Any time we discuss password managers, the ensuing commentary can sometimes get a little heated. People really love their password managers (and we love to hear that!).
One of the biggest, if not THE biggest, point of contention, however, is the cloud. Specifically, the cloud as a place to store your password vault, the cache of your credentials that your password manager absolutely needs to keep safe at all costs.
This is a clear dividing line for many password manager aficionados. Do you trust third-party cloud storage as a place to store your vault – dozens upon dozens, if not hundreds of credentials – or do you choose to keep your vault in places that are exclusively owned and maintained by you?
Let’s break it down.
Arguments for the Cloud
Synchronisation across devices
If you use credentials across multiple browsers, devices and locations, the ability to keep all that data in one central location means that, no matter the device you are on, you know you are always using the most up-to-date credentials.
There’s no work needed in version-managing a password vault file, as there’s only one vault and it’s always current. If you change your password using one device, the moment you access that service on another device your credentials have already been synced.
Yes, there’s encryption
The encryption measures used to secure password vaults in the cloud can get an unfair rap. Most cloud-based password managers encrypt your password data on your device, before it gets sent anywhere on the internet, and that encrypted data is sent to and from cloud storage using an encrypted connection.
For many of the services I’ve looked into, the keys to encrypt and decrypt your password data are generated and kept locally on your device and never touch the internet at all.
This should mean that you, and only you, can decrypt your passwords. The makers of the password manager can’t read your passwords and if their cloud storage is breached – which, while unlikely, has happened in the past – the treasure trove of encrypted password vaults it contains is useless without the individual keys to unlock each and every vault. There’s nothing the crooks can do, and no data can be extracted, without your keys.
(The time it would take to decrypt just one of these vaults with even the most advanced tech we have now would measure, conservatively, in many multiples of the age of the Universe. I know your Facebook password is valuable, but it’s not that valuable.)
Ease of use for the non-technical
This might not seem like a big deal for those of you who don’t mind a few rough edges, but you can’t discount the impact of good usability and design. Many of the cloud-based password managers are proprietary software designed to make money for their creators (so that’s a plus or minus depending on how you feel), which means they have budget for things like design expertise, user testing, and customer support.
They try to make their tools as easy to understand and as easy to use as possible. You don’t have to be a security nerd, or even a security neophyte, to get up and running. The tools work and work quite well.
Arguments against the cloud
Trusting a third party
For many people, the idea of handing over private credentials to a third party is sacrilege. These credentials are the keys to your kingdom – your finances, your social life, your email, everything – and you’re handing them over to another company.
That company (and everyone in it) might have your best interests in mind but the danger of the so-called “insider threat” is real, software has vulnerabilities and companies make mistakes, so you’d be sensible to behave as if they don’t.
Your passwords move through a chain of infrastructure that encrypts your data and connects your devices to the cloud, and you are relying on all of that to be well maintained and free from security vulnerabilities. As I mentioned above, cloud-based password managers like LastPass have had some security troubles in the past (since fixed), including some nasty flaws in LastPass’s two-factor authentication.
All eggs in one big basket
While some people are just philosophically opposed to entrusting their information to anyone else, no matter what level of encryption is used, others see cloud-based password storage as a single point of failure.
That concern is only multiplied by the idea of putting your entire password vault out of reach, in a place that you don’t own and can’t directly configure or control. You could take every possible precaution to secure your account, but ultimately keeping your passwords safe relies on the client-side encryption I described earlier working as advertised.
Needless to say, password vaults stored en masse by vendors are a much bigger target, offering a much bigger potential pay off for criminal hackers, than just a single password vault stored by one person.
Cost
Sometimes the features you really want in a third-party password manager come with a price, either one-time or subscription based. Generally, these are for features and not the base password manager itself, though if your budget is zero any cost is prohibitive.
Decisions, decisions…
If you find yourself leaning towards keeping your data close to your chest, a password manager that gives you full control over where you store your password vault, like KeePass, is likely the best fit for you.
If you find the convenience of cloud solutions to be more your style, a cloud-based password manager may be more your speed. Many NakedSecurity readers have commented that LastPass and 1Password are their choices for cloud-based password managers, but there are many, many others in the market, including Google’s Smart Lock and Apple’s iCloud Keychain. Sophos’s mobile security apps Sophos Mobile Security and Sophos Secure Workspace can both use local KeePass vaults, and Sophos Secure Workspace can work with multiple local or cloud-based vaults.
If you’re not sure where you fall on this debate, you’re not the only one. There’s something to be said for healthy skepticism about either “side,” especially if someone declares that something is the best solution for everyone in every situation.
As with most decisions around what’s best for your privacy and security, there are a number of risk/reward calculations that you need to make to determine what’s right for you.
KeePass gives you the best of both worlds as you can sync it to a cloud service and maintain synchronisation that way, while still retaining complete control – especially if you use 2FA.
Been using KeePass together with Dropbox protected with a strong password and two-factor authentication; besides that, the database is protected with a long password and a key file. If I ever want to change the cloud service, I can do it with no hassle. I don’t see any reason to trust one party with all of this.
Your points are all well taken.
I like KeePass as I am very comfortable with maintaining the sync and safety of my systems. I also do not use cloud backups. I want to know where and how my data is and take responsibility for it. If I screw up, I know where to lay the blame, and I think that makes me more conscientious.
Why is LastPass hyperlinked but not 1Password? Did LastPass pay an ad fee and AgileBits didn’t?
Also, the cons are all fear-based. Not a rational fact in the bunch. Especially cost is dumb. So, something supposedly as important as your entire security database and you *don’t* want to pay for it? Yet in the same section you talk about the fear of trusting a third party. Who’d trust a third party with such a responsibility and *not* pay them? You get what you pay for.
Really, all you’ve shown is that anyone *not* using a cloud-based service is being irrational and making a poor decision.
Do you mean the two links to Naked Security stories about LastPass security issues? No, they didn’t pay us a dime for those.
Snarky, but funny!
I am using 1Password. My passwords are stored in the cloud, using a very strong master password (Diceware).
2FA is another layer of protection and if you have any doubt you can have a common beginning, middle or end that is NOT in the manager that you manually type in each time. As simple as if the password manager thinks your password is biGtruk99goZ00M but it is really MbiGtruk99goZ00my. All I have to remember is to add M at the beginning and y at the end. Your password even if compromised is incomplete with you (ok My lol)!
Add me to the ones that use KeePass on a Dropbox account. As well, for what little extra work is involved, I keep a copy in another encrypted folder in my system. I also have a printed hard copy I keep hidden away just in case. Might be overkill, but I don’t mind.
Given the right programming, nothing is secure on the net. The best way to keep passwords is in your head. I use a series of them and change them each and every month; it’s a pain in the bum, but I do not get hit and never have. I also use an incoming and outgoing email system: I cannot send from the incoming, so if the email is compromised it gets deleted and a new one replaces it. Having all your eggs in one basket is a recipe for disaster.
You keep all your passwords in your head? Blimey. I just checked my LastPass account: I have over 100 different passwords, all random mixes of letters, numbers and characters, all at least 12 characters long… that’s an impressive memory.
I use iCloud Keychain and 2FA, unique iCloud password, devices that are required for 2FA protected by my Face or Fingerprint. I trust it, perfect balance of security and convenience.
I use KeePass on one computer which is the only device I use to access personal accounts, so no personal email or shopping at work.
I would never, ever, leave sensitive data like this in the hands of a company which has links with the US, where user privacy is a joke.
Therefore, I use KeePass with several ways to share it among different computers.
Typo: “This should me that you” –> “This should mean that you”
Fixed, thanks!
I use 1Password with Dropbox storage – but nowadays they’ll steer you towards their cloud-based version if you don’t know exactly what you’re doing.
I’m most concerned about the cloud-only version’s in-browser client; it’s JavaScript which is apparently downloaded every session. I feel this is a big hole which is much more likely to be compromised, either by compromising that download, or after 1Password is forced by the TLAs to give up your information.
Using a password manager is okay if a number of ‘rules’ (my rules) are followed:
1) vendor/manufacturer/company (ie KeePass/LastPass/etc) must have a security policy
2) vendor/manufacturer/company must have a third party audit, especially if web/cloud based
3) must have a mechanism to erase data from the clipboard or other temporary storage that the password may appear in. (KeePass does have this – I am uninformed about others.) Personally (again, I am ignorant) I’d have grave security concerns about using a browser-based password manager and using browser functions to supply the password to sites, especially using Windows as a platform and, pick your poison, Edge or IE!
I had a bitter discussion with an internal group regarding the centralized use of a web-based, but locally hosted, password manager. The vendor (not one of the common ones mentioned in the article) did not have any third party audits, nor did they offer any standard to which they audited themselves – just a ‘we take security seriously and patch real good’ type of response. Fail.
KeePass was last audited by a third party in Oct 2016 (EU-FOSSA).
LastPass was under the deep probo-scope of Google Project Zero’s Tavis Ormandy in the March/April 2017 timeframe. So its security may well have improved significantly.
I prefer to have the private key/password to encrypt/decrypt the master-password file locally, then store the encrypted file in the cloud. That way, nobody but me has reasonable access to decrypted information, but I benefit from the availability and backup provided by cloud services. KeePass is a great example. This solution does require more effort on my part, but that is the acceptable cost to manage the risks.
Nobody ever mentions Roboform, but it’s my favorite.
LastPass and Abine are my favorites for sure. Password managers are a must these days. Thanks for the post.
After trying and testing several password managers, I now use KeePass. My master passphrase is ~25 characters, part Leet, part English and part Spanish. To sync between devices, I encrypt the file with a different passcode approximately the same size and using the same combination of languages, then upload it to my OneDrive, pull it down to where I need it, and delete it from OneDrive. There is a way to programmatically sync devices within KeePass, but to be honest, I haven’t been successful at that, and since my workaround is pretty secure, I haven’t pursued figuring it out.