Yellow Sticky of Doom in the Cloud

The password managers we discussed in the last post are a good start. If you only use one system a local password database is all you need.

Most people have multiple “devices” – a PC, a laptop, a smartphone, a tablet, and the number keeps growing. It would be terribly convenient to have access to your passwords on all of your devices, and to have everything automatically updated when you add or change a password.

This is where network – or today CLOUD BASED (highlighted for dramatic emphasis…) – password managers come into play. These networked password managers share, distribute, backup, and replicate your passwords.

Putting your passwords IN THE CLOUD should make you nervous. It is important to do your homework before choosing one – don’t just choose the first one that comes up on a search!

There are several places to look. Wikipedia has a List of Password Managers. Information Week has an article on 10 Top Password Managers. Network World published Best tools for protecting passwords. Mac World produced Mac password managers. At a minimum make sure that the password managers you are considering have at least some public review and feedback. You should also do web searches looking for user experience and any issues with the various password managers.

For cloud based password managers, one of the most important things is to make sure that you retain control of the passwords. This is done by encrypting the password data locally, on your system, and only sending encrypted data to the cloud. Done properly, the master encryption password for the password database never leaves your system – no one, including the company hosting your password manager, can decrypt your password. Of course this also means that if you lose your password manager password you are out of luck; no one can recover it.

As an anecdote, not a recommendation, a thoroughly paranoid colleague who works in the security space and whose opinions I respect recommends LastPass.  I prefer open source password managers that can be audited, like KeePassX, but there don’t seem to be any with good Cloud integration.

About Russell Doty

A technology strategist and product manager at Red Hat, working on the next generation of open source systems.
This entry was posted in Security. Bookmark the permalink.

2 Responses to Yellow Sticky of Doom in the Cloud

  1. I am sort of an ardent LastPass user. I have been a user for many years. But I have recently switched to KeePassX. I have been using it for close to a month. I can’t say I miss anything that would tempt me to go back to LastPass.

    I use both passphrase and keyfile to encrypt my database and sync it across devices using Dropbox. I have manually copied my keyfile to any device I plan to use. I plan to sync the database using ownCloud in future to be completely free of proprietary goods as soon as I can figure out how to make KeePass2Android get working with ownCloud WebDav. Thanks to KeePassX’s Auto-Type feature entering username and password in the browser fields is as hard as hitting Ctrl-V. I have desktop, browser and Android covered.

    LastPass is certainly easier to use and it being host of your database you could easily retrieve passwords off the browser that won’t be possible with KeePassX as you would need keyfile, database, and a tool to extract the password entries. It makes KeePassX much more secure.

    • Russ Doty says:

      Sudhir, thanks for your suggestions.

      I’ve been using KeePassX for several years on Linux. I’ve had limited success with the network synchronization; almost certainly my fault, since I know this works for many people. KeePassX is an excellent tool, and the fact that it is Open Source increases my comfort.

      Can you provide some more details on your setup and how it is working for you?

      The challenge is that I have Linux, Windows, Mac, iOS and Android systems, and would like to have a common synchronized password manager. (My excuse is that I need to learn the current technologies!)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s