Enpass Discussion Forum

Thoughts on master password in conjunction with icloud vault


david rinnan


Due to my work, my computer and other iCloud devices are encrypted, always require login, and are automatically logged out on screen saver, etc.

I was previously using 1Password when you bought a lifetime license and were able to use iCloud for your vault. At that time I had a very simple PIN to unlock. Then they changed to using their own web-based storage outside of my control, which resulted in needing a fairly strong master password.

Due to this, and many other reasons, such as having to pay lots of money for something you have already bought... I did research and found Enpass, which is great.

They offer the ability to put my vault at iCloud. From a security standpoint this means that I only have to trust one vendor, Apple iCloud. In order for someone to get access to my passwords they would have to breach Apple iCloud, or my account there, which has 2FA, etc.

 

So I guess this is my question... given that I feel that my computer is secure and does not exist in an environment where people could grab my computer in the timeframe before the screen saver kicks in, I wonder if there is actually a need for a complicated master password?

I need some help with my thinking here, but these are my thoughts on the matter.

1. The master password is only relevant if someone actually has access to my vault.

2. The only way to get hold of my vault is to get access to my iCloud account.

3. Let's assume it would be totally impossible to breach my iCloud account, which of course it isn't... in that case I wouldn't even need a master password for my vault?

 

Currently I have the configuration where I am asked for my master password if Enpass is restarted (update or computer restart); otherwise I use a simple PIN code.

But I have been considering changing the master password to the same as the PIN, if possible, if it allows such a simple password, due to the above considerations.

I.e., are we entirely sure that Enpass does not back up/store my vault anywhere else but my local devices (for use) and iCloud (main database)?

 

thanks 


Hi @david rinnan

The master password holds a paramount significance within a password management application. This singular password acts as a bulwark against unauthorized access, ensuring that all other passwords and confidential data remain safely encrypted and impervious to cyber threats. Given its critical role, selecting a robust and unique master password becomes a pivotal step in fortifying the integrity of the entire password management ecosystem, thereby reinforcing a user's resilience against the ever-evolving landscape of online vulnerabilities. Hence, it is important to create a strong but memorable master password that you do not store anywhere it could be discovered.

Moreover, when you synchronize via any cloud service, an encrypted copy of your vault data is stored on the cloud. Your cloud always contains a copy of the same encrypted data as on your device. A copy of your encrypted data is downloaded to your device, where it gets decrypted (locally) for the real sync operation to merge changes. Afterwards, it gets encrypted again and uploaded back to the cloud. In a nutshell, your cloud works only as a storage medium, and no cryptographic operation (encryption or decryption) is performed there. All such operations are performed locally on your device, and your data never leaves your device in unencrypted form. So if somehow an attacker gains access to your iCloud account/Enpass data file, he will find it protected with your master password, thus making it useless to him.


Apple's systems are not secure, especially not with a simple PIN. In order to securely encrypt data, you need a secure algorithm and a long and complex key. Apple circumvents this by using hardware security devices, which of course can AND will be broken some day. If someone finds a way to get inside Apple's systems, no matter if a criminal, law enforcement or an intelligence agency, your PIN and 2FA won't save you. Don't be one of those guys using "password" for a password, and don't fall for the misapprehension that complex passwords can't be remembered. Generate yourself a totally random password, write it on a piece of paper and type it in several times a day, and I promise you will remember it in no time, at which point you can discard the piece of paper.

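The two replies above make the same point from different angles: the cloud copy of the vault is ciphertext, so whoever obtains it (via iCloud or any other storage) must attack the master password offline, and a PIN does not survive that. The following toy model, added here as an illustration and not Enpass's actual file format or code, shows both halves: a synced vault blob that carries no plaintext, and an offline brute force of a 4-digit PIN against that blob. It uses PBKDF2-HMAC-SHA256 with an assumed work factor of 100,000 iterations, and an HMAC-SHA256 counter-mode keystream plus an HMAC tag as a standard-library stand-in for AES-GCM; the password stretching and the guess-space arithmetic are the point, not the cipher. All names, vault contents and parameters are constructed for the example.

```python
"""Toy model of a cloud-synced password vault. The cloud only ever holds
ciphertext, so an attacker with the synced file attacks the master password
offline. Constructed example; not Enpass's format or code."""
import hashlib
import hmac
import json
import math
import secrets
import string

KDF_ITERATIONS = 100_000  # assumed work factor; real products choose their own KDF/settings


def derive_key(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real stream/AEAD cipher."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, vault: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Build the blob that would be uploaded to cloud storage: salt, nonce,
    KDF parameters, ciphertext and authentication tag. No plaintext, no key."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_key(master_password, salt, iterations)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()  # domain-separated subkeys
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"iterations": iterations, "salt": salt.hex(), "nonce": nonce.hex(),
            "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict):
    """Local-only decryption, as a sync client would do; None if the password is wrong."""
    salt, nonce, ct = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct"))
    key = derive_key(master_password, salt, blob["iterations"])
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None  # wrong password or tampered blob
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt.decode("utf-8"))


def brute_force_pin(blob: dict, digits: int = 4):
    """What an attacker holding only the cloud copy can do when the master
    password is a numeric PIN: try every candidate offline. No lockout, no 2FA."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if decrypt_vault(pin, blob) is not None:
            return pin
    return None


def generate_master_password(length: int = 20,
                             alphabet: str = string.ascii_letters + string.digits) -> str:
    """Uniformly random password from the OS CSPRNG, as the last reply suggests."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker at a KDF-bound guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    vault = {"example.com": {"user": "david", "password": "hunter2"}}  # constructed sample
    blob = encrypt_vault("0042", vault)  # 4-digit PIN used as the master password
    print("cloud copy contains plaintext?", b"hunter2" in bytes.fromhex(blob["ct"]))
    print("PIN recovered offline:", brute_force_pin(blob))
    print("4-digit PIN:", round(guess_space_bits(4, 10), 1), "bits;",
          "20-char random:", round(guess_space_bits(20, 62), 1), "bits")
    print("years to exhaust 20-char at 1e6 guesses/s:",
          f"{years_to_exhaust(guess_space_bits(20, 62), 1e6):.2e}")
    print("example strong password:", generate_master_password())
```

Two things to note when running it. The blob never contains the vault contents, which is the property the Enpass reply describes: the cloud is only storage. But the brute force recovers a 4-digit PIN after at most 10,000 KDF evaluations, which a single CPU does in minutes even at 100,000 PBKDF2 iterations, and the attacker needs neither the device nor the 2FA-protected account once the file has leaked. The KDF work factor sets the cost per guess; only the master password's entropy sets the number of guesses, which is why the replies insist on a strong, random one.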