Should You Store Passwords in the Cloud?

Monday, November 07, 2011

Robert Siciliano


It seems that almost every site on the web requires a password.

At least twice a week, I get an email from someone who wants me to join yet another network, which requires yet another username and password. You can cop out and use the same username and password combination, but that’s just asking for trouble.

The key to surviving password management going forward is a small investment in a password manager that keeps an encrypted copy of your passwords on your computer and syncs that copy through the cloud.

The best thing about a password manager is that you have just one master password to remember; it unlocks the different passwords for each site.

What to look for:

  • A password generator that produces long, random passwords for each site. These are impractical to guess or brute-force, and you never need to remember them, because they are all stored in the password manager.
  • Support for multiple browsers, with syncing between multiple PCs.
  • A smartphone app that syncs with the cloud.
  • Encryption is not the weak point: the managers below all protect your data with well-studied algorithms such as AES. What matters is the master password, since anyone who obtains a copy of the encrypted database can try guesses against it offline. Pick a long master password and prefer a manager that applies a slow key derivation function to it.

The real weak point is your own computer. Malware already present, or picked up later, can log keystrokes or take screenshots, and that includes the master password as you type it. Keep your operating system, browser and antivirus fully patched and run regular scans, but remember that no antivirus catches everything; a clean machine is the precondition for everything else here.

Another layer of protection is to add your computer’s built-in on-screen keyboard to your taskbar and use it to enter your master password. This defeats simple keystroke loggers, but not malware that captures the screen or reads the clipboard, so treat it as a minor obstacle rather than a fix.

Password managers to consider:

  • KeePass is free and open source. All of your passwords go in one database, locked with a master password, a key file, or both, so you only have to remember one master password (or keep the key file safe) to unlock the whole database. The database is encrypted with AES or Twofish. KeePass keeps that database file on your own machine; to use it on several devices you sync the file yourself, for example through a file-sync service. For more information, see their features page.
  • LastPass is another good free option.
  • For $39.35, 1Password creates strong, unique passwords, remembers them, and fills them in for you, all directly in your web browser.
  • RoboForm is my favorite. It’s $9.95 for the first year and $19.95 every year after that. You can install RoboForm on as many computers and mobile devices as you wish under the same license, keep your passwords and other data in sync across them, and always have a backup copy. It is also easy to use.

Using a password manager like those listed above is easier and safer:

  • Never forget a password again, and log into your sites with a single click.
  • It’s everywhere: the program synchronizes your password data automatically, so you can reach it from any of your devices at any time.
  • It’s safer: the manager fills a saved password only on the exact site address it was saved for, so a look-alike phishing site gets nothing, and because every site gets its own random password, one breached site does not expose the others.
  • It’s secure: your data is encrypted on your own PC with a key derived from your master password before it is synced anywhere, so the service cannot read it and only you can unlock it. That is also why the strength of the master password sets the limit for the whole system.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto

Bruce Fraser Good article, helpful advice, but...
I don't think KeePass works in the cloud. The data is stored with you: on your computer, smartphone, USB stick -- but NOT in the cloud.

The workaround to that is to use a cloud storage site, like the famous DropBox. That means several extra steps to accessing and using one's password.

Still, it's free, and that beats all the others.
Robert Siciliano Bruce, ya right. Thanks.
Bruce Fraser Then again, I may be wrong.
I've been reading the KeePass menu and the help page on the website. It talks about "synchronize," but there is no tutorial or description how to do it.
It sounds like the user has to supply their own website on which to store the password file. However, once that is set up, it MIGHT be possible to synchronize all one's devices with that file.
Ross Gerring We're a small company with 3 offices - two in Australia, one in the UK. Currently we all use a local/LAN copy of KeePass in individual offices. The challenges are:

1. There's no syncing between the 3 different copies of the KeePass dbs.
2. KeePass is very nice/good for what it does, but it doesn't support user groups/permissions. So access to it supplies all our passwords, and not just the ones pertinent to one's role or (informal) "security clearance".

I should hasten to add that we're not a security company. The majority of this info is relatively benign info such as usernames and passwords to various websites (like this one), discussion forums, etc.

So naturally we're in the market for some software that solves 1+2 above.

With regard to the cloud - at this point in time I'd probably err on the side of NOT wanting to permanently store our passwords in the cloud in terms of some sort of "central repository". Rather I'd prefer that the databases stored on the LANS of each offices are securely synced via - not stored in - the cloud/Internet.

Any guidance from anyone in this regard would be much appreciated. I imagine that there are many thousands of companies worldwide with similar challenges. Googling isn't bringing back satisfying results - it's all very single-user and/or browser focussed.
Robert Siciliano Roboform works in the cloud, otherwise check it out. I'm very happy with it.
Max Payne I use Intuitive Password. It supports all major browsers and mobile devices; you don't need to manually sync your data, the system does it automatically. The user interface is very nice too. Your data is securely stored in their cloud data center. It is completely free of charge, worth a try.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.
