• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

Kudos0

Cloud Vault questions

Hello Community

Topic may belong in Forum Feedback or Tech Outpost.  So, if it's moved I'll follow it.

I've been running NIS for years and have become comfortable with my Local Vault.

I was reading about LastPass and it's encryption protocol.

That got me thinking.  Are Norton Cloud Vault creds stored encrypted. 

I like the sort of double authentication to access Norton Cloud Vault.

I have to be logged in to my Norton account and supply my password. 

LastPass offers multi-factor authentication.

What intrigues me is all sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you. 

I'm wondering how Norton Cloud Vault compares to LastPass

Obviously, these questions are directed at those familiar with Norton Cloud Vault and / or LastPass.

At the end of the day.  How secure the Cloud server is would be most critical.

I'm thinking Norton server would be more secure by virtue of Symantec resources.

But, that does not hold up as it appears all server's are vulnerable.

So, does storing my creds encrypted via LastPass make my data more secure with the encryption key held locally on my device.

I'm thinking Norton Cloud has my creds and my password.  That gives me pause.

My Norton Local Vault is stronger than my browser's password manager.

Is Norton Cloud Vault any stronger than my Norton Local Vault or just more convenient.

Respectfully submitted

Replies

Kudos1 Stats

Re: Cloud Vault questions

bjm_,

Look at one of your most recent Exports (in .dat format) of your Identity Safe Data from your Local Vault.  You can open it using Notepad - can you read it?  Of course not - it is encrypted.  Now do the same with an export in the .csv format - readable?  Of course it is.

Wouldn't you think if it is encrypted on your system, then it would be when sent in the same format to the cloud?

I have never used Last Pass, so I can not comment on that, and I am sure those more knowledgeable in this area than I am will also chime in.

Kudos0

Re: Cloud Vault questions

Hello yank

I have looked at DAT and CSV in Notepad.   Guess, I never made the connection dat format with encryption.

Funny, when I save a CSV and DAT backup.  I encrypt them with local utility.

Just never made the connection dat = encryption.

I wonder since Norton is everywhere.  DAT encryption is readily available for bad guys to hack. 

But, bad guys hack gov't servers.  So, what's a body to do?

Thanks for taking the time to point out the obvious to me.

Kudos1 Stats

Re: Cloud Vault questions

Hi, bjm_. We only have the word of cloud sourced providers that our data is safe. I remain unconvinced.

It's the future as well as the now, and we really have few choices. 

Windows 10 Home X 64 Norton Security Premium Current
Kudos2 Stats

Re: Cloud Vault questions

Comparing to lastpass I think Norton cloud id safe has name, trust and cross platform availablity.
But looking at last pass, its rated more than id safe[not a current statistical data].
Also last pass offers multi factor authentication (already mentioned) in multiple ways like letter grid, hard ware device (yubi key), app authentication (google) etc etc.
Also the last pass gives you a lot free (I dont know how they manage to give it to free version, but more people subscribe to them @ $12 than using free version)
You can use their 'security check' to go online with their servers and scan your decrypted data.
By this facility, you can check your password strengths of all accounts (which you have saved to your account)
check for similar passwords
check for vulnerable sites
check for weak passwords
check if any of your email addresses (if present in your account) is registered with any database which keeps track of breaches (like that of Adobe)
Gives you an over view of each password length.

Another feature is that you will have plenty of options in settings (only the draw back is that no settings or database in your local system will get synced to your online vault unless you login)

And if you need a mobile version, you need to pay them or loginto your account via their website and copy your password. (Ah! The logging to website will make you tired of entering same password 3 or more times on each attempt to read data.)
The encrypted data is downloaded and reencrypted upon each change in password.
Your password is encrypted using some technique called PBKDF2-SHA256 with minimum 5k rounds. [ https://lastpass.com/whylastpass_technology.php , https://lastpass.com/how-it-works/ ]
You can set various options in your settings to define how long should your vault be open [like timeout in hours, browser shutdown, system shutdown etc]
Note that your each change or adding of username and password will be logged back to you if you choose.
The password generator(offline) is not awsome but a good one above the mark.
You can also use any of 10 OTPs which are predefined and saved to your system explicitly by yourself.
The local vault is in folder - tree structure, which I think is more easy to browse through.
You can set custom folders.
Your each generated password is saved, such that if you forgot which password you choose from the multiple passwords generated, you can say a revisit or delete them.
Last but not least noone or nothing is perfect, so do a thorough research on it (or generally saying, ANYTHING) before taking a leap.
Its a bit lengthy post. May be because I am a user who use and like their service but prefers user education before suggestion in every situation.
(I will do the same way if some one asks me which is better Norton or X for system security?)
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!
Kudos0

Re: Cloud Vault questions

Hi Nikhil_CV
Such a detailed post requires a personal Thank You.
Curious now since I didn't think of it before.
Okay, my ID Safe creds are stored in dat format locally and in the cloud.
But, what about csv format.   Locally, csv is not encrypted.  
Is csv encrypted in the cloud.

When I login to the ID Safe Cloud am I seeing my csv format or am I seeing my de-crypted dat format.
Thanks again Nikhil.  
I will have to do more research.

I don't know how Norton's Cloud works as they don't publish info like Lastpass does.
I was intrigued by Lastpass because I hold the encryption key locally.
With Norton Cloud Vault.  Norton knows my password (encryption key).

With Norton Cloud Vault I have to open my Norton account which may have credit card info.

I always delete credit card info from my Norton account after a renewal. 

Credit card info magically populates to my Norton account even if I make my renewal over the phone w Support.

I wish Norton would published info re how the Online vault works (csv dat format)

All I'm told is that it's just as safe as my Local vault. 

I only started thinking about all this because of the users posting issues w the ID Safe

I never had a problem with my Local vault.  Just the FF update conflicts and Norton seems to have that under control for the most part.  I imagine Lastpass doesn't have to deal with browser variants.

Thanks to all that took the time to reply

Kudos0

Re: Cloud Vault questions

@bjm_,
You are always welcome.:)

As I mentioned in some other thread, I had to migrate away from Norton ID safe as soon as I found I was tricked to cloud only version with all those tagging system. (I am thinking to come back to local id safe on my next system image restore, but is waiting to see whats in Norton Security final release)
...
I agree upon the point Norton should say something about the cloud vault ie, give some transparency to the system, like its encryption and storage, which users will be eager to know.
But its all corporate policies.
Since the connection to Norton servers are encrypted, I can only belive what they tell me.

Yeah! You are right. LP has plugin/addon version which will only work with the browser to which its installed. (ie, if you enable it in FF, only its accessible in FF.)
In its system based version (an installable setup file) you can get it on the browsers you choose and they all will be in sync locally.
I havent found much (actually no) issues with browser version support.
I wont recommend you to go to LP if your are satisfied with what-you-got-is-what-we-provide Identity Safe and you need free mobile platform support.
Else you can give a try to lastpass. (They provide an offer to recommend it to a friend and get premium for free. Recommendation is not enough, your friend must use the link in the recommendation email to setup the vault)
Eventhough I store my online data including bank user login in the passwod managers, its my golden rule to keep my financial data private to me, my bank and intended private circle.
And I suggest that to anyone asking me advise on that matter.
Even if I store such data it will be in 'only I can understand what I saved' form.
So I may be out of comment about your credit card issue you mentioned.:(
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!
Kudos0

Re: Cloud Vault questions

Hi Nikhil_CV

re: So I may be out of comment about your credit card issue you mentioned.

No, not at all.

I was only commenting how with Online Vault I have to open my Norton Account which contains personal Account & Profile info.   Or, is it just that I have to sign in to my Norton account.  The account is not opened?

See, I have no idea how the Online Vault works

Just that it's supposed to be as safe as my Local Vault

Kudos2 Stats

Re: Cloud Vault questions

FWIW...

This concern came up back during the early beta testing of v20, when Symantec Reps first hinted that the ability to create a local vault was going to be removed - That's right; there was at least one (maybe more) early-on v20 beta releases that still retained the capability to create a local vault...

Anyway, the very long-winded, very heated beta forum postings that immediately ensued (at the time) covered this topic "from soup to nuts", so to speak - one of the sub-topics was about the security of the Symantec cloud-stored vault data. The Symantec Reps essentially guaranteed the "fitness to purpose" of the encryption quality of the cloud-stored content.

This eventually lead to Norton Emps posting a "Norton Protection" blog, located here:

http://community.norton.com/t5/Norton-Protection-Blog/What-are-the-changes-to-the-Norton-Toolbar/ba-p/808740

which basically summarizes Symantec's standing on this matter ...

To my recollection, Symantec has never stated that the local .DAT (backup format) is one-and-the-same that is used on their cloud servers.  But I can say that (according to Symantec) the on-cloud data is definitely "HARD" encrypted and that the encryption/decryption process occurs locally, not on their server systems - Note too that Symantec's official-stated standing on accessing the cloud-stored vault content is that if you lose (can't remember) your on-line vault's PW, then even they (Symantec /  Norton) cannot recover it (and the cloud data that it protects).

Kind regards,

John

Kudos0

Re: Cloud Vault questions

Hello avjohnnie

Double Kudos for you.

Thanks so much for chiming in and pointing me to the blog.

A most interesting / informative read as is your post.

Not sure I understand

<< We understand the importance of the data being available when you cannot access the online vault.  The vault data is cached locally and is always available whether you have access to the online vault or not. >>

Cached locally similar to a Local Vault ?    In what format is it cached?

And the requirement for my Norton account password.  That is just for double verification.  My Norton account does not actually open up for anyone to view contents?

Those that are prompting to bring back the Local Vault may be well served by more info readily available re Online Vault eg: Norton Protection blog.  As I have never seen it.  Or, would have not seen it. 

Had I not thought to ask for help from the Community. 

Thank you Community!

Edit  Reading the Symantec, Please Explain Topic is a very interesting read. 

Sorry, I missed it back in 2012

Ya snooze Ya loose

Accepted Solution
Kudos1 Stats

Re: Cloud Vault questions


bjm_ wrote:

Hello avjohnnie

Double Kudos for you.

Thanks so much for chiming in and pointing me to the blog.

A most interesting / informative read as is your post.

Not sure I understand

<< We understand the importance of the data being available when you cannot access the online vault.  The vault data is cached locally and is always available whether you have access to the online vault or not. >>

Cached locally similar to a Local Vault ?    In what format is it cached?

This aspect was also "Hotly" debated to some degree in those early v20 beta threads.  Though little of that information made it to official blog postings and (for understandable security reasons) the actual process method (mechanism) was never (and again, to my recollection) fully divulged - I think it was finally agreed upon that the data continues to remain hard-encrypted on the local system and is "somehow" only decoded for-and-during its actual application to purpose (usage) - be that for transmittal to the remote website requiring it, or for purpose of locally viewing and/or editing it.

And the requirement for my Norton account password.  That is just for double verification.  My Norton account does not actually open up for anyone to view contents?

Correct - Not even for Symantec / Norton (other than by your invitation and authorization to allow Support Techs remote access to your local system for purpose of support assistance - and then only in the same manner that the information is available for own viewing, as I previously stated).

Those that are prompting to bring back the Local Vault may be well served by more info readily available re Online Vault eg: Norton Protection blog.  As I have never seen it.  Or, would have not seen it. Had I not thought to ask for help from the Community.

FWIW; My personal concerns regarding Symantec's cloud security were alleviated quite some ago after being made to "better" understand the "security part" of the mechanism -

My primary remaining concern is over the issues which can ensue if (and when) access to the remote cloud servers is inhibited (for whatever reason).  That's what the local cache is primarily supposed to be about - to deal with those occasions when that communication is inhibited.

To this day (years later) I still see occasions when the local cache (for whatever reason) fails to fully/properly sync with the remote cloud hosted storage. It can usually be corrected by closing the cloud vault then signing out of, and back into your Norton User account (via the main app's UI), followed by re-opening your cloud vault --- but I don't think the user should have to do all that - it should be auto-negotiated - transparently so -  all on its own.

There can also be occasions (though I've not had it happen in while) when communications with the remote cloud servers is disrupted in such a way that it causes a corruption of the local cached data "vault" in combination with a prolonged period of nonfunctional communication with the remote hosting servers --- at which point you have neither a locally usable data set, nor access to the remote storage set.  Those are occasions I find myself reverting to my (hard-fought-for, and very carefully-guarded) local vault.

I think these rare-occasion "total shutout condition" failures was one of the primary reasons for their adding / implementing the automatic / periodic local backup vault sets (now in v21).

Thank you Community!

Edit  Reading the Symantec, Please Explain Topic is a very interesting read. 

Sorry, I missed it back in 2012

Ya snooze Ya loose


Kind regards,

John

Kudos0

Re: Cloud Vault questions

Hello avjohnnie
Again, Double Kudos
Reading through the 2012 Blog and related Topic and this Topic
I am reminded how...
I remain in awe of the invaluable contribution via time, effort, commitment and knowledge that volunteers make to this Community

Respectfully submitted

This thread is closed from further comment. Please visit the forum to start a new thread.