Cloud storage for password managers – are you for or against?


Any time we discuss password managers, the ensuing commentary can sometimes get a little heated. People really love their password managers (and we love to hear that!)

One of the biggest, if not THE biggest, point of contention, however, is the cloud. Specifically, the cloud as a place to store your password vault, the cache of your credentials that your password manager absolutely needs to keep safe at all costs.

This is a clear dividing line for many password manager aficionados. Do you trust third-party cloud storage as a place to store your vault – dozens upon dozens, if not hundreds of credentials – or do you choose to keep your vault in places that are exclusively owned and maintained by you?

Let’s break it down.

Arguments for the Cloud

Synchronisation across devices

If you use credentials across multiple browsers, devices and locations, the ability to keep all that data in one central location means that, no matter the device you are on, you know you are always using the most up-to-date credentials.

There’s no work needed in version-managing a password vault file, as there’s only one vault and it’s always current. If you change your password using one device, the moment you access that service on another device your credentials have already been synced.

Yes, there’s encryption

The encryption used to secure password vaults in the cloud gets an unfair rap. Most cloud-based password managers encrypt your password data on your device, before it gets sent anywhere on the internet, and that already-encrypted data travels to and from cloud storage over an encrypted connection (TLS).

For many of the services I’ve looked into, the key that encrypts and decrypts your password data is derived on your device from your master password, typically with a deliberately slow key derivation function such as PBKDF2, and never touches the internet at all.

This should mean that you, and only you, can decrypt your passwords. The makers of the password manager can’t read your passwords, and if their cloud storage is breached – which, while unlikely, has happened in the past – the treasure trove of encrypted vaults it contains is useless without the individual key to unlock each and every vault. There’s nothing the crooks can do, and no data can be extracted, without your key.

(The time it would take to brute-force the encryption key of just one of these vaults with even the most advanced tech we have now would measure, conservatively, in many multiples of the age of the Universe. I know your Facebook password is valuable, but it’s not that valuable.)

The caveat is that the key is derived from your master password, so a stolen vault lets a crook guess master passwords offline, as fast as their hardware allows and with no lockout to stop them. The slow key derivation makes each guess expensive, but a short or common master password will still fall; the age-of-the-Universe figure only applies if your master password is strong enough that guessing it is no easier than guessing the key directly.
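To make the “encrypted on your device, only you hold the key” claim concrete, here is an added illustration, written for this article and not taken from any password manager’s code, of what a client does before anything reaches the cloud and of what a thief holding the stolen blob can and cannot do with it. It uses only the Python standard library: PBKDF2 for key derivation, a small ChaCha20 (RFC 8439) implementation for the stream cipher and HMAC-SHA256 for integrity in an encrypt-then-MAC composition. The key-splitting labels, the auth_hash design, the iteration count, the sample vault entries and the wordlist are all constructed for the demonstration.

```python
"""Added illustration of client-side vault encryption (not any product's code).
The vault is encrypted on the device with a key derived from the master
password; the cloud only ever receives salt, parameters, nonce, ciphertext
and MAC. Stdlib only: PBKDF2 (hashlib), ChaCha20 (RFC 8439) and HMAC-SHA256
in an encrypt-then-MAC composition. Labels and parameters are assumptions."""
import hashlib, hmac, json, os, struct

M = 0xFFFFFFFF
ITERATIONS = 100_000  # demo work factor; real products use considerably more


def _qr(s, a, b, c, d):
    """ChaCha quarter round on state words a, b, c, d (in place, mod 2**32)."""
    s[a] = (s[a] + s[b]) & M; s[d] ^= s[a]; s[d] = ((s[d] << 16) | (s[d] >> 16)) & M
    s[c] = (s[c] + s[d]) & M; s[b] ^= s[c]; s[b] = ((s[b] << 12) | (s[b] >> 20)) & M
    s[a] = (s[a] + s[b]) & M; s[d] ^= s[a]; s[d] = ((s[d] << 8) | (s[d] >> 24)) & M
    s[c] = (s[c] + s[d]) & M; s[b] ^= s[c]; s[b] = ((s[b] << 7) | (s[b] >> 25)) & M


def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block for a 32-byte key and 12-byte nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key
                               + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 column rounds interleaved with 10 diagonal rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & M for x, y in zip(w, state)))


def chacha20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation): XOR with keystream, block counter from 1."""
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, nonce, 1 + i // 64)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], keystream))
    return bytes(out)


def derive_keys(master_password, salt, iterations):
    """All secrets come from the master password, on the device.
    enc_key never leaves; mac_key authenticates the blob; auth_hash is a one-way
    derivative the service could store to authenticate logins (assumed design)."""
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)
    mac_key = hmac.new(enc_key, b"vault-mac", hashlib.sha256).digest()
    auth_hash = hmac.new(enc_key, b"server-auth", hashlib.sha256).hexdigest()
    return enc_key, mac_key, auth_hash


def seal_vault(master_password, entries, iterations=ITERATIONS):
    """Encrypt the vault locally; the returned dict is everything the cloud sees."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key, auth_hash = derive_keys(master_password, salt, iterations)
    ciphertext = chacha20_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "nonce": nonce,
            "ciphertext": ciphertext, "tag": tag, "auth_hash": auth_hash}


def open_vault(master_password, blob):
    """Verify the MAC, then decrypt. None means wrong password or a tampered blob."""
    enc_key, mac_key, _ = derive_keys(master_password, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return json.loads(chacha20_xor(enc_key, blob["nonce"], blob["ciphertext"]))


def offline_guess(blob, wordlist):
    """What a thief with the stolen blob can do: try master passwords offline,
    one PBKDF2 run per guess, no lockout. Returns the hit or None."""
    for guess in wordlist:
        if open_vault(guess, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    entries = {"facebook.com": "hunter2", "bank.example": "Qv7!pLm2#x"}  # constructed
    wordlist = ["123456", "password", "qwerty", "password1", "letmein"]  # constructed
    weak = seal_vault("password1", entries)
    strong = seal_vault("correct horse battery staple 2017", entries)
    print("weak vault   ->", offline_guess(weak, wordlist))    # password1
    print("strong vault ->", offline_guess(strong, wordlist))  # None
```

Running it shows the weak master password recovered from the stolen blob after a handful of guesses while the strong one survives the same wordlist: the cloud copy reveals nothing on its own, but its security is exactly the strength of the master password multiplied by the cost of one key derivation, which is why the iteration count matters and why no vendor can save a master password of “password1”.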

Ease of use for the non-technical

This might not seem like a big deal for those of you who don’t mind a few rough edges, but you can’t discount the impact of good usability and design. Many of the cloud-based password managers are proprietary software designed to make money for their creators (so that’s a plus or minus depending on how you feel), which means they have budget for things like design expertise, user testing, and customer support.

They try to make their tools as easy to understand and as easy to use as possible. You don’t have to be a security nerd, or even a security neophyte, to get up and running. The tools work and work quite well.

Arguments against the cloud

Trusting a third party

For many people, the idea of handing over private credentials to a third party is sacrilege. These credentials are the keys to your kingdom – your finances, your social life, your email, everything – and you’re handing them over to another company.

That company (and everyone in it) might have your best interests in mind, but the danger of the so-called “insider threat” is real, software has vulnerabilities and companies make mistakes, so it is sensible to behave as if they didn’t.

Your passwords move through a chain of infrastructure that encrypts your data and connects your devices to the cloud, and you are relying on all of that to be well maintained and free from security vulnerabilities. As I mentioned above, cloud-based password managers like LastPass have had security troubles in the past (since fixed), including some nasty flaws in their two-factor authentication protocols.

All eggs in one big basket

While some people are just philosophically opposed to entrusting their information to anyone else, no matter what level of encryption is used, others see cloud-based password storage as a single point of failure.

That concern is only multiplied by the idea of putting your entire password vault out of reach, in a place that you don’t own and can’t directly configure or control. You could take every possible precaution to secure your account, but ultimately keeping your passwords safe relies on the vault encryption I described earlier working exactly as advertised.

Needless to say, password vaults stored en masse by vendors are a much bigger target, offering a much bigger potential pay off for criminal hackers, than just a single password vault stored by one person.

Cost

Sometimes the features you really want in a third-party password manager come with a price, either one-time or subscription based. Generally, these are for features and not the base password manager itself, though if your budget is zero any cost is prohibitive.

Decisions, decisions…

If you find yourself leaning towards keeping your data close to your chest, a password manager that gives you full control over where you store your password vault, like KeePass, is likely the best fit for you.

If you find the convenience of cloud solutions to be more your style, a cloud-based password manager may be more your speed. Many Naked Security readers have commented that LastPass and 1Password are their choices for cloud-based password managers, but there are many, many others in the market, including Google’s Smart Lock and Apple’s iCloud Keychain. Sophos’s mobile security apps Sophos Mobile Security and Sophos Secure Workspace can both use local KeePass vaults, and Sophos Secure Workspace can work with multiple local or cloud-based vaults.

If you’re not sure where you fall on this debate, you’re not the only one. There’s something to be said for healthy skepticism about either “side,” especially if someone declares that something is the best solution for everyone in every situation.

As with most decisions around what’s best for your privacy and security, there are a number of risk/reward calculations that you need to make to determine what’s right for you.