Slyguy

Level 43
Guys, are there any decent password managers (with cloud sync) that aren't based in VA. Aren't hacked all of the time. Aren't stored on AWS?

Reviewing the Snowden/Wikileaks documents and other press releases I am inclined to believe AWS isn't to be trusted. I know the NSA blew a gasket when Glenn Greenwald convinced Wikileaks to switch away from AWS (NSA said that kind of advice needs to be disrupted). Also Booz Allen Hamilton 'brags' they have accessed AWS data centers and 'consult' with AWS at a deep, API level. Also apparently OneLogin was compromised at the backend through AWS API.

Roboform = VA.. (no clue about their cloud stuff, but VA? No.. Also they've been implicated in exposing user data)
Lastpass = VA (also, they may use AWS. They've had too many issues)
Dashlane = AWS, and they dump thousands of logs a day to Ireland.
Stickypassword/KasperskyPW = AWS
1Password = AWS
mSecure = AWS

I'm thinking there has to be something out there that doesn't stink, but also isn't overly compromised or sitting on US Intelligence linked servers with NSA APIs..
 

Slyguy

Level 43
AWS = Amazon Web Services..

AWS works closely with US Intelligence, and some have noted US Intel has access to AWS API. There are many other reasons one may not want to use AWS but it is often used for extreme reliability. But I rarely hear anyone talk about the potential security issues with AWS. Recently OneLogin was compromised based on some compromised API or server access to OneLogin AWS. (I'd have to look) I just want to avoid AWS as much as possible.

Keepass isn't an option, I need sync and I need reliable auto-fill.
 

Slyguy

Level 43
I need to figure out where PasswordBoss stores theirs, but I found this on the Password Boss site..

Global Storage: Consumers are in control of their security
by choosing where in the world they would like to store their
encrypted data, a feature that is unique to Password Boss.
Consumers can choose to store their data in secure storage
locations in the U.S., Europe, Asia or Australia, and move their
data anytime they like

I want to dig into what firm actually handles their servers before investigating further.
 

kamla5abi

Level 4
hmm this is an interesting topic
i can see why so many companies would use AWS (reliable) and why gov spooks would like access to that data/info too

many of the AV companies also offer some of those services too
BD has one (BD wallet) and intel truekey is another I've seen recently (when i tried to install adobe pdf viewer it was autochecked to be bundled/included...annoying...)
 

VeeekTor

Level 5
AWS = Amazon Web Services..

AWS works closely with US Intelligence, and some have noted US Intel has access to AWS API. There are many other reasons one may not want to use AWS but it is often used for extreme reliability. But I rarely hear anyone talk about the potential security issues with AWS. Recently OneLogin was compromised based on some compromised API or server access to OneLogin AWS. (I'd have to look) I just want to avoid AWS as much as possible.

Keepass isn't an option, I need sync and I need reliable auto-fill.

Thanks....Concerning "auto fill" for forms, the only 3 that do it are Sticky password, Dashlane, and Roboform.
 

Slyguy

Level 43
hmm this is an interesting topic
i can see why so many companies would use AWS (reliable) and why gov spooks would like access to that data/info too

many of the AV companies also offer some of those services too
BD has one (BD wallet) and intel truekey is another I've seen recently (when i tried to install adobe pdf viewer it was autochecked to be bundled/included...annoying...)
Truekey is a rebrand of PasswordBox. Passwordbox ripped off everyone by selling lifetime subs, then closing down a few months later, then invalidating keys and finally selling off to Intel. Passwordboss doesn't instill confidence in me when my AV triggers off alarms with multiple modules, and VirusTotal detects the installer as malware with 3 engines on it.. Dr. Web blocks the heck out of Passwordboss. Even Heimdal blocks passwordboss from dialing home. Not risking that.

I've confirmed with support that Password Boss uses AWS infrastructure and API. So no go there.
 

mekelek

Level 28
how about Keepass that is local? You could store its encrypted file on some offshore server of your choosing.
 

Slyguy

Level 43
I'm down to trying bitwarden. Opensource, functions feel like a cross between lastpass and Dashlane.. It's free. I've been in a long conversation with the developer who seems very proactive and open to discussing this. It's encrypted with double cryptos and stored on an Azure environment. The only thing leaving your PC is double encrypted blobs that would be virtually impossible to compromise.

Free Open Source Password Manager | bitwarden

I am going to pick apart the source a bit and run some tests.
 

mekelek

Level 28
I'm down to trying bitwarden. Opensource, functions feel like a cross between lastpass and Dashlane.. It's free. I've been in a long conversation with the developer who seems very proactive and open to discussing this. It's encrypted with double cryptos and stored on an Azure environment. The only thing leaving your PC is double encrypted blobs that would be virtually impossible to compromise.

Free Open Source Password Manager | bitwarden

I am going to pick apart the source a bit and run some tests.
this looks like a solid lastpass replacement.
 

kamla5abi

Level 4
I'm down to trying bitwarden. Opensource, functions feel like a cross between lastpass and Dashlane.. It's free. I've been in a long conversation with the developer who seems very proactive and open to discussing this. It's encrypted with double cryptos and stored on an Azure environment. The only thing leaving your PC is double encrypted blobs that would be virtually impossible to compromise.

Free Open Source Password Manager | bitwarden

I am going to pick apart the source a bit and run some tests.
Just to follow up with this post, have you been using this program ?
How do you like it?
Any things that you don't like about it?

I've used Chrome's built in form/password remember feature (mostly since it syncs across devices easily), and tried out Bitdefender's Wallet too kinda (dunno if it would work on android phones/tablets yet though)
but if we can find an alternative that is better and/or more secure, and still allows syncing across devices, that would be good.
that way we aren't married/restricted to whatever program we're using in which the password remember feature happens to be a part of
 

Slyguy

Level 43
Just to follow up with this post, have you been using this program ?
How do you like it?
Any things that you don't like about it?

I've used Chrome's built in form/password remember feature (mostly since it syncs across devices easily), and tried out Bitdefender's Wallet too kinda (dunno if it would work on android phones/tablets yet though)
but if we can find an alternative that is better and/or more secure, and still allows syncing across devices, that would be good.
that way we aren't married/restricted to whatever program we're using in which the password remember feature happens to be a part of
I like it a lot.. Only one feature missing - secure note storage. The developer has told me this is next on the list, possibly within a few weeks.

That will make it perfect for me!
 

DeepWeb

Level 25
Verified
Honestly if the NSA is after your passwords they will get them one way or another and you have FAR bigger problems. :p They don't have the resources to focus on everyone's password vault. You are already in the top 10% of harder to hack people for using one.

LastPass stores your passwords as hashes and every time you change your master password, they get rehashed into something else. Yes, AWS like any good server makes images of what is on their drives in case of failure. That's why you should change your master password on a regular basis.

What I do is I have a very long password for my online password vault which I create from an offline password vault. And that vault has a password stored in brain.exe. Remember even if they had them someone at the NSA would have to sit down and analyze all the data from all of your accounts to come to the conclusion that you are not a threat. They're not gonna bother. They will simply subpoena the domains that you visit to hand over all the information about you. No password required. Go the path of least resistance.

Needless to say I would be more worried about private citizens and companies getting their hands on them and for that, all password managers are still good.:)
 

Slyguy

Level 43
I don't trust the AWS API. The OneLogin API compromise is one example why I do not trust it, but the fact that our govt. and intel contractor infrastructure is hosted on the same AWS framework is most concerning. I'm less inclined to toss up my arms and say 'oh well, they will get it anyway!' and more inclined to assert my absolute right to privacy from a govt. intel(and contractors) that have largely been proven to have gone rogue. It's not so much that I have anything to hide, it's the fact that I believe it is our absolute right to have privacy as provided by the 4th Amendment. Also, we just can't be sure what all of this broad information gathering will amount to in the future and what hands that data could ultimately end up in.

I believe in spreading jurisdiction of product/service usage around the globe to help in privacy. For example my zero-knowledge cloud service is in Canada. My email in Norway. My VPN in Hong Kong. Etc.. So having a non-US jurisdiction is important to me but having a non-AWS service is even more crucial.

I will agree that if the NSA/CIA/DISA whatever did want my data they could get it. But the amount of effort to obtain the important data wouldn't be warranted. That's my goal here, to never make it easy on anyone. It's like having lights, good locks, dog, alarm and some cameras on your home. You make it difficult for the crooks (or anyone else) to even consider your location over someone else. To be honest, I think it's something everyone should do to assert their absolute right to privacy.

If the Snowden, Snowden2 etc dumps taught us anything, it's that these cartels are pretty annoyed by observant, secure and (in their words) paranoid people. I always found this statement from the CIA hilarious: "Comodo's user base, paranoid bastards that they are, has apparently caught wind of this and lots of them haven't upgraded to 6.X [sic]"
 

509322

Guys, are there any decent password managers (with cloud sync) that aren't based in VA. Aren't hacked all of the time. Aren't stored on AWS?

Reviewing the Snowden/Wikileaks documents and other press releases I am inclined to believe AWS isn't to be trusted. I know the NSA blew a gasket when Glenn Greenwald convinced Wikileaks to switch away from AWS (NSA said that kind of advice needs to be disrupted). Also Booz Allen Hamilton 'brags' they have accessed AWS data centers and 'consult' with AWS at a deep, API level. Also apparently OneLogin was compromised at the backend through AWS API.

Roboform = VA.. (no clue about their cloud stuff, but VA? No.. Also they've been implicated in exposing user data)
Lastpass = VA (also, they may use AWS. They've had too many issues)
Dashlane = AWS, and they dump thousands of logs a day to Ireland.
Stickypassword/KasperskyPW = AWS
1Password = AWS
mSecure = AWS

I'm thinking there has to be something out there that doesn't stink, but also isn't overly compromised or sitting on US Intelligence linked servers with NSA APIs..
It doesn't matter what password manager service you use. If it has facilities somewhere in the U.S., then all any U.S. or 14-eyes security agency need to do via U.S. govt channels is to present the password manager service with a National Security letter. They do not need to hack a damn thing.

And National Security letters fly out the Justice Dept back door about every single day...

Hacking is used to gather evidence to build criminal cases - unless you believe in that whole "V is for Vendetta" hood-over-the-head, cracked-in-the-head in the middle of the night conspiracy thing.
 

Slyguy

Level 43
It doesn't matter what password manager service you use. If it has facilities somewhere in the U.S., then all any U.S. or 14-eyes security agency need to do via U.S. govt channels is to present the password manager service with a National Security letter. They do not need to hack a damn thing.

And National Security letters fly out the Justice Dept back door about every single day...

Hacking is used to gather evidence to build criminal cases - unless you believe in that whole "V is for Vendetta" hood-over-the-head, cracked-in-the-head in the middle of the night conspiracy thing.
I'm aware of how all of this works and the nature of NSLs. Which is specifically why I avoid US products/services when possible in relation to privacy/security. (I emphasize, when possible) Also this is why I tend to utilize zero-knowledge based services and when possible, attempt to validate they are true Zero Knowledge. For example when I tested Dashlane and 'pretended' to lose my master password, and pressed them, they offered a 'potential' backdoor provided I still had access to the AppData folder on the specific PC. It's also how I found out Tutanota was able to offer an intercept method to their encrypted email. (and why I do not use either of those services any longer)
 

Glashouse

Level 4
Verified
What do you think of using Keepass and adding cloud capabilities using your own sync solution?

I have used it for years, syncing with Resilio Sync (former BT Sync) which needs no server and Seafile hosted on my own system.

This way you are always in control...
 

Slyguy

Level 43
What do you think of using Keepass and adding cloud capabilities using your own sync solution?

I have used it for years, syncing with Resilio Sync (former BT Sync) which needs no server and Seafile hosted on my own system.

This way you are always in control...
Sounds good. Have you ever run into any issues with proper syncing? This is probably ideal, assuming you can adequately secure your network/servers/drives. My concern would be someone syncing to their home behind a Netgear router, no vlans and potential compromises. Whereas many of the cloud hosted companies I have worked with have robust security in place. I assume your solution would be ideal when properly secured! Thanks for the idea, I will look into this ASAP. I'd prefer to control my own data.

I staged a 'forgot my MP' with Bit Warden and no recovery was available. The only thing the developer could do was wipe my account. So at least that's good to know. I even offered him a few hundred dollars to attempt data recovery, but it wasn't possible regardless of the bounty.
 

Glashouse

Level 4
Verified
No, syncing works very well. If there were a sync issue I wouldn't mind, as I have a version from each time I save the password file in my backup.
Also Resilio Sync and Seafile, no matter which one you take, can have a version history. If you don't want to mess with the server side I would say take a look at Resilio. It does all the syncing between my systems + mobile and works like a charm.
 