How safe is encryption actually?
Question:
So from this I've gotten the impression from you guys that basically unless you're storing nuclear weapon launch codes then Joe Bloggs doesn't really need to encrypt his stuff.
I'm sure there's exceptions so I'll ask this question all the same...
WhatsApp have an encryption feature on its chat backup.
Would you bother?
I suspect if you only discuss your cat on WhatsApp then no big deal
But if you're discussing account access details then perhaps a little different?
Or not?
Would there be a particular reason NOT to encrypt the chat backup (aside from the possibility of forgetting your password and therefore losing the backup)? Is there any reason aside from this NOT to make use of the feature, or would you use it?
JustAnotherSaver said:
WhatsApp have an encryption feature on its chat backup. Would you bother? [...] Would there be a particular reason NOT to encrypt the chat backup (aside from the possibility of forgetting your password and therefore losing the backup)? Is there any reason aside from this NOT to make use of the feature, or would you use it?
Your chats are already encrypted in transit by WhatsApp and "at rest" by Google/Apple on your phone and in your cloud backup. But if, for example, you are plotting to overthrow the government in your dictatorship country and are worried that Google or Apple will provide the keys to your cloud backup to the authorities, then maybe you need to encrypt your backup as well.
But unless everyone else involved in the chats does the same, there is still a risk you will be compromised.
For ordinary folk in an ordinary country there is probably not much need for it.
The only other downside is deniability: having double-encrypted data in the first place shows you have something to hide, so if you are being tortured by the secret police to obtain details of your plot to overthrow the government, then you are better off having no backup and a self-wiping phone/computer triggered by a duress code or password.
Your security is like a chain. Even one or a few weak links make for a weak chain.
Does this rigorous attitude include deleting cookies?
Brute force tends to be an offline attack though, and it is actually not the most likely way somebody will be hacked. Here are the most likely ways:
1. Phishing that somehow gets you to enter credentials into a spoofed website or download malware that captures your passwords. Worst case is you use that password elsewhere and you have just opened up all your other accounts - 67% of people use the same password on different sites.
This is where browser-integrated password managers help - they only provide the password for the correct site, so if you are on a spoofed site it will not offer your password.
So a password timing barrier would not work because the attack is offline.
Does the advantage you mentioned for browser-integrated password managers make them the most suitable to use, or are other types better under some circumstances?
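The offline/online distinction in the post above is the whole reason a lockout or "timing barrier" does not help against a leaked hash. The following is an added illustration, not code from anyone in the thread: a constructed site stores a salted PBKDF2 hash, an attacker who has that hash runs the same wordlist entirely on their own machine, and the same wordlist pushed through the site's front door hits the lockout after five wrong guesses. The wordlist, the "leaked" hash and the iteration count are all made up for the demo (the iteration count is kept low so it runs quickly).

```python
import hashlib
import hmac
import os

# Constructed demo data, not a real leak. Iteration count is deliberately low for speed;
# real deployments use far more.
ITERATIONS = 20_000

# A constructed stand-in for a wordlist of common passwords.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "Welcome1",
    "Summer2023!", "iloveyou", "dragon", "monkey", "football",
]


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """What a site should store instead of the password itself: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def offline_crack(stored_hash: bytes, salt: bytes, candidates, iterations: int = ITERATIONS):
    """Offline attack against a leaked hash. Every guess is computed on the attacker's own
    machine, so the site's lockout counter is never consulted. Returns the password or None."""
    for guess in candidates:
        if hmac.compare_digest(hash_password(guess, salt, iterations), stored_hash):
            return guess
    return None


class OnlineLogin:
    """The defence the question asks about: the site counts failures and locks the account."""

    def __init__(self, stored_hash: bytes, salt: bytes, max_attempts: int = 5):
        self._hash, self._salt = stored_hash, salt
        self.max_attempts, self.failures = max_attempts, 0

    def try_login(self, password: str) -> str:
        if self.failures >= self.max_attempts:
            return "locked"
        if hmac.compare_digest(hash_password(password, self._salt), self._hash):
            return "ok"
        self.failures += 1
        return "wrong"


def online_guess(login: OnlineLogin, candidates):
    """Push the same wordlist through the login form; gives up once the lockout triggers."""
    for guess in candidates:
        result = login.try_login(guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    leaked = hash_password("Summer2023!", salt)          # the hash an attacker obtained offline
    print("offline:", offline_crack(leaked, salt, COMMON_PASSWORDS))          # Summer2023!
    print("online :", online_guess(OnlineLogin(leaked, salt), COMMON_PASSWORDS))  # None (locked)
    strong = hash_password("correct horse battery staple 7 hedgehogs", salt)
    print("offline vs passphrase:", offline_crack(strong, salt, COMMON_PASSWORDS))  # None
```

The lockout only ever sees the online path; the leaked-hash path is limited solely by how fast the attacker can compute the KDF and how guessable the password is, which is why a long passphrase that is not in any wordlist matters more than any server-side counter.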
Does the advantage you mentioned for browser-integrated password managers make them the most suitable to use, or are other types better under some circumstances?
1. Browser-integrated password managers are really convenient and encourage the use of strong passwords because it is just so easy, and they work on whatever device you log into, including phones, multiple computers etc.
2. They also avoid the copy-and-paste element of other password managers and therefore the risk of you pasting the password into the wrong place/wrong website, or other leaks that can come from malware accessing your clipboard.
3. They are never actually shown on screen either and require another security layer if you do want to view them.
But there is an element of risk in terms of the browser security and storing them all "in the cloud", but not significant enough for me to worry about because I'm not aware of any such breaches - password management companies have a reputation to uphold and will go above and beyond the typical website company in terms of keeping them safe.
If you are ultra security-focussed then you would host your own password manager.
goodValue said:
Your security is like a chain. Even one or a few weak links make for a weak chain. Does this rigorous attitude include deleting cookies?
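The phishing resistance claimed for browser-integrated managers earlier in the thread ("they only provide the password for the correct site") comes down to one rule: a saved credential is offered only when the page's origin matches the origin it was saved for. This added example is not code from any browser or password manager; it uses a constructed two-entry vault and a strict exact-origin policy (scheme, host and port must all match) to show which lookalike URLs get nothing. Real managers differ in detail, for instance some match on the registrable domain so that paypal.com and www.paypal.com share an entry; that is an assumption the reader can relax in `origin()`.

```python
from urllib.parse import urlsplit

# Constructed vault entries (not real credentials), keyed by the origin they were saved on.
VAULT = {
    "https://www.paypal.com": ("alice", "hunter2-but-much-longer"),
    "https://mybank.example": ("alice", "a-different-unique-password"),
}


def origin(url: str):
    """Return (scheme, host, port) for http(s) URLs, or None for anything else.

    Using the parsed hostname (not the raw string) defeats the user-info trick
    https://www.paypal.com@evil.example/ and subdomain tricks such as
    www.paypal.com.evil.example; requiring the scheme to match blocks an HTTP downgrade."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def credentials_for(url: str, vault=VAULT):
    """Autofill decision: offer a credential only when the current origin equals a saved one."""
    current = origin(url)
    if current is None:
        return None
    for saved_url, creds in vault.items():
        if origin(saved_url) == current:
            return creds
    return None


if __name__ == "__main__":
    for page in [
        "https://www.paypal.com/signin",                 # genuine: filled
        "https://www.paypal.com:443/signin?x=1",         # same origin, explicit default port: filled
        "http://www.paypal.com/signin",                  # downgrade: not filled
        "https://www.paypa1.com/signin",                 # lookalike host: not filled
        "https://www.paypal.com.evil.example/signin",    # attacker's subdomain: not filled
        "https://www.paypal.com@evil.example/signin",    # user-info trick: not filled
        "javascript:alert(1)",                           # not a web origin at all
    ]:
        print(f"{page:48} -> {credentials_for(page)}")
```

A human reading the address bar has to notice every one of those differences; the manager just compares the parsed origin, which is why it fails safe on a phishing page even when the page looks perfect.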
But there is an element of risk in terms of the browser security and storing them all "in the cloud", but not significant enough for me to worry about because I'm not aware of any such breaches - password management companies have a reputation to uphold and will go above and beyond the typical website company in terms of keeping them safe. If you are ultra security-focussed then you would host your own password manager.
As an inexperienced user, I thought it common sense to initially restrict the number of apps on my laptop. And also to restrict visiting websites that I had not heard of. So I'm thinking of searching for a non-cloud manager.
goodValue said:
As an inexperienced user, I thought it common sense to initially restrict the number of apps on my laptop. And also to restrict visiting websites that I had not heard of. So I'm thinking of searching for a non-cloud manager.
Most users start with Edge, Chrome (yes, or Firefox), or Apple's built-in password storage, which are much better than they were, and better than none.
Albeit they are more geared to web/cloud based services.
If you want an offline-only manager, make sure you have a very robust backup process, as if you lose access to your laptop, the local password manager goes with it.
KeePass is probably the most used non-cloud solution.
And ensure any passwords for the backup process are not saved solely in the password manager.
FYI, a password manager is the first (and sometimes only) thing I install onto a new laptop/device, as I need access to passwords to access virtually any other system.
Finally, can you explain how the following is influencing your choice, as I think I am missing the reasoning:
And also to restrict visiting websites that I had not heard of.
goodValue said:
So I'm thinking of searching for a non-cloud manager.
I'm actually going the other way. I've used non-cloud for years but my needs have changed and now I need something to work with both mobile AND desktop. And before anyone says it, I know KeePass does, BUT then tell me how you can edit/add an entry on one device in KeePass and it automatically updates on the other?!
k_man said:
Choosing a non-cloud based solution is a little unusual for an inexperienced user.
Really? I was inexperienced in password managing and I didn't want cloud to begin with. Didn't trust it. Local based suited my needs for many years.
k_man said:
Most users start with Edge, Chrome (yes, or Firefox), or Apple's built-in password storage, which are much better than they were, and better than none. Albeit they are more geared to web/cloud based services.
If you want an offline-only manager, make sure you have a very robust backup process, as if you lose access to your laptop, the local password manager goes with it.
*makes sure nobody is glaring at him* Yes, this man is very very right!
k_man said:
KeePass is probably the most used non-cloud solution.
Is what I've used for many years. I don't understand why review articles call it difficult because it's really really not.
For the record, as of yesterday I have started to make the switch to Bitwarden. I needed something where if I made an addition or alteration on desktop/mobile then it would update on the other device, as I had started finding myself having to make alterations for whatever reason on one device and then having to remember to update on the other device when I got to it/had time. Bitwarden allows me to do that automatically now. How safe Bitwarden is, how good Bitwarden is, I can't honestly say. My early readings of it seem to say that it's decent enough.
JustAnotherSaver said:
I've used non-cloud for years but my needs have changed and now I need something to work with both mobile AND desktop. And before anyone says it, I know KeePass does, BUT then tell me how you can edit/add an entry on one device in KeePass and it automatically updates on the other?! [...] For the record, as of yesterday I have started to make the switch to Bitwarden.
Did you choose KeePass (and I used it years ago too) before we really trusted the cloud or browser-based options?
I know when I chose it, I don't think I was even aware of cloud-based options, but then all programs were local, and the Internet was just emails and web pages!
I think (many of us) have a different attitude to cloud now. And given that most of the details we save in the password manager are for cloud services, it makes some sense for the password manager to be one of them. And as you suggest, cloud tends to work much better with multiple devices.
When I did use KeePass, I synced it via Google Drive to a mobile, but it had challenges. So I moved to LastPass about 12 years ago.
KeePass has probably moved on too!
k_man said:
Did you choose KeePass (and I used it years ago too) before we really trusted the cloud or browser-based options? [...] When I did use KeePass, I synced it via Google Drive to a mobile, but it had challenges. So I moved to LastPass about 12 years ago. KeePass has probably moved on too!
Not sure what you were asking in the opener there. I think you're asking me what drew me to KeePass all those years ago, so that's what I'll answer...
Basically I liked its simple look. That was the main thing. I'd been getting LastPass suggested to me but I felt like there was just 'too much going on' with it in terms of look and operation. I liked how simple KeePass was/looked ... which is why I'm so shocked when articles don't put it near the top and for negative marks they say it's complicated or there's a learning curve. There really really isn't. You download it, you make some entries, you save it, job done. It can't get much more simple.
I must admit that at the time I did like how it wasn't stored up in the sky, so I FELT more secure because of that.
As my use has changed over the years I've been having to take to storing a login entry in my Dropbox. So what I was having to do is basically edit an entry or create a new one, save it to the KeePass file on my desktop PC, then copy that file to my Dropbox so that my Dropbox one stayed current.
But then I was finding myself in situations where I'd need to edit while on my mobile. Maybe I was logging in somewhere that all of a sudden decided it wanted me to change my password there & then. So I'd edit the Dropbox file but I'd have to then remember to update the desktop file when I got to my PC. And sometimes I'd forget.
So it started to make more & more sense to have something that would do both mobile and desktop. That would've been LastPass for me, however they shot themselves in the foot (as far as I'm concerned) the moment they started asking for money. I'm a tightwad & you have to be real good for me to give you my money.
Bitwarden got decent enough reviews & ticked the mobile/desktop boxes so the decision was made for me as it's free .... for now.
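The two-copies problem described in the last few posts (edit the vault on the phone, edit it on the desktop, then copy one file over the other and lose whichever edit was on the loser) is a merge problem, not an encryption problem. The example below is added here to make that concrete and is not KeePass, Bitwarden or Dropbox code: a tiny in-memory vault where each entry carries a stable uuid and a last-modified time, a whole-file overwrite that mimics what a plain file copy does, and a per-entry merge that keeps the newer version of each entry. The scenario data and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Entry:
    uuid: str       # stable id, so the same entry is recognised on both devices
    site: str
    password: str
    modified: int   # last-modified time; constructed integers in the demo below


Vault = Dict[str, Entry]


def overwrite_sync(local: Vault, remote: Vault, local_file_is_newer: bool) -> Vault:
    """What copying the vault file through Dropbox/Google Drive does: the copy with the
    newer file timestamp replaces the other one wholesale. Edits that exist only in the
    older copy are silently lost."""
    return dict(local if local_file_is_newer else remote)


def merge_sync(local: Vault, remote: Vault) -> Vault:
    """Per-entry merge: for each uuid keep the more recently modified version, and keep
    entries that exist on only one side. The result is the same whichever side is 'local'."""
    merged = dict(local)
    for uuid, entry in remote.items():
        if uuid not in merged or entry.modified > merged[uuid].modified:
            merged[uuid] = entry
    return merged


def build_scenario() -> Tuple[Vault, Vault]:
    """Constructed data: both devices start from the same vault, then diverge."""
    base = {
        "bank":  Entry("bank",  "bank.example",  "old-bank-pw", 100),
        "forum": Entry("forum", "forum.example", "forum-pw",    100),
    }
    # On the phone (t=200): a site forced a password change, so the bank entry was edited.
    phone = dict(base)
    phone["bank"] = Entry("bank", "bank.example", "rotated-bank-pw", 200)
    # On the desktop, later (t=300): a brand-new entry was added, so that file is the newer one.
    desktop = dict(base)
    desktop["isp"] = Entry("isp", "isp.example", "isp-pw", 300)
    return phone, desktop


if __name__ == "__main__":
    phone, desktop = build_scenario()
    lost = overwrite_sync(desktop, phone, local_file_is_newer=True)
    print("file overwrite, bank password:", lost["bank"].password)   # old-bank-pw (rotation lost)
    good = merge_sync(desktop, phone)
    print("per-entry merge, bank password:", good["bank"].password)  # rotated-bank-pw
    print("entries after merge:", sorted(good))                      # ['bank', 'forum', 'isp']
```

The overwrite keeps the new ISP entry but quietly reverts the rotated bank password, which is exactly the "forgot to update the other copy" failure in the posts. The merge needs per-entry modification times to work, and a real implementation also has to record deletions (a tombstone list) so that an entry removed on one device is not resurrected from the other; that part is left out here.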