
saberahul

macrumors 68040
Nov 6, 2008
3,645
111
USA
Do people use Cloud-based password keepers? Isn't it inevitable that they will be hacked?

It is possible. I use Dashlane with 2-step authentication (which, for the record, isn't failsafe) but am slowly moving to iCloud Keychain. Mine is set up such that every password is over 20 characters long and unique in its own way; hence, if one account was to get hacked, others wouldn't be affected. Of course, my iCloud Keychain itself can be hacked but I am not some high-end person whose private information will cause a dramatic effect; i.e., if someone hacks my account, so be it - I can easily manage with it.
 

ApfelKuchen

macrumors 601
Aug 28, 2012
4,334
3,010
Between the coasts
It's hard to know what's inevitable. There's certainly added exposure with the cloud, since a locally-saved password keeper isn't going to put that encrypted data out where it can be sniffed. The question is, will the encryption be cracked? On that basis, every web commerce transaction, every electronic banking transaction, every corporate VPN... It's going to be a matter of the resources available to the "bad guys," and whether the target is worthwhile.

Security inevitably involves trade-offs. If a constantly-up-to-date-on-all-devices cloud-based approach encourages us to abandon passwords we can remember in favor of long, randomly-generated codes, will we increase overall security to the point where the cloud risk is secondary?

But in the end, cloud-based or not, a single password that unlocks access to hundreds of passwords is a chink in the armor. It's a trade-off I accept, because it's a darn sight more secure than Post-its.

I trust that any of the well-known password safes will be as secure as any other, on a technical level. The field is sufficiently competitive to help assure that. I find usability to be more important. The password keeper I use is more valuable than the one that's a pain to use. It's more about avoiding unnecessary password resets than about keeping the NSA and Asian hackers at bay.

I've used SplashID for quite a while now. There are things about it that I find clunky or inconvenient. But it does the job, and I'm not sure that the grass is greener among the competing products - everything's flawed, just in different ways.
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
It's hard to know what's inevitable. There's certainly added exposure with the cloud, since a locally-saved password keeper isn't going to put that encrypted data out where it can be sniffed. The question is, will the encryption be cracked? On that basis, every web commerce transaction, every electronic banking transaction, every corporate VPN... It's going to be a matter of the resources available to the "bad guys," and whether the target is worthwhile.

Security inevitably involves trade-offs. If a constantly-up-to-date-on-all-devices cloud-based approach encourages us to abandon passwords we can remember in favor of long, randomly-generated codes, will we increase overall security to the point where the cloud risk is secondary?

But in the end, cloud-based or not, a single password that unlocks access to hundreds of passwords is a chink in the armor. It's a trade-off I accept, because it's a darn sight more secure than Post-its.

I trust that any of the well-known password safes will be as secure as any other, on a technical level. The field is sufficiently competitive to help assure that. I find usability to be more important. The password keeper I use is more valuable than the one that's a pain to use. It's more about avoiding unnecessary password resets than about keeping the NSA and Asian hackers at bay.

I've used SplashID for quite a while now. There are things about it that I find clunky or inconvenient. But it does the job, and I'm not sure that the grass is greener among the competing products - everything's flawed, just in different ways.

Nice post.

I personally use 1Password... which of course keeps the vault secure on your own machine (if you choose). In that case... the biggest vulnerability is the combination of someone having physical (or virtual) access to your machine... plus the ability to decrypt the vault. Both

However, having the vault on a single machine is too limiting for me to be useful, so I choose to share it via Dropbox. The other alternative is to share it via iCloud. Either of those does indeed add a new vulnerability... the security of the cloud.

Still... it requires cracking both vulnerabilities. Cracking Dropbox plus cracking my vault. I am willing to take that risk... because as you said, the alternative has its own different vulnerabilities. I do not know a single person who could possibly manage hundreds of unique and complex passwords... so most have some system of password re-use. That would leave them vulnerable to a password breach on any of the hundreds of sites (such as the one here on MR)... and then using that common password on other sites. To me, that is a MUCH greater risk than using a secure vault... even if that vault is shared via the cloud.

/Jim
 

Spink10

Suspended
Nov 3, 2011
4,261
1,020
Oklahoma
I personally enjoy the interface of LastPass - very helpful especially with a premium account for $1 a month. The iOS browser needs some work but I generally just use it to copy the user/pw into Safari on iOS.
 

Pharmscott

macrumors 6502a
Dec 13, 2011
624
2
Sacramento, CA
Another vote for LastPass. I recently started using this and the interface and functionality are great. The app even will give you an overall security score and point out any weak or repeating passwords that you have.
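
The reuse risk and the "weak or repeating passwords" check discussed in the posts above can be reproduced locally. This is an added example, not part of the thread and not LastPass's scoring method; the sample entries, the 60-bit cut-off, the character-pool estimate and the score formula are all assumptions made for illustration.

```python
import hashlib
import math
import string
from collections import defaultdict

# Constructed sample entries (site, password); not real credentials.
SAMPLE_VAULT = [
    ("forum.example", "Summer2013"),
    ("shop.example", "Summer2013"),
    ("bank.example", "q7#Vd9!xLr2@TmZ4pWc8&Hs"),
    ("mail.example", "kitten"),
]
MIN_BITS = 60  # assumed cut-off for "weak"; not any vendor's value


def charset_bits(password):
    """Upper bound on entropy: length * log2(pool of character classes used).
    Human-chosen passwords are weaker than this bound suggests."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 32  # ASCII punctuation count, assumed for any other character
    return len(password) * math.log2(pool) if pool else 0.0


def audit(vault):
    """Return reused-password groups, weak entries and a 0-100 score."""
    by_digest = defaultdict(list)
    weak = []
    for site, password in vault:
        # Group on a digest so plaintext passwords are not used as dict keys.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(site)
        if charset_bits(password) < MIN_BITS:
            weak.append(site)
    reused = [sorted(sites) for sites in by_digest.values() if len(sites) > 1]
    flagged = set(weak) | {s for group in reused for s in group}
    score = round(100 * (len(vault) - len(flagged)) / len(vault)) if vault else 100
    return {"reused": reused, "weak": weak, "score": score}


if __name__ == "__main__":
    print(audit(SAMPLE_VAULT))
```

On the sample data only the long random entry passes: the shared password puts two sites in one reuse group, so a breach of either one exposes the other.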
 

old-wiz

macrumors G3
Mar 26, 2008
8,331
228
West Suburban Boston Ma
No matter what password manager you use, the most vulnerable point is the password needed to access the password manager. It isn't going to help if you use 1Password or any other if your entry password is itself vulnerable.

The managers and keychain can encrypt until even NSA can't break the encryption, but if the entry password is too simple....
 

yassinee12

macrumors newbie
Nov 27, 2013
1
0
1Password for me is the best. I migrated from LastPass a few months ago and couldn't be happier.
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
No matter what password manager you use, the most vulnerable point is the password needed to access the password manager. It isn't going to help if you use 1Password or any other if your entry password is itself vulnerable.

The managers and keychain can encrypt until even NSA can't break the encryption, but if the entry password is too simple....

Very true. I'd be willing to bet that many have very weak passwords for their vaults.

It is kind of like writing the combination on the safe.

/Jim
 