How Not to Store Information Online
Note: This is a 2008 post I managed to recover from my archive of Securethoughts.net
There are many online services which aim to provide you with an anytime-anywhere way of accessing personal information. One such service that has gotten some attention recently is PasswordSafe.com.
PasswordSafe.com, recently criticised by Bruce Schneier (probably mainly because he’s the creator of a password storage utility called Password Safe, and is pissed off that they’re using the same name), is an online service which allows you to store your passwords in a convenient accessible-from-anywhere-in-the-world place. This is by no means the only service of its kind. Despite countless claims of client-side encryption, secure databases, or downright promises of “we don’t look at your passwords”, I have to say that the idea of entrusting any of my passwords to Bob in Delaware, or Dmitriy in Moscow, is more than disconcerting. You see, it’s not that we don’t trust Bob or Dmitriy (and his friends from the Russian Business Network); the simple fact of the matter is that you lose all control over the information you entrust to others.
A suitable alternative solution would be hard to find. In the end it would come down to having complete faith in the system hosting your personal information; in my case, I would want to have control over that system myself. When it comes to passwords, I wouldn’t store them anywhere, but if I had to I would use a reputable piece of software like Schneier’s Password Safe, or KeePassX. I would then be comfortable enough to maybe upload the encrypted database into my webmail for recovery at a later date.
The moral of the story is: think very carefully before putting stuff online. This includes personal information that you post on Facebook and other sites, but equally important is your very private information and your passwords. Now, if you want to store your shopping list in an encrypted online locker, by all means… go ahead ;)