Thursday, August 23, 2012

Passwords in the Cloud

So I have been generally paranoid about keeping my passwords in the cloud. However, over the last few days I have figured a way to keep them in the cloud in a relatively safer way. Mind you, its relatively safe. Relative to what you ask? Well, relative to keeping them in clear text on an excel spread sheet on your computer, or better still, relatively safer to having the same password (or a slightly varied password) for all your accounts. If you haven’t been scared about how insecure your passwords really are, or have been lazy enough to commit the two cardinal sins of managing passwords – reusing them, storing them/ writing them; its high time you do something serious about it. How about, you take a 10 minute break from whatever you are doing now, and follow what I say in this blog post. For once? Please?

Why do I need passwords in the cloud?

For a very long time, the primary computer from where I accessed the internet was my home PC. So I have been using Keepass for more than 6 years now and it has been really good. My passwords were securely encrypted in Keepass on my computer and that's about it.

Then came a time that I had to have passwords to access multiple sites and servers in office. So it became imperative that I have Keepass in office to store my passwords. Now having two copies of anything leads to inconsistencies. So I devised a way to sync my passwords every week. The solution was deceptively simple but cumbersome. I setup SyncToy on my home PC and I carried Keepass on a SD card in my office Laptop. So each time that I had to sync, I removed the SD card from my office Laptop and plugged it into my Home PC and synced them together. Synctoy is a very nifty and free Windows utility to delta sync two hard drives. If you are not using it to backup your PC, may be you should.

Now I have reached a stage that I need my passwords on my Smartphone, my Office PC and my Home PC. Now I can no longer do the SD Card thingie. So the easiest solution was to go cloud.

Having a Cloud based pure play password manager would be too big a risk. For all hackers out there, it would be a treasure trove of information waiting to be hacked into. Maybe that's why a pure cloud based password manager never came into being (till now).

How do I cloud-enable my password manager?

These days there are a lot of cloud-based storage options available. There is the SkyDrive by Windows, Apple iCloud, Google Drive and of course Dropbox. All these solutions let you store files in the cloud. They have been relatively secure. Yeah I know Dropbox got breached last month, but well it was not really a breach on their servers. And the beauty of this solution is that – the vulnerability is not on the cloud, but its on your Keepass encryption (or its distributed across your device, the cloud, your passkey and your master password). Getting access to just one of the things mentioned will not compromise your password security.

Here is the solution step-by-step:

  1. Download Keepass on all your computers (I use the portable version, but that's just me)
  2. Signup for and download one of the cloud-storage options like Dropbox on all your computers
  3. Create a private folder on the cloud-storage provider
  4. Create a new password database (or copy your existing database) onto the private folder in the cloud
  5. Point Keepass to access that database on the cloud on all your computers(as long as your cloud-storage app is visible in Windows Explorer, Keepass can access it)
  6. Create a Key File in Keepass and physically copy it to all your computers (this is a one time activity). Mind you, do not keep your Key File on the cloud.
  7. Choose a strong password for Keepass (And here are tips for it)

And you are ready to rock!

How secure is the solution?

So the security of the solution really depends on how safe is Keepass and how complex is your master password. Keepass is relatively very safe. As of now, it has military grade encryption capabilities and its open source (so everyone can see vulnerabilities in its code). If you are worried, you should read this and this.

Breaches can occur at 2 places – in the cloud and on your computer.

A cloud breach occurs when someone gets access to your cloud-drive. Even if they get access to your password database on the cloud, it will be computationally impossible for them (as of 2012) to hack into it without your master password (which is in your brain) and the Key File (which is physically located on your computer).

A bigger breach is when someone accesses Keepass on your computer. In that case, they can theoretically access your cloud-drive and your Key File. But still the master password remains in your brain. It is computationally very difficult (provided you are not a spy or a government agent) for them to break your Keepass database as long as you had chosen a strong master password. Of course if they tie you to a pole and make you confess your password by unmentionable means then you are compromised. But I am sure if you reach that stage, you will have other things to worry about (like your life) than your passwords.

That's it from me. I would like you to comment on this one if – you have doubts or you feel there is a big gap in my logic.

No comments:

Post a Comment