Are password managers safe from the NSA surveillance?
The NSA is decrypting all things. You might have your passwords stored with a password management tool, such as the popular LastPass or 1Password apps. Should you be worried? Yes and no.
This question was posed on Quora: Is it reasonable to assume that developers of popular password management software (LastPass,...) are/will be forced by law enforcement to install backdoors in their encryption algorithms?
Two employees of AgileBits, the developers of 1Password, chimed in to say they hold neither your data nor your master password, and so they have no ability to intercept or decrypt your 1Password file. AgileBits posted this blog post when all internet security/privacy hell broke loose.
However, the issue goes a bit beyond whether the government can get at your data. Given the craziness with Lavabit shutting down due to government pressure, it's not outside the realm of reason that the government could compel developers to weaken their systems. Jeffrey Goldberg offers on Quora, however, a few reassurances:
So here are a few things to keep in mind:
- We have developers in four different countries. (CA, US, UK, NL). It would be difficult to gag all of us.
- Lavabit has set a precedent in how to respond. I like to think that we would take the legal and financial consequences of refusing to comply, but of course that is an easy thing to say now. Nobody really knows what kind of pressure governments could put on us or how we would personally respond.
- We are very open about our data design and security architecture. That should make it harder to deliberately weaken it without detection.
- Password managers are not, in general, communication tools. Perhaps that would make us of less interest.
- If the NSA/FBI/TLA is seriously after a particular 1Password user it would probably be easier (and less likely to be detected) to attack the target's operating system than to force us to change 1Password's design. That is, it is easier to go around 1Password instead of through it.
Still I remain cautiously optimistic that we will never be confronted with such a request, largely because of increased public awareness. The risks of the TLAs getting caught doing something like that and there being a public outcry are very substantial. They lost the Crypto Wars back in the 90s. They are not off to a good start in Crypto Wars II.
So could they compel us to sabotage our product and cheat our customers? Not without a very high risk of that becoming public. Would they try it? I still don't think so.
If you use the cloud sync option (storing the 1Password file on Dropbox so you can use it on different devices), it's more risky, since that data can be easily obtained by the US government.
Like 1Password, LastPass also doesn't have your encryption key, but it might be more risky because the (encrypted) data travels back and forth between your computer and LastPass's servers.
And there's that whole thing about the NSA circumventing or cracking encryption. From Pro Publica:
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
For those concerned, the safest password manager (whether we're talking about the government or hackers) is one that stores your encrypted data locally, bypassing the cloud. KeePass, for example. However, this comes with a convenience cost when you want to keep your data in sync across devices.