In the ever-changing world of IT, everything is being pushed into the cloud, including things we normally wouldn’t even consider sharing with any other party, such as the nifty software designed to remember our passwords for us. I think a LOT of IT folks know what KeePass is, but for those who don’t: it’s a password safe in which you can store all your passwords, generate complex ones, make remarks and memos, etc., all written to an encrypted file in a location of your choosing and protected by a master password. KeePass is free and open source, so it’s harder for entities like, let’s say, the US government to demand the surrender of vital decryption information. To be more specific: because KeePass is an offline password storage program and open source, the FISC court can’t compel a company to push a backdoor update to a specific user through the use of National Security Letters. That makes it a very safe option for storing your passwords. But offline.
Now, let’s take a look at online approaches to the same problem: people forgetting their passwords or having a hard time maintaining them (even harder if you want to keep them really different). The first thing that comes to mind is the above: if it is a company with US roots, your data is NOT safe at all, for it can be seized and decrypted with a court order. That rules out all US-based companies, with popular names like Dashlane, LastPass and RoboForm amongst them. But what is a viable alternative? After some consideration and (quite a bit of) reading, I narrowed it down to these three non-US password managers with online functionality, as seen on the right.
I decided to give Sticky Password a go, as it fulfills my basic needs on the security side and has a lot of really usable features, like offline data sync via WiFi, so you can actually sync passwords between devices without having to use cloud servers at all. This means encrypted data can stay local if you assign it to be that way, so your really sensitive stuff never goes out to a cloud server. It just stays on your PC or device and you can sync it to other devices over your own WiFi.
For example’s sake: if the code to your home alarm system were stored in LastPass, it would be in the cloud and subject to FISC rulings, thus readable by US authorities. It means they could use this data to enter your house, or provide the data to local authorities. But you’ve got nothing to hide, right? Right.
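To make the property behind the first paragraph concrete, here is an added example of my own (not KeePass code, and nothing from Sticky Password): a toy offline vault in which the master password is stretched into keys on the device itself, the entries are encrypted and authenticated, and only the resulting opaque blob would ever be synced or hosted anywhere (the KeePass + ownCloud setup mentioned at the end of the post relies on exactly this property). The cipher construction, scrypt plus an HMAC-SHA256 counter keystream with encrypt-then-MAC, is a standard-library stand-in so the example runs anywhere; it is not the real KeePass file format, which uses AES-256 or ChaCha20 with Argon2 or AES-KDF. The vault entries, the home alarm code and the master password are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed illustration of the offline-vault design: the master password
# never leaves the device, and only the sealed blob would be placed on a cloud
# store. Stdlib primitives stand in for the real KeePass format (this is NOT it).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # memory-hard KDF parameters (assumed, modest for a demo)
MAGIC = b"TOYVAULT1"                           # format tag (constructed)
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.scrypt(master_password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 run in counter mode; a toy stream cipher for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(entries, master_password):
    """Encrypt-then-MAC a dict of entries; returns the blob that may leave the device."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(blob, master_password):
    """Verify the tag before decrypting; wrong password and tampering both fail closed."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if not blob.startswith(MAGIC) or len(blob) < hdr_len + TAG_LEN:
        raise ValueError("not a vault file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    ciphertext = body[hdr_len:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault tampered with")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def blob_contains_plaintext(blob, secret):
    """What a cloud host could learn by grepping the stored file: nothing, if this is False."""
    return secret.encode() in blob


if __name__ == "__main__":
    # Constructed sample entries, including the home alarm code from the post's example.
    entries = {"home alarm": "1234", "bank": "correct horse battery"}
    blob = seal_vault(entries, "my-master-password")
    print("blob opaque to host:", not blob_contains_plaintext(blob, "1234"))
    print("decrypts locally:", open_vault(blob, "my-master-password") == entries)
```

The two failure paths matter as much as the happy path: with the wrong master password the derived MAC key differs, and with a modified blob the tag no longer matches, so in both cases `open_vault` raises before any plaintext is produced. Whoever hosts the blob only ever holds ciphertext plus a random salt and nonce.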
The “Nothing to hide” argument
One thing I do hear a lot when it comes to authorities and storing personal data, is the “I got nothing to hide” argument. There are a couple of points to think about (kindly translated and freely interpreted from the Bits of Freedom organization):
- It’s not about whether you have something to hide or not. It’s not even about trusting a company or your government. It is about your freedom. People who know they are being watched generally act differently from those who are left alone. Conformity to approved behavior encourages the confinement of thought and creativity, which ends up undermining a truly free-thinking and free-acting society.
- Identity fraud is THE most rapidly growing and evolving form of cybercrime.
- Everyone has something to hide. Would you let your lover, employer or insurance company read all your WhatsApp messages? Do you show pictures of your kids to every stranger? Do you give access to your medical files to anyone? You do not have to be a bad person to want to hide something!
- The question is not if you have got something to hide. The question is what someone else wants to do with the information acquired or given.
- Your personal information is worth a lot of money to others; are you giving it away for free?
- Your personal information is recorded and used over and over. Does a government or company never make mistakes? When they do, you have to prove you’re right, which can be really tough. This becomes a real problem when you cannot get a mortgage or you’re placed on a no-fly list.
So, I’ll be test-driving Sticky Password, but to be honest I have a healthy distrust of cloud-linked applications. Some information should stay right where it is and only be available to me or my girlfriend. The final bit of info that pushed me towards Sticky Password is that security vendors like Kaspersky and VIPRE actually integrate it into their own products, and it has the most complete support for new methods, like stand-alone biometric passwords or biometrics combined with other forms of authentication per piece of information.
What would you recommend? Or what’s your take on having nothing to hide? Please feel free to drop a line below!
Small addition: @HermanRonk mentioned a viable combination of KeePass + ownCloud as well. So you have a traditional password manager + encrypted file, which can be hosted on your ownCloud environment for access. Thanks Herman!