Peter, how would this be different from hacking a phone to tap into voice calls or assume the phone’s identity?
With a phone I agree… need some GSM monitoring gear.
Also anybody who gains physical access to your phone for a minute (to receive the confirmation code) can set up a PC version of the app, leave it quietly running, and monitor all your messages 
The way these services work is that each end point has an encryption key which is locally generated and whose authenticity is validated by the server once during setup by means of an SMS with a PIN code. That is a reasonably safe approach.
Is that true for Whatsapp? Telegram’s secret mode is secure end to end.
achimha wrote:
1Password et al are great for the job. You have to trust the app though.
I use 1Password too. It’s great. The only worry that I have is that such a company now becomes a high value target for hackers… because literally all passwords are stored there to get access to someones entire digital (and normal) life!
They say it’s unbreakable because the data is hashed with your master password using some extravagant encryption, but is anything unbreakable these days?
Archie wrote:
I use 1Password too. It’s great. The only worry that I have is that such a company now becomes a high value target for hackers… because literally all passwords are stored there to get access to someones entire digital (and normal) life!
I would assume they don’t have the passwords not the ability to decrypt your database. It is not necessary and it would defeat the purpose.
Archie wrote:
They say it’s unbreakable because the data is hashed with your master password using some extravagant encryption, but is anything unbreakable these days?
AES is still considered to be very good. It’s the worldwide standard and it was not developed by the NSA but by a Belgian researcher in the open. I wouldn’t worry about the algorithm, I would worry about incorrect implementations (the apps are closed source) and about other attacks like social attacks (faking the password input screen, watching you over the shoulder, etc.).
Still, the question is how sensitive your data is. Due to my past professional life, I have some insight into the community that has an interest in your encrypted information and that let’s me stay very much at ease.
With the dozens to hundreds of accounts, there are basically two options:
I personally believe that number 2 is much safer.
They say it’s unbreakable because the data is hashed with your master password using some extravagant encryption, but is anything unbreakable these days?
I would be amazed if AES256 with RSA (1024+) key management is breakable, ever.
Maybe the NSA know how to. The majority of the world’s mathematicians reportedly work there. But it would still be an amazing breakthrough – equivalent to everything done since the ancient Greeks.
Even plain old 56-bit DES has no public back door, and would take an awfully long time for any private enterprise. When I used to do FPGA design, I worked out that for $1M you could build a machine which would do it in minutes (known plaintext!) but who is going to bother? With any “PC” it would take for ever.
Cisco had a big security breach some years ago and mandated 3DES for all employees working off-site. A friend used to work there.
AFAIK none of these “open source” cryptosystems has been found to have an easy back door. Since 1978, the best they have done with DES is reducing the key from 56 to about 30 bits. Plenty of key management holes, sure, in specific software implementations…
If somebody works out how to factorise really large numbers really quickly, we are all finished and the Greeks will be able to generate all the €s they need 
That would be doubly ironic since they made the early discoveries!
Probably the simplest way is to break into your house and plant a keylogger. Any respectable burglar will do that for you, for the price of a new flat screen TV he can sell down the pub
I would be amazed if AES256 with RSA (1024+) key management is breakable, ever.
It doesn’t need to be broken. There are at least two instances where the message is available as plain text: Before encryption and after decryption. During that time it will be handled by the operating system. This was developed by a huge team of people about whom we know nothing and not even their employer does. It’s a lot easier to place a handful of people inside Microsoft or Google or Apple than to decipher encrypted messages…
achimha wrote:
I would assume they don’t have the passwords not the ability to decrypt your database. It is not necessary and it would defeat the purpose.
Well, it’s all in “the cloud”, so my passwords are somewhere on servers, the only thing that isn’t there is the master password, that is used to hash all the passwords.
Peter wrote:
I would be amazed if AES256 with RSA (1024+) key management is breakable, ever.
Not necessary. The master password that is used to generate the encryption key could only be a simple password that one could guess. What people think of as a strong (master) password is often not that strong.
LeSving wrote:
Yes, but I always forget about it, and forget password every time I remember
You should use a password manager. 1Password is highly recommended by cybersecurity experts (I have no affiliation)
For passwords, I highly recommend 1Password (which was recommended by the cybersecurity team at our company)
