healthfoki.blogg.se

Pwsafe vs lastpass





  1. PWSAFE VS LASTPASS PASSWORD
  2. PWSAFE VS LASTPASS OFFLINE

PWSAFE VS LASTPASS PASSWORD

I've been looking into the security issues of several password managers on a number of occasions. So again, this comes back to the question of how that data is encrypted.

Disclaimer: I created PfP: Pain-free Passwords as a hobby; it could be considered a LastPass competitor. How do the vendors deal with security bugs as they are discovered? How much of the product's behavior and design is independently verifiable? Do the creators understand the crypto that they are using?

For systems, like 1Password, that don't have any data from users, there is very little reason for us to even be approached by government agencies (and we haven't been.) At the same time, you should assume that governments do have access to your data stored on sync systems. The other questions about trusting the suppliers of the password management system come down to trusting our competence and trusting that we haven't been coerced/bribed/"persuaded" to allow for a back door into the system. This then goes back to how well your data is encrypted, which is something to look at carefully. You should always assume that there is a non-negligible possibility that your encrypted data will be captured. So your encrypted data may be stolen from Dropbox as well as be stolen from your own computer if you use Dropbox to sync data. However, to synchronize data across systems, we do rely on third party synching systems. We never see how anyone is using 1Password. The math just doesn't work for anyone whose livelihood comes from selling password management tools.

As has already been mentioned, in some schemes the data never goes to the vendor in any format. Banking credentials are about five times as much. Stolen credit card details sell for little more than one USD each when purchased in bulk on black markets.


Even if we were crooks at heart, that would just be bad business, as the mere suspicion of such a scheme would put the vendor out of business. I do think that it is safe to say that anyone who has been in the password management business for a while wouldn't risk trying to make an extra buck off of banking credentials or credit cards. The same password was also used for her Dropbox account, which was also taken over and is how we presume the attacker obtained the 1Password data.

As for trusting the people behind a password manager, that is a trickier question. The only confirmed case of a 1Password data breach that I've seen is when someone used the same master password as she used for her unencrypted POP3/HTTP Road Runner email. Although we make heavy use of PBKDF2, it is very important that people choose a good master password. With 1Password you can read the details of how the data is stored. It is extremely important to look at how that basket is protected. But ultimately it is a choice that each individual needs to make for themselves.


I, obviously, think that a well-designed password manager is the right choice. You are keeping all of your eggs in one basket. Password managers create a single point of failure. Whether it's at greater risk of loss/theft is an interesting question. This notebook is obviously much safer against malware. I know someone who won't use Password Safe and instead has a physical notebook with his passwords in obfuscated form. But I wouldn't store every password in there; make an effort to memorize your most important ones, like online banking. Now, for most people these risks are acceptable, and I would suggest that the approach of using a password manager like LastPass for most of your passwords is better than using the same password everywhere - which seems to be the main alternative.


Partly that the online database could be breached (whether by hacking, court order, malicious insider, etc.). Also, because LastPass integrates with browsers, it has a larger attack surface, so there could be technical vulnerabilities (which are unlikely with a standalone app like Password Safe). Online password managers have the significant benefit that your passwords are available on anyone's computer, but they also carry somewhat more risk. I feel comfortable trusting widely used password managers, like Password Safe. But then, who cares about the ones you never use? It is theoretically possible that the password manager could be trojaned, or have a back door - but this is true with any software. With a password manager, it's slightly worse, because once the malware has captured the master password, it gets all your passwords. Without a password manager, malware can quietly sit and capture all the passwords you use. The most likely cause of a breach is getting malware on your computer. But then, your computer is a single point of failure too. It is true that the saved passwords are a single point of failure.

PWSAFE VS LASTPASS OFFLINE

Offline password managers carry relatively little risk. We should distinguish between offline password managers (like Password Safe) and online password managers (like LastPass).






