undefined | Better HN

0 pointslolinder3y ago0 comments

Is the added security just that Dropbox is a lower value target (possible) and that attackers won't think to look for password databases in Dropbox accounts if they do compromise Dropbox (less likely)? Or is there something more to it?

EDIT: Given the replies below, I should be clear that I'm not interested in comparing to LastPass, I'm comparing to Bitwarden. LastPass had an obviously bad security model that failed to encrypt everything, but Bitwarden does not have that flaw.

0 comments

dspillett3y ago

Drop box is just the sync mechanism, with keepass' encryption (and their own care to keep the keys safe and not carried on the same medium) being all the protection.

Dropbox is not added security in this setup, it is a natural factor if what is being transferred [the keepass file(s)] is sufficiently secure in itself.

lolinderOP3y ago

I know Dropbox isn't added security, my question is why Dropbox losing the vault wouldn't be just as bad and as likely as Bitwarden losing the vault?

Another reply indicates that the main thing is that you don't have to trust the cloud service to do the encryption and zero-knowledge stuff right.

disillusioned3y ago

No possibility for a MITM attack (except, I suppose, with a keylogger, but then you've got bigger problems), and absolutely NOTHING outside of encryption, whereas whoever has this leak now knows what users have accounts on what websites, which is a veritable treasure trove.

That plus security through obscurity: no one is presuming you're going to come out of a Dropbox hack with millions of password vaults. Even finding them would be... nightmarish. (Though I suppose you could somehow hack a Dropbox file index database?) The value of a target like LastPass is absolutely insanely high: it's a concentrated honeypot of encrypted vaults.

Plus, the Android app makes using a Dropbox synced folder location fairly trivial, so that works pretty well. And you can set your own number of password rotations, which, while annoying when it takes my phone 5-10 seconds to unlock, realllllllly helps ensure no one else is going to crack this vault if they ever got it.

1 more reply

aborsy3y ago

No. When you login to LastPass, your password can be taken if LastPass is compromised. You have to trust that LastPass will not do it. If you login to Dropbox, the master password to your keepass database cannot be stolen. You don’t need to trust Dropbox.

But what you said is also an additional benefit.

lolinderOP3y ago

In theory, the master password is never supposed to leave your device even with the cloud-based password managers. So, yes, you're trusting that their clients do what they say they do, and I suppose an attacker could hijack the client and offload your password.

That said, the same risk applies to any client you use. Someone could have compromised the latest update of KeePassX as readily as they can compromise LastPass's client. If you don't have automatic updates then that's helpful, but I'm not sure it's producing enough security to be worth the extra hassle.

Dylan168073y ago

Having to compromise KeePassX rather than Dropbox, and specifically while you are updating, is not an insignificant difference.

1 more reply

mgsouth3y ago

The database is encrypted when at rest; i.e., no plaintext is stored on Dropbox. Assuming your master password is decent, you could plaster the database on a billboard and it would be safe. LastPass, on the other hand, encrypts some information (the actual passwords). The URLs and other sensitive information is stored in plaintext in the cloud. [Final edit. I swear.] As you note, as long as the entire blob is encrypted it doesn't really matter how it's replicated; BitWarden's one-stop-shopping can certainly be more convienent.

lolinderOP3y ago

But that is the same claim that Bitwarden and 1Password make. Both insist that they don't ever see your master password, which means that your vault security depends entirely on it being good enough. And both encrypt everything.

Assuming that I trust Bitwarden not to lie about their security model, what do I gain by piecing together multiple tools to accomplish the same thing?

mgsouth3y ago

(Sorry, I turned around and made an edit, but not before you replied.) KeePass encrypts the entire database, all fields, as one giant blob. LastPass stores URLs and other fields as plaintext; these too can contain critically sensitive information. [Edit: (See I flagged it)] As far as know it wasn't LastPass's client that was compromised--it was their servers/data store.

2 more replies

dzikimarian3y ago

Their software does see your master password. It may process it locally, it may not. If it's run in web client inside browser, that may change at any second. This may happen due to attack, their mistake, their dependency vulnerability or plain lie on their part. Fundamentally you need to trust them.

In case of keepass and independent sync(doesn't have to be Dropbox), software that sees master password doesn't need access to the internet. Can be even airgapped if you are extra paranoid.

So to sum it up: keepass + sync is better, because there's no single party that is even able to screw up you to the point of leaking your passwords. "Impossible to fail" is better than "they are doing their best, pinkie promise".

Also - why pay recurring fee for yet another cloud storage, when I just need plain encryption software.

1 more reply

roperj3y ago

> Or is there something more to it?

The part where they said they do not store either the key or password on Dropbox.

lolinderOP3y ago

You do not store the password on a password manager either. LastPass swears up and down that they never see your master password, all encryption happens client side. I can see good reasons not to trust LastPass at their word, but Bitwarden?

j / k navigate · click thread line to collapse

0 comments

dspillett3y ago

Drop box is just the sync mechanism, with keepass' encryption (and their own care to keep the keys safe and not carried on the same medium) being all the protection.

Dropbox is not added security in this setup, it is a natural factor if what is being transferred [the keepass file(s)] is sufficiently secure in itself.

lolinderOP3y ago

I know Dropbox isn't added security, my question is why Dropbox losing the vault wouldn't be just as bad and as likely as Bitwarden losing the vault?

Another reply indicates that the main thing is that you don't have to trust the cloud service to do the encryption and zero-knowledge stuff right.

disillusioned3y ago

1 more reply

aborsy3y ago

But what you said is also an additional benefit.

lolinderOP3y ago

Dylan168073y ago

Having to compromise KeePassX rather than Dropbox, and specifically while you are updating, is not an insignificant difference.

1 more reply

mgsouth3y ago

lolinderOP3y ago

Assuming that I trust Bitwarden not to lie about their security model, what do I gain by piecing together multiple tools to accomplish the same thing?

mgsouth3y ago

2 more replies

dzikimarian3y ago

In case of keepass and independent sync(doesn't have to be Dropbox), software that sees master password doesn't need access to the internet. Can be even airgapped if you are extra paranoid.

Also - why pay recurring fee for yet another cloud storage, when I just need plain encryption software.

1 more reply

roperj3y ago

> Or is there something more to it?

The part where they said they do not store either the key or password on Dropbox.

lolinderOP3y ago

j / k navigate · click thread line to collapse