I just saw a video of a portion of one of Kim Komando's radio shows where a caller was asking about password managers. Kim said she personally didn't use any password managers because of her fears that the password database would be open to cracking by hackers because the database was stored "in the cloud". I was under the impression that Keepass's database was stored on the user's computer and nowhere else. Have I misinterpreted what she said or have I misunderstood how Keepass works?
It is true that many commercial password managers use cloud based backup, and Kim is right (IMO) to advise against using them (the ones with non-optional cloud backup, that is), but KeePass never sends your data anywhere except into your local file - and anyone with programming knowledge can verify this by examining the source code. This is the advantage of open source.
In my personal experience, all my data breaches have come from trusting data to third parties like this. Clouds (again, IMO) should only be used to store data that absolutely needs to be accessible from multiple locations. Would you trust your valuables to a company that says "We'll keep 'em safe in our vault, but you don't get to see the vault or how secure it is"?
Last edit: T. Bug Reporter 2017-05-13
KeePass stores the database where you tell it - this may be in the cloud - where it is secure because you have used a strong password and set the time for password iterations to 1 second, File > Database Settings > Advanced.
I think Kim is wrong to advise against password manager use as that results in less secure password use.
cheers, Paul
I agree with you there; instead of a blanket condemnation of password managers, she should have made a distinction.
The important question to ask is, "if not a password manager, then what?" The answers will probably involve easy patterns, shared passwords, trivial substitutions, etc., which are a FAR worse threat to your accounts than any password manager that uses modern encryption on the local machine. Most, if not all, popular password managers do this. Unless Kim is suggesting that everyone memorize 80+ individual, unique passwords with sufficient entropy to survive a dictionary-based attack on a stolen hash...
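Paul's point about timing the key-derivation rounds to 1 second, and the post above about needing enough entropy to survive an offline attack on a stolen database, are two halves of the same calculation. The script below is an added example written for this thread; it is not KeePass code and not posted by anyone in the discussion. Assumptions: KeePass's own key derivation functions are AES-KDF and Argon2, but the standard-library PBKDF2-HMAC-SHA256 is used here as a stand-in so the script runs offline with no extra packages; the attacker-speedup figure and the sample password shapes are illustrative constants, not measurements.

```python
"""Added example (not KeePass code): how stretching the master password
lets an encrypted database survive on untrusted storage, and how much
password entropy is needed on top of that stretching.

Stand-in: PBKDF2-HMAC-SHA256 from hashlib instead of KeePass's AES-KDF or
Argon2. Attacker figures below are assumed, illustrative numbers."""
import hashlib
import math
import time


def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch the master password into a 32-byte key.

    Cost is linear in `rounds`, which is exactly what the attacker must pay
    per guess against a stolen copy of the database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)


def calibrate_rounds(target_seconds: float, salt: bytes = b"\x00" * 32) -> int:
    """Mimic the 'set to 1 second' button: measure this machine and pick a
    round count so one derivation takes roughly target_seconds."""
    probe_rounds = 10_000
    start = time.perf_counter()
    derive_key("calibration-probe", salt, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_rounds * target_seconds / elapsed))


def attacker_guesses_per_second(defender_unlock_seconds: float, attacker_speedup: float) -> float:
    """An attacker `attacker_speedup` times faster than the defender's PC
    (GPU rigs, many cores) still pays the stretching cost on every guess."""
    return attacker_speedup / defender_unlock_seconds


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password of the given entropy: on average the
    attacker searches half the keyspace."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string drawn from `charset_size` symbols."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    rounds = calibrate_rounds(1.0)
    print(f"rounds for ~1 s on this machine: {rounds}")

    # Assumed: attacker hardware 1000x faster per guess than this machine.
    gps = attacker_guesses_per_second(1.0, 1000.0)
    samples = {
        "4-digit PIN": entropy_bits(10, 4),
        "8 lowercase letters": entropy_bits(26, 8),
        "12 random printable ASCII": entropy_bits(95, 12),
        "6 Diceware words (7776-word list)": entropy_bits(7776, 6),
    }
    for label, bits in samples.items():
        years = expected_crack_seconds(bits, gps) / (365.25 * 24 * 3600)
        print(f"{label:36s} {bits:6.1f} bits  ~{years:.3g} years")
```

The takeaway for a database that is copied to a cloud share: the stretching turns every attacker guess into a second of work on your hardware, so the round count buys you a fixed factor, while the password's entropy buys you an exponential one; a four-digit PIN is gone in minutes no matter how many rounds you set, and a random 12-character or six-word master password is out of reach even with a large hardware advantage.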
She should know better. Just heard some guy on the PC Radio show (been around for 30 years) talking about password managers and didn't mention Keepass at all.
I think you guys don't hype your product enough ;-)
Last edit: Jim Davis 2017-05-16
We don't hype it at all, we let it do the talking. :)
cheers, Paul