Wednesday, October 22, 2008
Would you trust anyone with your passwords?
For a while I've been using the Foxmarks Firefox extension. It's an excellent way to keep all your bookmarks in sync on every PC, even on my EeePC with Firefox under Linux. Once installed you can almost forget about it, and it just does what it has to do in the background. Great. And then recently there was an automatic upgrade that asked me the following question: 'Do you want to use the Password Sync feature?'
So I could synchronize my 100+ passwords on all my PCs too? Great, I thought for a few seconds. Until I realized that this would imply that every time I log on, all my passwords are sent to a central server. To a place I have no idea where it is. Controlled by a company I know almost nothing about. The 'About Us' shows some reliable names, including the famous Mitch Kapor, who's known to have so much money that he really couldn't care less about my ample savings in a foreign Iceland bank account. But what about the others?
Of course Foxmarks says the passwords are safely encrypted. True. But how can I check that? Well, I could probably check that using some network-spy software and a lot of hard work. But even if I were a hardcore hacker I would do this only once or twice. Certainly not every time I use the service (then I would be better off writing all my passwords on the back of my hand every day).
And a year from now I probably won't even realize that I'm still using this feature, and the plug-in is updated automatically. So what if, for example, a year from now update 30.134 is installed, and by accident this plug-in 'forgets' to encrypt the passwords? Or it uses some type of encryption that is easy to decode by the Foxmarks programmers. Who may not be the same trustworthy team that founded the company in the first place, as Foxmarks by then could have been purchased by a Nigerian Investment Company.