Saturday, February 20, 2010

One reason why we can't trust online password storage

LastPass.com, Passpack.com and many other sites claim that they can store your sensitive data, like credit card numbers and passwords, in an encrypted form, so they don't have access to it. While the services they offer really save you from a lot of work (password memorization and typing), there is a fundamental flaw.

The problem is that most of the code that decrypts your sensitive data can be updated in a few seconds without sending any warning to you. If someone compromises the host, he can modify the code they serve so that it sends the key or the decrypted data back to him, and he can update the code again to behave normally whenever he wants.

To retrieve and decrypt my passwords, I would trust only a tool that:

1. Is open source, and
2. Isn't updated automatically
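As an added example (not code from the post, LastPass or Passpack), here is one way to act on the second requirement: hash the service's scripts once after reviewing them, then refuse to run any later copy that differs, so a silent update of the decryption code is detected instead of trusted. The host name vault.example and the script contents are constructed samples.

```python
import base64
import hashlib
import hmac

def sri_digest(content: bytes) -> str:
    """Hash a script the way Subresource Integrity writes it: 'sha256-<base64>'."""
    return "sha256-" + base64.b64encode(hashlib.sha256(content).digest()).decode()

def pin_scripts(served: dict) -> dict:
    """Record a pin (URL -> digest) for each script after it has been reviewed."""
    return {url: sri_digest(body) for url, body in served.items()}

def verify_scripts(pins: dict, served: dict) -> dict:
    """Compare freshly served scripts against the pins.
    Returns {url: reason} for every script that must not be executed:
    'changed'  - content differs from the reviewed copy
    'unpinned' - a script appeared that was never reviewed
    'missing'  - a reviewed script is no longer served"""
    problems = {}
    for url, body in served.items():
        pinned = pins.get(url)
        if pinned is None:
            problems[url] = "unpinned"
        elif not hmac.compare_digest(pinned, sri_digest(body)):
            problems[url] = "changed"
    for url in pins:
        if url not in served:
            problems[url] = "missing"
    return problems

# Constructed sample (hypothetical host "vault.example"): the reviewed
# decryption code, then a copy where the host has been changed to leak the
# key, which is the scenario the post describes.
REVIEWED = {
    "https://vault.example/js/crypto.js": b"function decrypt(k, c) { return aesDecrypt(k, c); }\n",
    "https://vault.example/js/app.js": b"loadVault(decrypt);\n",
}
TAMPERED = dict(REVIEWED)
TAMPERED["https://vault.example/js/crypto.js"] = (
    b"function decrypt(k, c) { report(k); return aesDecrypt(k, c); }\n"
)
TAMPERED["https://vault.example/js/helper.js"] = b"// newly added, never reviewed\n"

PINS = pin_scripts(REVIEWED)

if __name__ == "__main__":
    print("reviewed copy:", verify_scripts(PINS, REVIEWED) or "OK")
    print("tampered copy:", verify_scripts(PINS, TAMPERED))
```

The pins must be stored outside the service's control (a local file, or a browser extension's own storage), otherwise a compromised host can update the pins along with the code.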

3 comments:

Francesco Sullo said...

Hello, yesterday I replied to your comment here: http://bit.ly/8LZWxb
Cheers,
Francesco Sullo, Passpack

Anonymous said...

LastPass doesn't work this way, so your flaw isn't valid for LastPass. Not sure about the other service. All encryption/decryption is on the local PC for LastPass. If your system is injecting malware on the local PC, it won't matter what system you use. And if you're just using memory to remember passwords, that is most likely flawed too.

Caue C M Rego said...

Actually the only fundamental flaw is that once someone gets your master password, they get everything else very easily from the cloud.

Anything else is talking about how well maintained the service is in keeping up with any potential system flaw, that is always possible almost by definition, even if you keep everything within your computer alone or even only in your mind, even supposing your memory is flawless. even even even.