
That's no different to how LastPass stores your vault on its servers, isn't it? They're just using their own cloud instead of Google's.



There actually might be a difference in favor of LP. LastPass knows, semantically, what encrypted password archives are, and can monitor for statistically unusual traffic related to an attacker downloading them.

Google has no way to know, if 10k people are storing their encrypted keepassx archives in gdrive, and if those 10k archives are accessed in rapid succession, that it's an attack. It's lost in the noise of gdrive traffic.


That blade cuts both ways: the keepassx archives would be lost in the noise of all the other files on Google Drive/Dropbox/etc. On LastPass, you know you're getting password archives. To me: advantage KeePass.


When thinking about security, who has more resources and expertise? LastPass or Google?


It depends on your threat model. If you are more afraid of the government than of a random script kiddie, the vastly bigger resources of Google do not matter, as your (encrypted) database is just an NSL away.

And then the NSA is trying to crack it </tinfoil hat mode>


Well, if I put on my tinfoil hat, then there is no protection from the NSA. So, now I'm only trying to protect my password/identity from criminal elements, I tend to side with Google as knowing what they are doing. It doesn't mean they will also be mistake-free, but it is something they deal with and have been dealing with before LastPass was even an idea.


When you've put your password file in the cloud, you should assume it's fallen into the wrong hands (NSA) already.

I've put my keepass file in the cloud for extra backup, and I know I can only rely on its cryptographic strength to keep it safe.



