May 20, 2008

How Not to Store Information Online

Note: This is a 2008 post I managed to recover from my archive of Securethoughts.net.

There are many online services which aim to provide you with an anytime-anywhere way of accessing personal information. One such service that has gotten some attention recently is PasswordSafe.com.

PasswordSafe.com, recently criticised by Bruce Schneier (probably mainly because he’s the creator of a password storage utility called Password Safe, and is pissed off that they’re using the same name), is an online service which allows you to store your passwords in a convenient, accessible-from-anywhere-in-the-world place. This is by no means the only service of its kind. Despite countless claims of client-side encryption, secure databases, or downright promises of “we don’t look at your passwords”, I have to say that the idea of entrusting any of my passwords to Bob in Delaware, or Dmitriy in Moscow, is more than disconcerting. You see, it’s not that we may not trust Bob or Dmitriy (and his friends from the Russian Business Network), but the simple fact of the matter is that you lose all control over the information you entrust to others.

iLocker.org works in much the same way, but lets you store text in an encrypted ‘locker’. They claim security by performing AES encryption on the client side using JavaScript. Now, although I’m sure the JavaScript implementation of AES is lovely, you’re again trusting not only that one developer’s code is valid, but also that your browser isn’t being compromised at the same time.

A suitable alternative solution would be hard to find. In the end it would come down to you having complete faith in the system hosting your personal information; in my case, I would want to have control over the system itself. When it comes to passwords, I wouldn’t store them anywhere, but if I had to, I would use a reputable piece of software like Schneier’s Password Safe, or KeePassX. I would then be comfortable enough to maybe upload that into my webmail for recovery at a later date.

Moral of the story is, think very carefully before putting stuff online. This includes personal information that you post on Facebook and other sites, but equally important is your very private information and passwords. Now, if you want to store your shopping list in an encrypted online locker, by all means… go ahead ;)
