
iCloud Keychain. Is it secure?

Discussion in 'Fred's House of Pancakes' started by daniel, Oct 9, 2013.

  1. daniel

    daniel Cat Lovers Against the Bomb

    Joined:
    Feb 25, 2004
    14,487
    1,518
    0
    Location:
    Spokane, WA
    Vehicle:
    2004 Prius
    I was reading about OS X Mavericks, due out soon, and one of the features touted is iCloud Keychain, for managing your log-ins and passwords. It uses 256-bit encryption and claims to be secure. It will also generate random sequences for passwords, if you want it to, which presumably are "better" because a random sequence cannot be guessed by someone who knows your sister's birthday, or whatever too many people use. You can have a unique password for every site, without the need to remember random sequences.

    They say it's safe.

    In another news item, the fellow who owns the email service that was used by whistleblower Snowden has closed down the service rather than give the government the encryption keys to his service, which they were demanding. Apparently, his system encrypts email, so even though the government could listen in, without the keys they would have only gibberish. With the keys, the government could read EVERYBODY's email, and could ALSO impersonate any subscriber to the service.

    Putting these two news items together, my question is this: With iCloud Keychain, would the security of a user's passwords depend on the security of the cloud server holding the passwords? If the government were to subpoena the encryption keys, or if a hacker were to hack into the server and steal the encryption keys, would they have access to your passwords? Or does the encryption depend on your own computer so that even total access to the cloud server would not give access to your passwords?

    And a separate issue: What if someone had access to your computer, or hacked into it? Would they then have access to all the passwords in your iCloud Keychain? Of course, if someone hacked your computer, they could probably install a keystroke logger and steal your passwords, so maybe this is a moot point.

    I don't use any programs to remember my passwords. I have passwords that I feel are complex enough that nobody is going to guess them and I type them in by hand every time. They are not stored anywhere other than whatever sites do so they can recognize me.

    Bottom line: Would I be more secure with much more complex passwords, stored in the iCloud Keychain, or with passwords that are complex but less so, which are stored only in my head?
     
  2. JMD

    JMD 2012 Prius 4 Solar Roof

    Joined:
    Oct 11, 2012
    3,779
    1,282
    0
    Vehicle:
    2012 Prius
    Model:
    Four
    This is my opinion. Just as a programmer can create encryption, a programmer can learn to hack it. Cyber crime is on the rise and it comes from organized criminals, governments, corporate espionage, etc.

    With the advent of the Internet and open ports, botnets come in through open ports, scan your computer for data, call home and transfer data.

    I tend to keep any important financial data off my computer because, being an IT guy, I know bad things can happen.

    If you're using tools from large companies you are better off than with no tools, but nothing is ironclad secure. If they want you they will get your data.

    The Americans and Israelis have taken security to a different level. If you ever talk to a military guy, the VPN secure networks the military uses during wartime and peace are very secure, but evidently they will never reach the commercial market.

    I once participated in a data analysis for a corporate network and showed that a Fortune 100 IP address was communicating with another computer in an ITAR country. The CIO researched the internal IP address and it was the CEO. Evidently his computer was hacked but the Cisco firewall prevented the data from leaving the corporate network. They reimaged his computer.

    The research showed his PC was compromised for many weeks and he never knew as this foreign government tried to steal data and escape the network from an open port.

    Encryption is good but a great firewall and a signature-based antivirus like Symantec can help the basic home user.
     
  3. JMD

    I read that iCloud Keychain is being pulled from the iPhone iPad OS7 as it is not ready for prime time. May be different on the PC but don't know for sure.
     
  4. daniel

    When you say you keep important financial data off your computer, does that mean you do not use the computer for banking? Or just that you don't use programs that know your banking information?

    I was really wondering whether a system like iCloud Keychain (or other cloud-based or computer-based password-remembering systems) is more or less secure than just remembering your passwords. In the one case, you can have much more complex passwords, while in the other case your passwords are less complex but exist only in your own mind.

    P.S. It might be all a moot point for me, because it would depend on getting a new computer. But when Mavericks comes out I might have a look at the latest Macs and consider it.
     
  5. zhenya

    zhenya Active Member

    Joined:
    Sep 6, 2013
    649
    209
    0
    Location:
    Ithaca, NY
    Vehicle:
    2013 Prius Plug-in
    Model:
    Plug-in Base

    The short answer is that we can have an assumption that it will be reasonably secure. The long answer is a bit more complex than that.

    I am no cryptographic expert, but this is how I understand it.

    Lavabit shut down not because he had cryptographic keys that could directly decrypt the users' email. In fact one of the cornerstones of Lavabit's and most other security is that there are no such keys that can decrypt the data without the user password that acts as the master key to the data. Store your data in the cloud encrypted and forget the password? The provider can't help you - that data is permanently locked up tight.

    Lavabit was shut down because the owner was worried that he could be forced, under court order, to modify the source code in a way that could capture the plain-text password as the user entered it (in other words, a key logger) or to give up the keys to the SSL connection that secured the transmission of that password between the user's computer and the Lavabit servers, and the NSA could spy on that communication and capture the password during transit. So theoretically such a thing could happen with Apple or any other cloud provider as well, but it is unlikely for an average user.

    There are plenty of programs that manage passwords though that are safe. I use Password Safe which is open-source and the user chooses where to store the vault. I happen to store mine on Dropbox, which allows me to synchronize my vault between devices, but you don't have to. If it is stored locally on your computer, the master password is never transmitted anywhere, and short of your local computer being compromised, in which case all bets are off on security, nobody can get access to your vault.

    I feel like I had reasonably good password security before, and probably had somewhere on the order of a dozen reasonably complex passwords memorized. The reality was though that even a dozen passwords doesn't get me far today - I probably need passwords for 50-100 different places. As a result I had lots of duplicates. I spent a lot of time trying to remember which password I'd used for which site - especially the less common ones, and it meant a lot of wasted time and less security.

    Password Safe allows me to remember one extremely complex password, that I can deal with changing on a somewhat regular basis, and allows me to have unique complex passwords for every place I need one. I open the safe, see my username, double click which temporarily copies the password into the clipboard, and paste it into the field I need it in. It is a godsend.
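
Editor's added example, not part of any poster's message and not Password Safe's or Apple's code: a sketch of the design described in the post above, where the key is derived from the master password on the user's machine and the sync service only ever holds an opaque blob. The function names and the work factor are assumptions, and because AES is not in the Python standard library the cipher is a stand-in built from HMAC-SHA256; a real vault uses a vetted authenticated cipher.

```python
import hashlib
import hmac
import json
import secrets

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example


def _derive_keys(master_password, salt):
    """Stretch the master password locally into an encryption key and a MAC key."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)
    enc_key = hmac.new(root, b"vault-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"vault-authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 over nonce || counter, 32 bytes per block."""
    blocks = []
    for counter in range((length + 31) // 32):
        data = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(enc_key, data, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_vault(master_password, entries):
    """Runs on the user's machine. The returned blob is all a sync service stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    # Encrypt-then-MAC: the tag covers everything that is uploaded.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password, blob):
    """Also runs locally. A wrong password or a modified blob fails the tag check."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong master password or modified vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, stream)))


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    master = "long master passphrase kept only in my head"
    blob = seal_vault(master, {"bank.example": "k3Yx-constructed-sample"})
    print("what the cloud stores:", blob)
    print("opened locally:", open_vault(master, blob))
```

The salt and nonce are stored in the clear on purpose: they are not secret, and without the master password the stored blob still cannot be opened, which is also why a forgotten master password cannot be recovered by the provider.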
     
  6. daniel

    ^ Thanks for that information. The owner of Lavabit, in the interview, mentioned SSL keys. So the government was after those keys so they could tap the lines and decrypt the passwords. That makes sense, because he mentioned it would give the government the ability, not only to read all the emails, but to impersonate the user.

    Presumably more mainstream providers have already given the government this information.

    This also means that no matter whether you remember your passwords or use Password Safe or iCloud Keychain, someone who had those SSL keys and the ability to tap the communication, could get your passwords.

    So the only threats you can defend yourself from are hackers who do not have those SSL keys, and who need to trick you into giving up your passwords, or hack your computer to log your keystrokes. Or guess your passwords, which I gather is easier than it should be for many folks, whose passwords are their dog's name. I knew someone who did that. She was smart enough to know it was not secure, but she didn't care. Hopefully, she was more careful with banking sites.

    The owner of Lavabit said in the interview he'd have gladly given the government the ability to hack Snowden's account, but they were demanding all the keys, which would have allowed them to hack all his users' accounts. He was asked if he had considered taking his business overseas, and he said that he's not given up on the US and does not want to leave the country, but that he'd probably give the business to someone overseas to operate it, and do something different himself.
     
  7. zhenya

    The distinction, which I think you understand, but I'm just making sure, is that if someone is able to 'tap' the line via access to the SSL key, then yes, they can capture that info that you are currently transmitting. If that's the key to your iCloud Keychain, then yes, you'd be entirely compromised. With PW Safe the master password is never transmitted, even if you store the encrypted vault in the cloud. When you go to use the contents of that vault, that specific data may be transmitted, but that's just part of using the modern Internet.
     
  8. daniel

    Yes, I understand. But if someone has the SSL key you are using to send your password to the web site, and the ability to intercept the transmission, then they can decode the password as you are sending it. They do not have access to your computer or your Password Safe, but they now have your password for that one web site, and they can log on as you.

    My understanding, which may not be correct, but I think it is:

    You want to log onto your account at State Bank of East Dakota (SBED). You go to the web site and get a log-in page. SBED generates a very big number which is the product of two prime numbers. SBED knows the two primes, and only sends you the product of them. You type your password into the web page, or you paste it in from your PWSafe, doesn't matter. Your computer uses the Big Number to encrypt the password, and sends the encrypted password back to SBED. It is not possible within any normal time span, using the most powerful computers available today, to decrypt the password from the Big Number. You need the two primes that made it. And it is not possible to factor the Big Number in a reasonable time frame with computers available today. If you have the two primes you can decrypt it easily. SBED has those primes because it created the Big Number in the first place, so it decrypts the password, and having verified that it's really you, allows you to do your banking. Presumably there's another level of encryption and the passwords are stored encrypted so the night janitor at SBED cannot peek at the list and steal everyone's money.

    But now the government decides it wants access to your account, or the Russian Mafia wants your money. They obtain the SSL keys (using a subpoena or by threatening the bank manager's family) and then they intercept the encrypted transmission, use the previously-obtained SSL key (the two prime numbers, I suppose) to decrypt it, and later, after you've logged off, they log into your account.

    Nobody's going to come after me. I'm not rich enough to justify the bother for theft, and I'm of no political significance, to be of interest to the government. But when they go after political dissidents they deprive us all of the freedom to hear the full range of political ideas, and when they go after whistle-blowers they deprive us all of the ability to learn of the dirty dealings of the politicians we elected. In the name of "national security," politicians protect themselves from scrutiny for their own crimes.

    I think my original question was answered: It really doesn't matter how I store my passwords. But the bigger issue remains, of politicians, in the name of government, using these tactics to get at the people who would expose them as crooks. Of course, politicians have always used whatever means they had available to get at their political opponents, and always in the name of national interest.
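
Editor's added example, not part of any poster's message: the "Big Number" model from the post above, written out as textbook RSA so the role of the two primes is visible. The primes, the sample password and all function names are assumptions chosen for illustration; the primes are far too small for real use and no padding is applied.

```python
# Two well-known Mersenne primes stand in for the bank's secret primes.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # public exponent


def make_keys(p, q, e=E):
    """Return (public, private). Only the product n is published, never p or q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # computing d needs phi, which needs the two primes
    return (n, e), (n, d)


def encrypt(public_key, message):
    """What the browser does in this model: encrypt with the public Big Number."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """What the holder of the primes can do, whenever the ciphertext was captured."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def decrypt_recorded(p, q, recorded_ciphertext):
    """Anyone who later obtains p and q can rebuild the private key and read old captures."""
    _, private_key = make_keys(p, q)
    return decrypt(private_key, recorded_ciphertext)


if __name__ == "__main__":
    public, private = make_keys(P, Q)
    recorded = encrypt(public, b"sample-pass-123")  # constructed sample value
    print("on the wire:", recorded)
    print("bank decrypts:", decrypt(private, recorded))
    print("key obtained later:", decrypt_recorded(P, Q, recorded))
```

Real TLS encrypts a session key rather than the password itself, and key exchanges with forward secrecy (ephemeral Diffie-Hellman) mean a server key obtained later does not decrypt sessions that were recorded earlier.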
     
  9. JMD

    Remember your passwords in your brain. Have a paper copy locked in a safe in your home.

    I use B of A online banking for many years, never a problem, and they are insured against theft.

    I like to use Quicken and pull data from banks and brokerage accounts but I type in passwords when I update. I don't store my account info in the cloud with Quicken.
     
  10. daniel

    Sorry, I cannot grasp the grammar of that. Typo?
     
  11. zhenya

    Yep, I think you've got it, Daniel.

    Well-designed sites won't store the user passwords in any way on their servers. The only way for someone to get it outside of your computer is to get those SSL keys and eavesdrop. This generally requires cooperation from the website though. If it didn't, Snowden's Lavabit email would have been compromised. This tells us that the NSA has likely not yet broken SSL encryption.

    It's not practical for the vast majority of people to remember the number of passwords we need these days, especially with any level of complexity. Digital vaults like above will typically give most users an overall better level of security than trying to remember a few different passwords - and this way the key is never recorded anywhere but in your brain.
     
  12. daniel

    Then how do they know if the password you entered is valid?
     
  13. JMD

    I have Symantec for virus protection and they offer password vaults. I'm suspicious of these services.
     
  14. daniel

    I had Symantec. When the Symantec anti-virus suite started using more of my computer's resources than my applications, and accessing my hard drive more or less non-stop, that was when I decided it was time to switch away from Windows. I tried Linux, but Linux was not yet ready for a non-tech user, so I switched to Mac.

    I have considered using a password program, but it occurred to me that if that program were to malfunction, I'd be unable to access any of my accounts. I'm going to keep doing it the way I do now. I'm confident that nobody's going to guess my passwords, and I don't have that many sites that need secure passwords. For sites like this, nobody's likely to spend much effort trying, because there's no payoff in hacking my Prius Chat account. And having to copy and paste passwords every time I log into my bank is a lot more work than typing a password that I remember. My passwords are less secure than a 25-character random string, but nobody is going to guess them because I have not tied them to anything personal.

    Bottom line, it's like the locks on your house. No lock will keep out a sufficiently determined burglar. The door lock only has to be good enough that it would be easier to smash their way in. Passwords only have to be good enough that it would be easier for them to hack their way in without it. Nobody will guess my passwords, so anybody that wants into my accounts would have to do it some other way. I'm not the weak spot, and I have no control over any other part of the system.

    Oh, and all those movies where they attach a gadget that runs a million passwords a second until it hits the right one? Web sites that need serious security only allow three wrong tries before they lock you out. It ghasts my flabber that people accept those movies where the genius hacker can get into any system by guessing the password. I think real hacking is mostly exploiting flaws in an operating system, or social engineering, getting people to agree to install a malicious program or to reveal their password. It doesn't matter how good your password is if you're going to type it into a spoofed web site that you opened from a link in a spam email, or if they've used a zero-day exploit to plant a spy program on your computer.
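
Editor's added example, not part of any poster's message: one common way a site can check a password it does not keep (the question asked earlier in the thread), combined with the three-wrong-tries lockout mentioned in the post above. The class, function names and work factor are assumptions for illustration, not any particular site's code.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example


def enroll(password):
    """Store a per-user random salt and a slow one-way digest, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"rounds": PBKDF2_ROUNDS, "salt": salt.hex(), "digest": digest.hex()}


def verify(password_attempt, record):
    """Redo the same computation on the attempt and compare digests in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password_attempt.encode(),
        bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


class AccountStore:
    """Hypothetical server-side table: username -> record, plus a failure counter."""

    MAX_FAILURES = 3

    def __init__(self):
        self._records = {}
        self._failures = {}

    def register(self, username, password):
        self._records[username] = enroll(password)
        self._failures[username] = 0

    def stored_record(self, username):
        """What a database thief or a support employee would actually see."""
        return dict(self._records[username])

    def login(self, username, password_attempt):
        record = self._records.get(username)
        if record is None:
            return "denied"
        if self._failures[username] >= self.MAX_FAILURES:
            return "locked"  # even the right password is refused until a reset
        if verify(password_attempt, record):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("daniel", "constructed sample passphrase")
    print(store.stored_record("daniel"))  # salt and digest only
    for guess in ["fluffy", "fluffy1", "fluffy2", "constructed sample passphrase"]:
        print(guess, "->", store.login("daniel", guess))
```

Because only the salt and digest are stored, the site can reset a password but cannot send the old one back, and two users who pick the same password still get different records.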
     
  15. Mendel Leisk

    Mendel Leisk Senior Member

    Joined:
    Oct 17, 2010
    56,168
    38,992
    80
    Location:
    Greater Vancouver, British Columbia, Canada
    Vehicle:
    2010 Prius
    Model:
    Touring
    When Adobe was recently hacked they apparently had users' passwords stored on the site. I'm a customer of theirs, and an email I got from them post-hack was in part to reset my password.

    Some years back I recall asking (via email) a question at one web site, something regarding my user profile. In their response was included my username and password...
     
  16. JMD

    I would imagine that biometric passwords that the new iPhone provides will start to be common.
     
  17. JMD

    Part of the problem with the Internet is DNS hijacking.
     
  18. daniel

    I'm not sure I entirely trust those either. All it would take is a bug in the program, or an injury to your finger, and you'd be locked out. Say, you burn your finger on the stove and have to wear a bandage. Bye-bye to all your web accounts. I'd be more inclined to trust a dongle, though they'd have to install a suitable plug in all mobile devices for it.

    Then there's this: No matter what the security measure, it's transmitted digitally from your device to the web site. All the hacker has to do is intercept the transmitted signal, and perhaps decode it. Since they'll never guess a reasonably complex password, what have you really gained with a hardware or biometric passkey? The solution for the hacker is the same: Intercept and decode, or slip in a backdoor.

    The biometric passkey relieves the user of the need to remember a password, but it leaves you with a single passkey for every site. Once the hacker intercepts and decodes that, he has access to all your accounts. With the old (present) way, at least he has to intercept and decode a separate password for every site.

    I think they'd accomplish more if they made the internet more secure. Make it impossible to spoof the From line, so you'd know that email was not from your bank. Make the DNS impossible to hijack. (I have only a vague idea what the DNS is: When you type a site name into the URL line, the browser looks up an IP address, so a hacker who hacks the DNS server can substitute the IP address of a spoofed web site, to grab your password as you type it in? In that case, it does not matter how secure your password is.)

    One pet peeve of mine is sites that force you to change your password regularly. I do not believe that accomplishes anything except to make it harder to remember your password, so that you have to write it down. Similarly for sites that require you to include two caps, two lc, two numerals, and two punctuation marks in your password. Then it's IMPOSSIBLE to remember and you HAVE to write it down. I have moved my money out of a bank when they made their password rules too onerous.
     
  19. zhenya

    Sorry, I misspoke. I meant stored in plaintext or in any form that they can help retrieve it other than re-setting it.

    Apple's biometric password, like every other consumer one I'm aware of, is only a convenient alternative to entering a password. You always have the option of entering the password as an alternative. As of this point, Apple's is only good for getting into the phone, and for limited purchases through the App Store. It's really just about making having a pass code with immediate lock on your phone more convenient, and for that, it's fantastic. If it is extended to other methods, it will likely be only to decrypt a local safe on the device, which would then send the appropriate credentials for that site. The fingerprint data would not be transmitted.

    Rules for password complexity and frequency of changing them are superb ways of greatly increasing the effectiveness of password security. They are onerous for the user, but do make a big difference. I've certainly been frustrated by the same rules, but they make a big difference. Password managers will typically let you customize the rules for password generation to each site's specific policy. Like you, I used to keep the same passwords memorized for a long time. It has been a big relief not having to worry about them anymore.

    Man-in-the-middle attacks will always be difficult to protect against. That's why the security of SSL is so essential. You are right about the basic problems of the Internet for security, and many folks have been banging that drum for years. Unfortunately it's such a big job to change it, and would be so massively disruptive that we are unlikely to see any fundamental changes for a long time yet.
     
  20. daniel

    ^ Thanks for that info.

    But how does it improve security to make me change a password that nobody has guessed yet? I can memorize a relatively difficult password if I don't have to learn a new one every month or two. When they require frequent changes (to a password that has NOT been breached) they force me to use simpler passwords so I'll be able to memorize them more often.