This means that whenever SpiderOak is ordered by the authorities to hand over the keys (or the password), it can (and must).
#Spideroak storage password
If the SpiderOak servers are ever hacked, this brute-forcing can be done by outsiders.Įven worse is that in certain cases the cleartext password is sent to SpiderOak to decrypt the encryption keys on their servers.
This is even the case if you never access your data using browser or a mobile app. If the password-encrypted keys are stored on the server, they can be brute-forced there (one can only hope that the encryption of the keys with a password is such that it is not trivial to see whether a guess of the password is correct because the use to decrypt returns a meaningful result). First of all people pick horrible passwords that are easy to guess. Using this method of encrypting keys with a password leaves several security problems. The keys are themselves encrypted with your password and stored (along with your backup data) on SpiderOak servers in their encrypted form.
#Spideroak storage software
When you first run the SpiderOak software on a computer, a series of strong encryption keys are generated. This means you alone have responsibility for remembering your password or 'Password Hint' (which you can create to help you remember.) If the password is forgotten, there's nothing anyone can do to make the encrypted data readable to you again. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. It turns out that SpiderOak security works as follows. These were not hard to find (and in all honesty it is laudable that SpiderOak provides this information prominently on its website in simple language). But this is even worse because apparently SpiderOak can provide the content of a file solely based on your password.…
I explained earlier that for web-based sharing with others, many secure cloud services effectively provide a backdoor. To fully retain our 'zero-knowledge' privacy, we recommend you always access your data via the SpiderOak desktop application which downloads your data before decrypting it locally. That said, no one except a select number of SpiderOak employees will ever have access to the SpiderOak servers. The instance above represents the only situation where your data could potentially be readable to someone with access to the SpiderOak servers. The moment your browsing session ends your password is destroyed and no further trace is left. For this amount of time your password is stored in encrypted memory and never written to an unencrypted disk. The password will then exist in the SpiderOak server memory for the duration of your browsing session. Hen accessing your data via the SpiderOak website or on a mobile device you must enter your password. However, after reading the following explanation about how the mobile version works, I started to get worried. One of the options I considered was SpiderOak.
0 kommentar(er)
