Saturday, February 20, 2010

One reason why we can't trust online password storage, and many other sites claim that they can store your sensitive data, like credit card numbers and passwords, in an encrypted form, so they don't have access to it. While the services they offer really save you from a lot of work (password memorization and typing) there is a fundamental flaw.

The problem is that most of the code that decrypts your sensitive data can be updated in few seconds without sending warnings to you. If someone compromises the host, he can modify the code they serve to send the key or the decrypted data back to him, and he can update the code again to behave normally whenever he wants.

To retrieve and decrypt my passwords, I would trust only a tool that:

1. Is open source
2. Isn't updated automatically