elements (OP)
|
|
August 26, 2011, 05:02:02 PM |
|
Hi Guys (and gals),
Since my almost brand-new Mac crashed (with my non-backed-up KeePassX files), I was wondering how safe it is, in your opinion, to store such a file in Dropbox (not using a keyfile but only using a master key word)?
Any ideas?
|
»A common mistake that people make when trying to design something completely foolproof was to underestimate the ingenuity of complete fools.« - Douglas Adams
Use the trusted German Bitcoin exchange: https://www.bitcoin.de/de/r/5wcwts
Tips & donations: BTC : 1MAQYNLp2VJ9wWhPYg5BnrbUGzdhGXopZw | CGB: 5bgQivyHJcSWTgvLfVW87Zj23M7mcFCVBF
|
|
|
Saturn7
|
|
August 26, 2011, 05:11:45 PM |
|
I personally assume that anything I put on Dropbox isn't 100% safe. It's just a matter of time until somebody figures out a weakness in the system, even if it's temporary.
|
First there was Fire, then Electricity, and now Bitcoins
|
|
|
elements (OP)
|
|
August 26, 2011, 05:47:45 PM |
|
I personally assume that anything I put on Dropbox isn't 100% safe. It's just a matter of time until somebody figures out a weakness in the system, even if it's temporary.
I don't assume Dropbox to be secure at all. Just a few hours after the Goxed-incident, Dropbox let their guard down for a full two hours. I consider Dropbox to be extremely UNsafe. What I meant was: how secure do you guys think the encryption of the KeePassX database is? (Using an extra safe master password, of course.)
|
|
|
|
kwukduck
|
|
August 26, 2011, 06:14:33 PM |
|
AFAIK they use the AES-256 standard, so it should be safe for a while; maybe there's a bug in the implementation though... Check the source if you don't trust it.
|
14b8PdeWLqK3yi3PrNHMmCvSmvDEKEBh3E
|
|
|
|
FlipPro
|
|
August 26, 2011, 06:45:52 PM |
|
Just keep your damn coins stored offline in a USB. What is so hard about that?
|
|
|
|
|
Gabi
If you want to walk on water, get out of the boat
|
|
August 26, 2011, 07:36:45 PM |
|
Just keep your damn coins stored offline in a USB. What is so hard about that?
Nice, so if the USB dies, you lose everything. An encrypted file is SAFE if you encrypt it in the right way and use a good password. Then you can upload it everywhere (Dropbox, email, SkyDrive or whatever else) and then you won't lose it. A KeePass encrypted file should be safe if you use a good password; that's the whole point of KeePass after all, having an encrypted database. So you should be safe putting it on Dropbox; even if someone steals it, they won't be able to decrypt it.
|
|
|
|
defxor
|
|
August 26, 2011, 07:38:38 PM |
|
That article is positive, not negative, for LastPass.
Quick architecture explanation: They don't store your passwords. They don't have your passwords.
|
|
|
|
elements (OP)
|
|
August 26, 2011, 07:48:40 PM |
|
How is this positive:
Beyond being susceptible to XSS attacks, LastPass doesn't even use HSTS, which means that man-in-the-middle (MITM) attacks are also rather easy to pull off.
It's very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.
|
|
|
|
FlipPro
|
|
August 26, 2011, 08:00:52 PM |
|
Just keep your damn coins stored offline in a USB. What is so hard about that?
Nice, so if the USB dies, you lose everything. An encrypted file is SAFE if you encrypt it in the right way and use a good password. Then you can upload it everywhere (Dropbox, email, SkyDrive or whatever else) and then you won't lose it. A KeePass encrypted file should be safe if you use a good password; that's the whole point of KeePass after all, having an encrypted database. So you should be safe putting it on Dropbox; even if someone steals it, they won't be able to decrypt it.
You can save it to 2 different USBs if you are superstitious about it breaking. Sure, good encryption is important, but you are only setting yourself up for failure when you are putting your money in the hands of other people... Just my honest opinion...
|
|
|
|
defxor
|
|
August 26, 2011, 08:05:01 PM |
|
How is this positive:
Beyond being susceptible to XSS attacks, LastPass doesn't even use HSTS, which means that man-in-the-middle (MITM) attacks are also rather easy to pull off.
It's very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.
Sorry, I kind of assume that people read the whole articles.
Update: LastPass has now implemented HSTS and a few other features to make their website and browser add-ons a lot harder to attack in the future. Hooray!
... which is still irrelevant, since the attack would not compromise your passwords. Read up on the LastPass security model; a lot of security researchers have already. The article author isn't one.
|
|
|
|
Gabi
|
|
August 26, 2011, 08:17:07 PM |
|
Just keep your damn coins stored offline in a USB. What is so hard about that?
Nice, so if the USB dies, you lose everything. An encrypted file is SAFE if you encrypt it in the right way and use a good password. Then you can upload it everywhere (Dropbox, email, SkyDrive or whatever else) and then you won't lose it. A KeePass encrypted file should be safe if you use a good password; that's the whole point of KeePass after all, having an encrypted database. So you should be safe putting it on Dropbox; even if someone steals it, they won't be able to decrypt it.
You can save it to 2 different USBs if you are superstitious about it breaking. Sure, good encryption is important, but you are only setting yourself up for failure when you are putting your money in the hands of other people... Just my honest opinion...
Good encryption + good password = other people have a useless file.
|
|
|
|
Exonumia
|
|
August 26, 2011, 11:17:17 PM |
|
Since my almost brand-new Mac crashed (with my non-backed-up KeePassX files), I was wondering how safe it is, in your opinion, to store such a file in Dropbox.
Well... I am not sure that the KeePassX author follows the same implementation as the KeePass authors... if he does, then it should be rather secure (assuming a hard-to-guess and long keyphrase). http://keepass.info/help/base/security.html
I maintain my main KeePass on a Windows machine (using the 2.0 database style), then I export out a 1.x database style to use with my Mac (and KeePassX). You *can* run KeePass (the actual .NET application) on Mac with Mono... but it is not as elegant as KeePassX in normal usage.
If you are really worried, you can always store the KeePassX database in an encrypted image, then store that image on Dropbox! http://support.apple.com/kb/ht1578
|
|
|
|
tnkflx
|
|
August 28, 2011, 10:34:28 AM |
|
I actually switched from Dropbox to https://spideroak.com/ when the multiple security issues with Dropbox came to light.
|
| Operating electrum.be & us.electrum.be |
|
|
|
ctoon6
|
|
August 28, 2011, 04:14:36 PM |
|
As far as security goes, Dropbox is a joke. One time, for like an hour, you could literally log on to the website without a password. Not only that, but your files are not really "encrypted" so that only you can access them. The Dropbox staff is able to access them; if they were really secure, that would not be possible.
|
|
|
|
Gabi
|
|
August 28, 2011, 04:25:50 PM |
|
When you put something online, expect everyone to access it, especially if you put your wallet online! That's why, if you put something online, you MUST encrypt it.
So in case Dropbox is hacked or there is a bug or whatever else, the hackers just get an encrypted file.
|
|
|
|
defxor
|
|
August 28, 2011, 04:38:36 PM |
|
When you put something online, expect everyone to access it, especially if you put your wallet online! That's why, if you put something online, you MUST encrypt it.
Just to reiterate though: Wuala and LastPass use client-side encryption. It's the same as if you first encrypt your files manually and then put them on Dropbox. You just skip the manual part of it.
|
|
|
|
Gabi
|
|
August 28, 2011, 04:40:18 PM |
|
Yes, you are right. But I was speaking in general, in case someone decides to put the wallet.dat in Dropbox.
|
|
|
|
|