which is a big hurdle when you have many passwords. However, I very much liked the way it was able to copy the username or password: just clicking and holding on the field. Very comfortable!
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Don't care. If they wanted that same info, it would be easier to get other ways. If they want my login for a particular site, they would be able to get it by demanding it from that site. Nothing to see here.
     
  24. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    You are missing the point, which I am unsure of how it could be missed..

    The fact they are willing to turn the data over without any resistance is the problem. Not what the data is. What the data is is largely irrelevant.
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    It doesn't matter how competent they are, you are still handing over extremely sensitive information to a corporate 3rd party. If you want real security, learn how to handle it yourself and divorce yourself from dependence on corporations. Even well-intentioned corporations can have bad or incompetent employees, and not all of them are so well intentioned.

    Hard drives for cold storage of sensitive data are cheaper and better than subscriptions to services that have to be renewed to keep working. Encryption software is not a problem either, there are decent free and open source options. For real sensitive passwords, I would still go the notebook approach and some manual cryptography if you are really paranoid.
     