Keeping your passwords safe in a safe safe.

Passwords.

I’m a huge fan of Keepass. Keepass is a free program that will remember your passwords for you.

It is very easy to use and it features ‘auto-type’ so you don’t even have to copy your usernames and passwords, Keepass handles that for you.

A little while ago I heard of Lastpass. It basically does the same thing and nicely integrates with your browser, Android and iOS devices. I installed it, imported the Keepass data (which works quite well but not 100% accurately) and I used it. It’s good. It does what you should expect of it.

Then, however, I started wondering where Lastpass stores its data. With Keepass you have an encrypted file on your computer that holds your passwords. You can synchronise that to all your other devices by sticking it in Dropbox, Google Drive or any other file sharing system you prefer. Not so with Lastpass. I couldn’t find where that file is stored so I went looking.

It turns out that your password file is stored on the Internet, on the Lastpass servers. Each time you connect to the Internet, Lastpass will synchronise the file on the device you’re currently using.

Cloud.

So here’s the deal. You use Lastpass and you’re a happy camper. Understand that your passwords are not only on your system (in a spot that’s hard to locate; I tried and didn’t find it) but they’re also on a machine that’s outside your control. I can imagine that’s fine for vacation pictures and your collection of recipes for lasagna and hot tamales, but I didn’t feel very good about that. It’s my collection of usernames and passwords. Of course, you may argue that I’m paranoid, that Lastpass will treat your file with care and loving attention, but…

How many loving, caring systems that contain your files have been hacked lately? Yahoo for instance has a great track record of being hacked. Imagine that a hacker gets access to the file that contains your passwords, slaps some ransomware over it and next time you sync your Lastpass – kazaam, there you are with nothing left to show except a kind note from a hacker to hand over a lot of money for your files. Okay, okay, hackers can also do that to Google Drive and Dropbox (which is why I don’t keep those files there).

Control.

I like to keep things that are mine in my own hands. I’m one of the lucky people with a Synology NAS which gives me my personal cloud system (google ‘Synology Cloud Station’). There are other ways to set up your personal cloud, I’m sure. Worst case you can always e-mail the file to yourself and download it to your device.

The potential security issue I just described made me go back to Keepass. Because I like my passwords in a safe place, one that I can decide on.

Control freak? Perhaps. But for my entire collection of credentials for online access I am happy with that title.

Keeping your data safe in the cloud the cheap way – part 2

Note: This page was updated on 2016-12-03. Truecrypt is no longer in use as it contained errors. If you want to find some alternatives for your system, have a look here.

A while ago I posted about a cheap way to keep your data safe in “the cloud”. Most people know Dropbox, Skydrive and Google Drive, and that none of these systems are encrypted on your end. Because of that I installed Truecrypt and did some experiments.

Let’s set this as a case. You have 5MB of data you want to keep in the cloud. Dropbox gives you 2GB for free, so 5MB fits in there easily. But your MBs are only encrypted by Dropbox; any CIA/FBI/NSA/TSA John Doodle can walk in and look at them. Dropbox will hand them the encryption key. Be one step ahead.

Set up Truecrypt and create a 10MB container. (See the previous post on the how-to and such.) My advice is to set up the container outside Dropbox. Stick your 5MB worth of data inside the new drive (which is the Truecrypt container) and happily use it. Once in a while, copy the 10MB container to Dropbox so it gets saved to the cloud, encrypted by Truecrypt. Do NOT copy the files from the container to Dropbox, because then Truecrypt will decrypt them first. So if you set up the container in c:\mycrypt\container which you linked to drive T:, copy c:\mycrypt\container to Dropbox, not everything in T:.

Why not create the container directly in a Dropbox folder? Dropbox will then continuously update the entire 10MB to the cloud, which might affect the rest of your internet access. If you’re okay with that, go ahead and put the container directly inside a Dropbox folder.

And why 10MB for 5MB of data? That’s to have some space for when your amount of data grows. You can make it 6MB, but when you get to 6.1MB of data, you’ll need to create a new container in Truecrypt and copy things over. It’s just some planning ahead.
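The "copy the container, not the contents of T:" step can be scripted. The following is an added example, not part of the original post: it copies the encrypted container file into the synced folder only when it has changed, and refuses a directory such as the mounted drive. The function names and the Dropbox folder location are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large containers do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sync_container(container: Path, sync_dir: Path) -> str:
    """Copy the encrypted container file into the synced folder.

    Returns "copied" or "unchanged". Raises ValueError when given a
    directory, such as the mounted drive, whose files are plaintext.
    """
    if not container.is_file():
        raise ValueError(f"{container} is not a container file; "
                         "do not copy the mounted drive's contents")
    target = sync_dir / container.name
    source_hash = sha256_of(container)
    if target.is_file() and sha256_of(target) == source_hash:
        return "unchanged"  # nothing new to upload

    # Write under a temporary name, verify, then rename, so the file the
    # sync client sees under the container's name is always complete.
    fd, tmp_name = tempfile.mkstemp(dir=sync_dir, prefix=".partial-")
    os.close(fd)
    tmp = Path(tmp_name)
    try:
        shutil.copyfile(container, tmp)
        if sha256_of(tmp) != source_hash:
            raise IOError("copy does not match the source container")
        os.replace(tmp, target)
    finally:
        tmp.unlink(missing_ok=True)  # no-op after a successful rename
    return "copied"


if __name__ == "__main__":
    # Container path from the post; the Dropbox folder is an assumption.
    print(sync_container(Path(r"c:\mycrypt\container"),
                         Path.home() / "Dropbox"))
```

Run it after dismounting the volume, so the container file is not being written to while it is copied.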

Hope this helps someone.