Hacker News

> Maybe you can't. Everybody has their own risk tolerance, but at some point, everybody's going to have to draw a line.

I'm in agreement with parent, I think putting your passwords in the cloud is a wild single point of failure. Even if you can tell a compelling story about how they carefully encrypt everything right now, you're always a silent update away from it all being dumped on the internet.

I think people (in aggregate) just don't care about the risk and will take the path of least resistance. They don't have to draw the line there, but they will.

> My password manager being compromised would indeed be a huge time suck, but I don't think the long-term consequences would be any more severe than a few key individual accounts that are probably even more vulnerable.

Having your main email account compromised seems like an absolute nightmare where you potentially lose control of every single service that you subscribe to (banking, utilities, cell phone (so maybe 2fa is even broken), medical portals, social media, etc).

Having your entire set of passwords compromised is like that on steroids. Rather than your attacker having to use your email to get to each of those services one at a time, they just have them immediately. And who says you'll even know that your stuff was compromised?

I'm a bit of a crank though. I don't do any of the smart home stuff. I see my phone as a necessary evil. If some company shoehorned an app or a WiFi connection into their product, I don't buy it. After being in tech long enough, I just want things that work for me, not for the company I bought them from.



> you're always a silent update away from it all being dumped on the internet.

This is true of all password managers that have any ability to connect to the internet. You’re one silent update away from your manager suddenly uploading all your passwords to a random endpoint in Russia.


Theoretically, if you audit the source then you only really need to care about updates to the actual code. If it doesn't do silent updates then it can't change underneath you, even if it does some kind of network operations.

It's not foolproof, but it feels better than a black box that could be a different black box tomorrow or after the next acquisition or round of investment.


> Even if you can tell a compelling story about how they carefully encrypt everything right now, you're always a silent update away from it all being dumped on the internet.

This is also true for your operating system updates, browser, browser extensions, compilers, the infrastructure for your email service provider, any libraries those things use etc. Not to mention your local password manager. Even if you don't accept push updates, do you evaluate the code? What if the vulnerability was timed to pop a few weeks after release? What if it was included in an update that patched a major vulnerability so you went faster than your normal process afforded? Even if you have a local firewall that stops external connections from unrecognized programs— what if it's a whitelisted program or the operating system or the firewall itself?

Why would you trust a password manager's encryption less than you would trust your email service's encryption? I'd bank on the password manager's being a lot more robust.

What about RATs that could access your local password database? RATs are a lot more common than cloud service breaches.

And as I mentioned previously, Dell shipped a hardware trojan in 2010.

There are tons of single-point attack vectors in this chain. I'm not a security expert, but storing encrypted data in cloud storage seems less likely than the others to be a viable target.

> Having your main email account compromised seems like an absolute nightmare where you potentially lose control of every single service that you subscribe to (banking, utilities, cell phone (so maybe 2fa is even broken), medical portals, social media, etc).

> Having your entire set of passwords compromised is like that on steroids. Rather than your attacker having to use your email to get to each of those services one at a time, they just have them immediately. And who says you'll even know that your stuff was compromised?

Let's say they did compromise your email account. Since only a few of your accounts are genuinely consequential to nefarious criminals, the number of password resets they'd need to execute might set them back, what— 5 minutes if it's not scripted? And all of it is moot if you use a 2FA method aside from email? Beyond that, considering how much more frequently email accounts get compromised, singling out the storage location for password manager databases seems pretty arbitrary.

I just don't see how the opposition stands up to a comparison of attack vectors.


> This is also true for...

Agreed, those are already risks, and ones that are a lot harder to mitigate (though I do try where I can). Does that mean I should add another one that I can easily avoid?

There are risks in both local and cloud password managers. Maybe those risks seem equivalent to some folks, and the cloud features are useful enough for it to be a no brainer for them. For me, I don't at all mind manually backing up and manually copy/pasting credentials, and I don't miss the convenience of the cloud features.

> Let's say they did compromise your email account ...

This seems focused on the case of a dedicated attacker focused on you specifically. I'd think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.

In any case, I agree risks already exist in other places. For me in my specific set of circumstances this just seems like an easy one to skip.


Hey— whatever works for your setup. Especially for those who don't use a smart phone and have one machine, it's probably a minimal loss in functionality.

> Does that mean I should add another one that I can easily avoid?

All other things being equal? Avoid it, of course. I firmly oppose letting perfect be the enemy of good in the sense that more secure is better than less secure even if it's not perfectly secure. But I also oppose it in the sense that rejecting beneficial functionality because it's not perfectly secure, especially when it's not close to the biggest or most attractive attack surface, doesn't make sense. Even when password managers' servers were compromised— LastPass, for example— I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.

> This seems focused on the case of a dedicated attacker focused on you specifically. I'd think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.

Nope— If it was automated the distinction is even less significant. A script would only need to search your email for whatever specific types of logins it supported and fire off password resets. Non-email 2FA becomes even more of a hurdle without the option of social engineering it or some other human-touch fix.

Consider this. (Very) roughly, this is the market penetration for these products:

* computer: 90%+

* smart phone: 85%

* tablet: 50%

* computer, smart phone and tablet: 40%

Most people (in this country, at least,) have multiple devices. Most people have internet access. Most people aren't going to be able to manage storing and sharing passwords among their devices at all, let alone more securely than cloud storage would do it. So for most people's use cases, it would be like citing health when refusing to put a teaspoon of sugar into the cup of tea they're having with cake and ice cream.

So like I said, avoid it if it doesn't improve your life— I have no stake in your password management choice— but I will actively butt in to qualify the sentiments expressed in this thread because, a) many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD. Cloud-based password management is vastly superior to regular folks' existing methods. If they're put off by technically savvy people saying they're fundamentally insecure, that is the embodiment of perfect defeating good.


> I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.

Can we actually know this? We only know about the breaches that we're told about, or that are found and disclosed by researchers. I'm not familiar with KeeFarce, but presumably attackers need local access, in which case you're boned anyway.

> ... many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD

So this is the part that I worry about. I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits. I'd love to be proven wrong, but I imagine in 10 or 20 years we're going to have a very different attitude about these things, sorta like people who were using xray machines to size shoes before they learned about the effects.

Once any info gets to the cloud, it's out of your control forever, and it's in a place where it can be attacked by the current ~8 billion people on the planet, and all the new people coming along after that. It's an impossible task to defend against that. Not to mention as someone like LastPass grows, what could be a juicier target than that? Why try to pwn individual services when you can just get all of the legit credentials at once from one place?

If the options are only use the same 6 character dictionary word for every account, or use a cloud subscription password manager, I'd probably recommend the latter. But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution.

In the past I've recommended a local password manager with generated passwords on your one machine that you do anything sensitive with. Back it up on a thumb drive once in a while. For your most used accounts (e.g. email) that you really want to use on multiple devices, use long memorable pass phrases and just enter them in. Some people might think this is primitive, but it's not that hard and it should be plenty safe for most people. It's just not as convenient.


> Can we actually know this?

Can you ever actually prove a negative?

> I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits.

> Once any info gets to the cloud, its out of your control forever.

You're propping up a straw man using a hyperbole.

> But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution[...]

And then presenting your original assertion without any more evidence.

But that's all nearly beside the point.

The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.

The entire point of password managers is to mitigate this. You need to compete with the psychological ease of re-using the same password repeatedly because that's the only way regular users will use it. Then, you can warn them when they're entering credentials into a site where they don't belong. You can warn users if a service they use was breached. You can warn users that their password is weak or reused or old and give them a quick solution rather than leaving them to figure it out. You're making it easy for them because that's the only way it works. If you draw two barely kissing circles on a sheet of paper, that's the Venn diagram of users who care enough about electronic security to deal with the extra irritation of using strong unique passwords but won't use an automated system to do it.

So maybe the second-weakest link is the credentials themselves, and the third weakest link is the collection of websites users submit their credentials to that don't store the passwords in AES-256 encrypted vaults with no local master password storage, like password managers do, and the fourth is probably the browser, etc.

Everything we know about the actual empirical risk of these components points to password managers, in general, being close to the bottom of that list. Prioritizing anything but the most blatant password manager security flaws over even minor user convenience will have a negative net effect. When it's a risk so obscure that we have no documented instance of it occurring among thousands of documented instances of breaches occurring in other services, I'd argue it's less safe.

If you're going to base your security strategy on intuition about our relationship with cloud services, go for it. Personally, I'll leave the faith to the priests and stick to attack vector analysis and balancing limiting attack surfaces with solutions that work most easily for most people, because that's the only way they'll use them.


> Can we actually know this?

> Can you ever actually prove a negative?

Does that mean that you agree that we can't know the extent to which things have been exposed? Cause that's part of my point. Of course you can flip that around and say well you can't prove that nobody compromised your local machine, but one of those things is open to attack from many orders of magnitude more attackers by virtue of being on the open internet and in a physical space that you don't control.

> You're propping up a straw man using a hyperbole.

You're cooking up a tasty word salad there, chef. Can you give me a little more meat here? I don't quite follow. Have you never heard people say that you shouldn't write an email or send a picture that you wouldn't want to see in the newspaper? Its a similar concept. Once you send something out over the wire, your power to make decisions over what's done with it is gone. You have to hope that whatever was listening on the wire is (and will continue to be) benevolent. How do straw men and hyperbole apply here?

> The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.

> The entire point of password managers is to mitigate this.

I agree. That's part of why I use a password manager, and recommend that others do so too. We just disagree on whether or not it's advisable to cede control over that kind of tool to a third party.

It feels a lot like the argument that your money is safer in a bank than in your mattress, which is an argument I agree with. Except replace all the banking regulations and security with a ToS that can change anytime and emails about how very deeply we care about your security. I'll keep my cash in my safe at home in that scenario. Maybe there are some people who'd still be better off using that bank. I wouldn't feel good giving that recommendation though.


You're just being obstinate and not even addressing the points I brought up— just vaguely poking at the premises.

https://en.wikipedia.org/wiki/Russell%27s_teapot

https://en.wikipedia.org/wiki/Straw_man

I have better things to do.


I know what a straw man is, but you just naming the term doesn't constitute an argument. Maybe a more clever person than myself could have intuited what you believed was an example of one, but I couldn't.

Russell's teapot is a new one to me. It seems your position is (correct me if I've misunderstood, or don't, since you don't seem interested in the conversation anymore) that since we don't have definitive proof that we can't trust these third parties, it's wrong to distrust them. I'm too paranoid to buy that. If I can't verify, then I don't trust. Good luck with your better things.



