

Ask HN: Should I trust online password management services like passpack.com? - nomatteus

I've recently been looking for a good password management system. Key features being cross-platform and cross-browser implementation.

I started using Passpack.com a few weeks ago and it seems to be a pretty good solution. My only issues are how exactly they store your password database and how much can I really trust this service? Storing any sensitive data online always raises flags so I'm wondering if it's safe to use an online password service such as this? Are there any security tests I can perform to help ensure the security of this app?

The other option is to use something like Keepass--the advantage being that the password database is stored locally and is in my control. Though it might be a bit more complicated to get all my computers synced to use this.

So basically, can I trust _any_ online password-storing site, and if not, should I switch to using only desktop apps like Keepass, where I'm in control of where the encrypted password database file lives?
======
swolchok
They _can_ grab all your passwords, because you're going to type them into
their service, and because it's a web service, they can switch the
implementation as they please. If it's implemented as they seem to imply
(server just sends you an AES-crypted blob of passwords, JavaScript AES
implementation decrypts the blob client-side using the packing key), then what
happens if the bad guys root them and "enhance" their JavaScript to send the
packing key back to the server?

I think that you are going to have to trust such a service with your plaintext
passwords, because you need to recover the plaintext passwords from it. The
problem is aggravated by it being a web service whose implementation can be
switched at any time.

------
Vandy_Travis
Ignoring the concerns about AES256 ciphers for this response...

The site that I use for my passwords is called Clipperz.
(www.clipperz.com/beta). They encrypt everything in JS like the others, but
they've fully released their source code for inspection. I know JS, and it
looks legit, although I can't speak to their encryption technique (although
they did everything else so well, I use that as a proxy for their competence).

The other cool thing is that they allow you to download an html/js/css file so
you can open your passwords even when offline (big file, 1.5MB or so, but
handy to keep your encrypted passwords around offline).

------
niyazpk
From their website:

 _Your data is encrypted on-the-fly before leaving your browser. Passpack uses
the AES-256 encryption algorithm...only you can decrypt it with your secret
Packing Key._

If the technology works as they say, it is secure. Now the problem becomes how
to verify whether it works as they say. It is almost impossible to verify
claims like these. Theoretically, they can read your password anytime they
want just by modifying the JavaScript (or whatever they are using) and you
will never know.

Personally I would not trust them with my real passwords.

~~~
jodrellblank
Indeed, just see here:

[http://www.h-online.com/security/news/item/NIST-certified-US...](http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html)

To see some NIST certified "AES-256 encryption" which turns out to be easily
sidestepped - an example of the difficulty of verifying whether it works as
they say.

------
ScottWhigham
Egads that is crazy to me. What happens when/if they go down for several
hours/days? What happens when their web host gets knocked offline? What
happens when they get DDOSed? What happens when/if they get acquired?

Wow - I can't imagine using a web company of individuals I know nothing about
to store something so important.

And besides, I wouldn't post what password solution I use on the internet
anyway.

------
cjg
I use KeePass on a memory stick. When I need a password I can just plug it
into whichever computer I happen to be using.

------
sebastian
I've been using 1password for a couple months and I love it.

