[makeitsuckless]

A centralized store is however unavoidable if you want to share and manage passwords inside an organization.

Although I share you discomfort, looking at it rationally I prefer to trust a specialized service, who's very existence and reputation depends on it, more than the alternatives.

The other alternative for sharing is stuff like 1Password over Dropbox, which is imho the worst of both worlds.

[jlev]

Why is 1Password over Dropbox the "worst of both worlds"? Seems like it's potentially safer, because it's encrypted with your passphrase and also your dropbox credentials. Sure, the NSA can probably get it, but J Random Hacker can't.

[quonn]

I'm not even convinced the NSA can get it. There are no side-channels to exploit here (which we know the NSA is good at) and cooperation from online services won't work either. The protocols used to encrypt this are fairly simple and well-understood and we should not assume that the NSA is capable of breaking the underlying (strong) primitives.

[avn2109]

The NSA will just get your data off Dropbox by having a judge ask them nicely. That much is undeniable.

Whether or not they can break the Keepass encryption after getting your data is debatable but strikes me as "probably yes."

[Freaky]

Anyone else remember that time Dropbox accidentally turned off authentication and you could log in as anyone?

https://nakedsecurity.sophos.com/2011/06/21/dropbox-lets-any...

[radicalbyte]

I'm not sure how encryption will stand up when you have a set of all deltas from V1... Vn of the encrypted file.

From my admittedly small knowledge of encryption I would assume that such a set of data could be used to greatly decrease the size of the search-space for the decryption key.

There are a few people experts who post here, anyone care to comment?

[tptacek]

I'm not sure whether I'm an "expert", but I can't think of a competently designed cryptosystem falls to that particular attack.

[quonn]

1Password actually stores new data in new files, presumably to make synchronisation work properly. For example, I have approximately 600 such files in my Dropbox. Interestingly, some metadata such as the login URL and the creation date is not encrypted, so it would be possible to build a list of the sites I have stored passwords for.

Formally, if your cipher would weaken in a way that makes practical attacks possible as more data is encrypted, it would be considered broken. Furthermore, it is possible to work around this by rotating keys and just encrypting the keys in a master file. 1Password definitely uses encryption keys that are fully independent from your master password, although I don't know if they periodically use new keys for new data.

[TheSwordsman]

Dropbox doesn't encrypt files, AFAIK.

[maccam94]

- Dropbox files at rest are encrypted using 256-bit Advanced Encryption Standard (AES).

- Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect data in transit between Dropbox apps and our servers; it's designed to create a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.

Source: https://www.dropbox.com/help/27

[hawkes]

But don't they provide the "I forgot my password" option?? Doesn't that mean tjey have enough info to decrypt your data whenever thy want to, let you change your password, and encrypt it again with that new one??? Looks like the same problem to me in the fact that any Dropbox worker can take anything you upload. Moreover, Condoleza Rice hired??! Wtf.

[quonn]

I think Dropbox encrypts data before storing it with 3rd-party providers (Amazon). At least I think they used to.

[quonn]

1Password only stores encrypted files in Dropbox. The encryption is done offline. Assuming the encryption is done properly, it is difficult to conceive of a way to attack it even assuming that Dropbox is compromised.

[Someone1234]

Actually that's how LastPass works (they move around an AES-256 encrypted database, and decrypt it on the client/browser).

The problem LastPass has, is that they re-use the same master password for two distinct things:

- Authenticating to login to your account.

- Encrypt your password database.

So in situations like this the loss of the authentication hash is relevant. I'd prefer to have a different password for the account than the database, but they don't offer that as far as I know.

In general I am broadly happy with LastPass's security. But it could be a little better for power users.

[tptacek]

I find this design kind of baffling. Why go through the trouble of storing data encrypted only to snatch defeat from the jaws of victory by demanding that the client provide a secret derived from the encryption key just to log in?

[eric_the_read]

I finally managed to convince my mother to start using LastPass recently; if I'd had to convince her to use two "master" passwords-- one for the encryption key, one for the service-- I'm fairly sure she'd still be using Google Contacts to store her secrets. :-\

[Someone1234]

Exactly. Why is why I entirely understand LastPass's reasoning for not doing that by default. But it would be a nice "advanced user" option (like 2F and all the other toys hidden in the account settings advanced tab).

[harshreality]

I suppose they need to ensure that the person logging into the site, or interacting with the site via the browser extension, actually created the encrypted archive. Without a passphrase-derived authentication token (which they say is something like pbkdf2(encryption_key + passphrase), where encryption_key itself is pbkdf2(email + passphrase)), how could they ensure that?

Without that connection, if they had a totally separate secret S for web logins, anyone with S (and your 2-factor token if you have it enabled) could change your server-stored archive with no knowledge of how to decrypt it. Wouldn't that be a denial of service attack, if the next time you login to lastpass your local encrypted password archive is overwritten? You'd then have to rely on whatever other backup solution you (hopefully) use, to get an old local copy of the encrypted password archive.

[aptwebapps]

That's true, but you have a local copy by default. I'm not sure what happens if the local and the server copy get radically out of sync - I don't know if it would purge your local copy or not.