Agreed, those are already risks, and ones that are a lot harder to mitigate (though I do try where I can). Does that mean I should add another one that I can easily avoid?
There are risks in both local and cloud password managers. Maybe those risks seem equivalent to some folks, and the cloud features are useful enough for it to be a no brainer for them. For me, I don't at all mind manually backing up and manually copy/pasting credentials, and I don't miss the convenience of the cloud features.
> Let's say they did compromise your email account ...
This seems focused on the case of a dedicated attacker focused on you specifically. I'd think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.
In any case, I agree risks already exist in other places. For me in my specific set of circumstances this just seems like an easy one to skip.
Hey— whatever works for your setup. Especially for those who don't use a smart phone and have one machine, it's probably a minimal loss in functionality.
> Does that mean I should add another one that I can easily avoid?
All other things being equal? Avoid it, of course. I firmly oppose letting perfect be the enemy of good in the sense that more secure is better than less secure even if it's not perfectly secure. But I also oppose it in the sense that rejecting beneficial functionality because it's not perfectly secure, especially when it's not close to the biggest or most attractive attack surface, doesn't make sense. Even when password managers' servers were compromised— LastPass, for example— I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.
> This seems focused on the case of a dedicated attacker focused on you specifically. I'd think each of us is more likely to be affected by various automated attacks that are backed by large dumps of account credentials.
Nope— If it were automated the distinction is even less significant. A script would only need to search your email for whatever specific types of logins it supported and fire off password resets. Non-email 2FA becomes even more of a hurdle without the option of social engineering it or some other human-touch fix.
Consider this. (very) Roughly, this is the market penetration for these products:
* computer: 90%+
* smart phone: 85%
* tablet: 50%
* computer, smart phone and tablet: 40%
Most people (in this country, at least) have multiple devices. Most people have internet access. Most people aren't going to be able to manage storing and sharing passwords among their devices at all, let alone more securely than cloud storage would do it. So for most people's use cases, it would be like citing health when refusing to put a teaspoon of sugar into the cup of tea they're having with cake and ice cream.
So like I said, avoid it if it doesn't improve your life— I have no stake in your password management choice— but I will actively butt in to qualify the sentiments expressed in this thread because, a) many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD. Cloud-based password management is vastly superior to regular folks' existing methods. If they're put off by technically savvy people saying they're fundamentally insecure, that is the embodiment of perfect defeating good.
> I don't think anybody ever got ahold of passwords. KeePass OTOH was broken with KeeFarce and RATs are a lot more common than cloud service server breaches.
Can we actually know this? We only know about the breaches that we're told about, or that are found and disclosed by researchers. I'm not familiar with KeeFarce, but presumably attackers need local access, in which case you're boned anyway.
> ... many users, even on this site, aren't sophisticated enough to engage in the sort of cost/benefit analysis that we are, and b) to them, this conversation is unintentional FUD
So this is the part that I worry about. I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits. I'd love to be proven wrong, but I imagine in 10 or 20 years we're going to have a very different attitude about these things, sorta like people who were using xray machines to size shoes before they learned about the effects.
Once any info gets to the cloud, it's out of your control forever, and it's in a place where it can be attacked by the current ~8 billion people on the planet, and all the new people coming along after that. It's an impossible task to defend against that. Not to mention as someone like LastPass grows, what could be a juicier target than that? Why try to pwn individual services when you can just get all of the legit credentials at once from one place?
If the options are only use the same 6 character dictionary word for every account, or use a cloud subscription password manager, I'd probably recommend the latter. But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution.
In the past I've recommended a local password manager with generated passwords on your one machine that you do anything sensitive with. Back it up on a thumb drive once in a while. For your most used accounts (e.g. email) that you really want to use on multiple devices, use long memorable pass phrases and just enter them in. Some people might think this is primitive, but it's not that hard and it should be plenty safe for most people. It's just not as convenient.
> I think we're in a bit of an age of innocence with everything moving to the cloud, where everyone still believes that all of these services are going to be well meaning, competent, capable stewards for your bits.
> Once any info gets to the cloud, it's out of your control forever.
You're propping up a straw man using a hyperbole.
> But for someone not tech savvy, I'd probably recommend a pen and paper with memorable (long) pass phrases before I'd recommend a cloud solution[...]
And then presenting your original assertion without any more evidence.
But that's all nearly beside the point.
The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redsox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.
The entire point of password managers is to mitigate this. You need to compete with the psychological ease of re-using the same password repeatedly because that's the only way regular users will use it. Then, you can warn them when they're entering credentials into a site where they don't belong. You can warn users if a service they use was breached. You can warn users that their password is weak or reused or old and give them a quick solution rather than leaving them to figure it out. You're making it easy for them because that's the only way it works. If you draw two barely kissing circles on a sheet of paper, that's the Venn diagram of users who care enough about electronic security to deal with the extra irritation of using strong unique passwords but won't use an automated system to do it.
So maybe the second-weakest link is the credentials themselves, and the third weakest link is the collection of websites users submit their credentials to that don't store the passwords in AES-256 encrypted vaults with no local master password storage, like password managers do, and the fourth is probably the browser, etc.
Everything we know about the actual empirical risk of these components points to password managers, in general, being close to the bottom of that list. Prioritizing anything but the most blatant password manager security flaws over even minor user convenience will have a negative net effect. When it's a risk so obscure that we have no documented instance of it occurring among thousands of documented instances of breaches occurring in other services, I'd argue it's less safe.
If you're going to base your security strategy on intuition about our relationship with cloud services, go for it. Personally, I'll leave the faith to the priests and stick to attack vector analysis and balancing limiting attack surfaces with solutions that work most easily for most people, because that's the only way they'll use them.
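The vault checks the comment above describes (flagging reused, weak and stale passwords, catching the redsox1 to 1redsox1 style of "change", and refusing to fill credentials into a domain they don't belong to) as an added example, not code from any poster or from any real password manager. It is standard-library Python over a constructed sample vault; the thresholds (50 bits, 365 days) and the `SAMPLE_VAULT` entries are assumptions, and the domain check deliberately has no public-suffix list, which real managers need (see the comment on `credential_belongs`).

```python
"""Password-vault audit: reuse, weakness, staleness, trivial-variant and autofill-domain checks."""
import math
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed sample vault (not real credentials). A real manager would run this
# over the entries after decrypting the vault in memory.
SAMPLE_VAULT = [
    {"site": "https://mail.example.com/login", "user": "alice", "password": "Tr0ub4dor&3", "changed": date(2016, 1, 10)},
    {"site": "https://bank.example.net", "user": "alice", "password": "Tr0ub4dor&3", "changed": date(2018, 3, 2)},
    {"site": "https://shop.example.org", "user": "alice", "password": "redsox1", "changed": date(2019, 5, 1)},
    {"site": "https://forum.example.com", "user": "alice", "password": "w7$Kq9!pL2zX#vB4", "changed": date(2019, 4, 1)},
]


def estimated_entropy_bits(password):
    """Crude charset-size * length estimate. Only good enough to flag obviously weak passwords;
    it says nothing about dictionary words or leaked passwords."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # remaining printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def is_trivial_variant(old, new):
    """True when the 'new' password is the old one with only leading/trailing digits or
    symbols changed (redsox1 -> 1redsox1), which a manager should reject on rotation."""
    edge = "0123456789!@#$%^&*._-"
    return old != new and old.strip(edge) == new.strip(edge)


def audit_vault(entries, today, max_age_days=365, min_bits=50.0):
    """Return (site, issue) findings: 'reused on ...', 'weak', 'stale'. Thresholds are assumptions."""
    findings = []
    sites_by_password = {}
    for e in entries:
        sites_by_password.setdefault(e["password"], []).append(e["site"])
    for e in entries:
        others = [s for s in sites_by_password[e["password"]] if s != e["site"]]
        if others:
            findings.append((e["site"], "reused on " + ", ".join(others)))
        if estimated_entropy_bits(e["password"]) < min_bits:
            findings.append((e["site"], "weak"))
        if today - e["changed"] > timedelta(days=max_age_days):
            findings.append((e["site"], "stale"))
    return findings


def credential_belongs(stored_site, page_url):
    """Autofill guard: fill only when the page host equals, or is a subdomain of, the stored host,
    and never downgrade an https entry onto an http page. login.example.com matches an entry for
    example.com; example.com.evil.tld does not. CAVEAT: without a public-suffix list an entry
    stored for a bare suffix such as 'co.uk' would match every site under it; real managers
    consult the PSL before doing this comparison."""
    stored, page = urlsplit(stored_site), urlsplit(page_url)
    if not stored.hostname or not page.hostname:
        return False
    if stored.scheme == "https" and page.scheme != "https":
        return False
    return page.hostname == stored.hostname or page.hostname.endswith("." + stored.hostname)


if __name__ == "__main__":
    for site, issue in audit_vault(SAMPLE_VAULT, date(2020, 1, 1)):
        print(f"{site}: {issue}")
    print(credential_belongs("https://example.com", "https://example.com.evil.tld"))
```

The reuse and staleness checks are the ones that actually change user behaviour, because they come with a one-click fix (generate a new password) instead of asking the user to remember anything; the domain guard is what makes "never type your password into a site it doesn't belong to" automatic rather than a rule people have to follow by hand.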
Does that mean that you agree that we can't know the extent to which things have been exposed? Cause that's part of my point. Of course you can flip that around and say well you can't prove that nobody compromised your local machine, but one of those things is open to attack from many orders of magnitude more attackers by virtue of being on the open internet and in a physical space that you don't control.
> You're propping up a straw man using a hyperbole.
You're cooking up a tasty word salad there, chef. Can you give me a little more meat here? I don't quite follow. Have you never heard people say that you shouldn't write an email or send a picture that you wouldn't want to see in the newspaper? It's a similar concept. Once you send something out over the wire, your power to make decisions over what's done with it is gone. You have to hope that whatever was listening on the wire is (and will continue to be) benevolent. How do straw men and hyperbole apply here?
> The most difficult factor to wrangle is human psychology. Without intervention, phishing attacks just work. People re-use passwords. People switch from redsox1 to 1redsox1 when forced to change them. They do this all to avoid having to think about it.
> The entire point of password managers is to mitigate this.
I agree. That's part of why I use a password manager, and recommend that others do so too. We just disagree on whether or not it's advisable to cede control over that kind of tool to a third party.
It feels a lot like the argument that your money is safer in a bank than in your mattress, which is an argument I agree with. Except replace all the banking regulations and security with a ToS that can change anytime and emails about how very deeply we care about your security. I'll keep my cash in my safe at home in that scenario. Maybe there are some people who'd still be better off using that bank. I wouldn't feel good giving that recommendation though.
I know what a straw man is, but you just naming the term doesn't constitute an argument. Maybe a more clever person than myself could have intuited what you believed was an example of one, but I couldn't.
Russell's teapot is a new one to me. It seems your position is (correct me if I've misunderstood, or don't since you don't seem interested in the conversation anymore) that since we don't have definitive proof that we can't trust these third parties, it's wrong to distrust them. I'm too paranoid to buy that. If I can't verify, then I don't trust. Good luck with your better things.