The result is that the cloud service never actually knows your master password, so even if someone broke into the cloud service and stole everyone's password files, they wouldn't actually get access to anyone's passwords!
Crucially, though, this is not the same key as is used for decryption - though the same master password is used to produce both keys. To retrieve the database, you have to present a key that is also derived from your master password. If the password manager has a cloud sync feature (like LastPass, for instance), the encrypted password database is uploaded to the cloud. You never even need to know your site passwords. When you want to log into a site, you enter your master password, and the password manager decrypts the (unique) password to the site you're logging into. It stores your passwords in a database encrypted with a key that is derived from a "master password" you create and memorize.
How they work is this: the password manager runs locally, in the browser on your computer. Using a password manager is much more secure than having one password shared across multiple sites, or storing passwords in your web browser. Using a password manager is not as secure as using a unique, strong password that's different for every site and keeping them all memorized. They're a security bargain that is almost always a positive. So if you have your password database combined with RFC4226 one-time-password that means even if an attacker got your password, they wouldn't be able to login to the services that also require the one-time generated codes.
Alldatapro passwords that work software#
If the computer you use the database from is safe, and the password safe software isn't buggy, then they give you a relatively strong amount of security with a good amount of usability.Īlso consider that these days many online services offer multi/two-factor authentication. Password managers all more or less rely on the assumption that the computer you are using the password manager from is secure, and that you won't open your password database if the system you are on is not safe. These traits are very difficult to have without a password manager. Well known password managers have been pretty heavily vetted by security professionals, and also let you have strong randomly generated passwords, that are unique for each site. You always have to look at this things in relation to the alternatives, and pick the best method that is relatively secure, but also usable. Sure, there is some risk with password managers, but there is risk with almost every method for passwords, and authentication on the Internet.
0 kommentar(er)
