Can online password managers be used for storing and managing passwords? I mean from the security point of view. I understand that those systems can be different and some deserve more trust than others, but what I mean is the whole idea of a public service for storing personal passwords. Is it viable in its essence?

About a year ago I signed up for one such service (Passpack). It seems reliable and professional, but I am still afraid to start really using it and upload my numerous passwords there. And it's not because I'm not willing to upgrade to a paid account; I'm just very careful and doubtful. Am I wrong?


6 Answers


If you're asking in theory, can such a system be built securely?
My answer would be yes, absolutely, but it's not trivial work - and most likely would be done wrong (depending on who designed and built it).

If you're asking about existing services, while I'm not familiar with the one you mentioned, in general I don't know of any good, reliable, secure systems for this.

If you're asking, how can I tell if a specific system is secure and reliable?, well, ya can't.
Unless you (or an expert you trust, and is proficient enough in the given technology) performed an in-depth code review, penetration test, and other security reviews. And periodic deployment and server examinations. And so forth...

And no, getting a 3rd party certification such as HackerSafe (not even PCI:DSS) is not good enough, not for you to entrust the keys to your most sensitive data. (Unless it's a service you know well enough to trust).


I would recommend switching to KeePass, or KeePassX for Linux, and putting all your passwords in the one encrypted KeePass database (locked with a password or a key file), and then putting the database file into the cloud, like S3 from Amazon Web Services or Dropbox. By doing this, you have a portable database file which can be downloaded to any computer from the cloud and opened only by the KeePass software with your decryption key/password.

Eric Warriner
  • 1
    I always wondered how is this different than other synced password managers? The attack vector seems to be application/plugin security, and I do not see Keepass as higher quality than other proprietary (but open source) solutions - they have money at stake, so I would guess they invest more manpower. That said, Keepass is a very good free solution (provided you arrange the sync by yourself). – Petar Donchev May 03 '17 at 07:16

In my opinion using a service like passpack could add another "weak ring" to your chain.

Your passwords are as safe as you are paranoid about them (think about all the password best practices); using a service like passpack makes your passwords also as safe as the whole passpack service itself (are their servers secure? the front-end? and so on...).

You should evaluate which one of these security sides you consider safer and which one you trust more. Are your password policies safer and more trustworthy than the security of a random password manager app? If yes, then this service may not be for you.


I've been using lastpass.com for quite a long time. Passwords are encrypted with 256-bit AES with the master password as the key. The decryption process starts in your browser. Although passwords are encrypted, getting a password from the server is over SSL, which makes for double encryption. They have 2 data centers, and one backup server which is encrypted one more time. If you are scared of keyloggers (you should be on public computers), there is an in-site virtual keyboard for logging in with the master password. One-time passwords are also an option.

Also, there is account sharing with other users without giving them your password. Check it.

I'm not working for lastpass.com, just satisfied :).

    The lastpass servers never get your password, they get the data encrypted with a password only you know. I pulled it apart here: http://blog.tinisles.com/2010/01/should-you-trust-lastpass-com/ – russau Nov 18 '10 at 22:14
  • 2
    It seems like people always brag about these products. Honestly the on-screen keyboard thing is a joke. Any half decent malware will still pick up the password on submission or with GetWindowText(). Also the ability to share a password without revealing it is cryptographically impossible. Most of the time this is a software restriction that can be exploited (has already been done to both RoboForm and LastPass). This isn't to say I am against password managers (I use 1Password), I am just against advertising them by bragging about their most useless features. – Chris Frazier Apr 24 '12 at 16:13
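The client-side model this answer and its first comment describe (the same idea behind keeping an encrypted KeePass file in cloud storage), as an added example that is not part of the thread and is not LastPass or KeePass code. The function names, the PBKDF2 work factor, the GCM mode and the sample entry are assumptions made for illustration.

```javascript
// Added illustration: hypothetical helper names, not LastPass or KeePass code.
const nodeCrypto = require('crypto');

const KDF_ITERATIONS = 200000; // assumed work factor for this sketch

// Stretch the master password into a 256-bit AES key; runs only on the client.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Encrypt the vault locally. The returned record is all a server would store.
function sealVault(masterPassword, entries) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'),
    cipher.final(),
  ]);
  const record = { salt, iv, tag: cipher.getAuthTag(), ciphertext };
  // Base64-encode every field so the record can be sent as JSON.
  return Object.fromEntries(
    Object.entries(record).map(([k, v]) => [k, v.toString('base64')])
  );
}

// Decrypt on the client. A wrong password or a modified record fails the
// GCM tag check, and null is returned instead of garbage plaintext.
function openVault(masterPassword, record) {
  const [salt, iv, tag, ciphertext] = ['salt', 'iv', 'tag', 'ciphertext']
    .map((k) => Buffer.from(record[k], 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  decipher.setAuthTag(tag);
  try {
    const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample data, for demonstration only.
const stored = sealVault('correct horse battery staple', [
  { site: 'example.com', user: 'alice', password: 'constructed-sample-pw' },
]);
console.log(Object.keys(stored)); // fields the server holds
console.log(openVault('wrong guess', stored));
```

In this model the strength of the stored record rests on the master password and the key-derivation cost, since anyone who obtains the record can attempt guesses offline.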

Some points to be considered.

What are the alternatives? IMHO using an online password manager is less risky than the following:

  • using the same password for all your accounts
  • using a static spreadsheet that is not encrypted for storing your passwords

Collaboration. Must you share passwords?

  • Online password managers are designed to facilitate password sharing; if you're sharing passwords you must be able to easily update passwords whilst ensuring that everyone sees the latest version immediately.

On the other hand, KeePass is a good solution, the problem being that you're taking on more responsibility for backups etc., whilst even though it's open source there is no guarantee that there are no vulnerabilities in the code.

Mark McDonagh

I would not consider storing my password online. At least I can't trust them that much.

If you are interested, RoboForm for Windows (used it quite a while back) is good, and its newer feature comes with online sync also. KeePassX for Linux is a good tool too.

Novice User