undefined | Better HN

0 pointsr00fus9y ago0 comments

Perhaps because the concept of a cloud keychain is just too tempting for exploits?

If someone gets my keychain they own me completely and can quite possibly ruin my life.

0 comments

9 comments · 3 top-level

pixelcloud9y ago· 5 in thread

But the most common alternative is Keepass in Dropbox... Which is effectively very similar

One difference is that Dropbox isn't the only option: there's Google Drive, Amazon Drive, OneDrive, Box, OwnCloud, Syncthing, Resilio Sync, SFTP, and many other "plain dumb file sync" tools to choose from. That certainly increases the security footprint some. You might know I synchronize a KeePass file with a cloud provider, but you might not know which cloud provider, and while the chances of any one particular cloud provider being hacked are somewhat large it seems, the chances of all of them being hacked enough at the same time that you find the KeePass file needle in my particular cloud footprint haystack is hopefully pretty rare. It's also something that if you get wind of an attempt in progress you can mitigate/defend by switching sync services or removing it from sync altogether until the attempt ends...

Because it's "dumb file sync" with a number of options, there are also some really interesting options with interesting security footprint trade-offs of their own. Resilio Sync, for instance, originally known as "BitTorrent Sync", supports peer-to-peer sync and more interestingly supports "encrypted peers" where you can have a cloud provider participate that "knows nothing" about what is inside the synced folder but can still share/sync it with your devices that do.

Similarly, if someone develops something crazy like a killer secure and somehow user friendly IPFS sync option tomorrow, you could switch immediately.

nindalf9y ago

Not that similar. The reward-to-effort ratio for attacking LastPass is much better, you'll gain access to the passwords of so many users. With Dropbox, its less likely that you'll find something valuable and therefore less worthwhile to try. Most users would store their vacation photos, perhaps income tax info which might be useful but not as instantly exploitable as passwords.

patrickk9y ago

Plus the password database is likely encrypted with a decently long master password and encrypted with AES (assuming this if the user has gone to the trouble of using a PW manager with Dropbox sync, hopefully with Dropbox 2FA also). That should be enough to keep out virtually all hackers, barring perhaps a nation state. For an extra level of security, you can (with KeePass at least) require a master password and key file (perhaps stored offline on a USB key), which will likely keep out virtually anyone.

josephcooney9y ago

Not really. If dropbox is compromised and they get your .kdbx file they've still got to be able to break that (unless you use the same password for dropbox and your kdbx file....which is not a good idea).

creshal9y ago

There's self-hosted team solutions around, they just don't get as much exposure.

(Like mine: https://pave.software/ )

sthrs9y ago· 1 in thread

You don't have to keep all of your credentials in LastPass. For example, I don't store any email credentials or important accounts such as Google or Microsoft. Everything else (like HN) is negligible if LastPass gets owned.

kakarot9y ago

So where is the benefit over keeping all of my passwords in a non-cloud storage solution with KeepassX2?

dbg314159y ago

To say something cliche... aren't you letting perfect be the enemy of good? =P

Most teams (you'll agree?) have horrible aggregate password management. With every person storing passwords their own way... and only a few people actually having good passwords... isn't security at the organization level really crappy? Here's a real world example... you can have all the security you want on your servers... but if someone in legal still has access to the "Passowrd123" for the AWS account... isn't the team at a disadvantage? Another cliche warning: I need to care about forests, not trees.

At least with LastPass (or whatever other system you can think of that's similar) you can setup "pretty good" team-based policies... share passwords with people who need access (and often not even expose the actual password just access to it so you don't have to change everything in the event of turnover)... set up dead man switches on key accounts (for the hit by the bus scenario we all talk about)...

I know that LastPass has made my life significantly easier since adding it to a number of companies I consult for. I don't know of any security issues first-hand, and I've been using their service for 7 years (personally, and 5 years with teams). I like all the self-hosted options I keep reading about -- glad people are taking security more seriously... but at the end of the day if it's not a comprehensive team-based solution, it's just not something I want to put any stock in. If I can't administer it across a team, if it's just another "personal use only" type option... I don't find any value to it in the workplace.

j / k navigate · click thread line to collapse