Isn’t local storage better for password database security? | Ask an expert

Q: I saw PCWorld’s lists for the best password managers, and your top picks were for cloud-based services. Wouldn’t a locally stored password database be more secure?

A: One of our top password managers is Bitwarden, which supports the setup of a locally stored database as a paid feature. It’s not the default way to use the service, so it takes a bit more elbow grease and vigilance to maintain, but it’s an option. That said, let’s dig into the security of local files versus cloud-stored files.

In a vacuum, a locally stored password database generally carries less risk of being discovered and then potentially shared or cracked. Compared to a set of passwords living on a cloud-based server, local storage gives you full control over where the file is stored and how it’s backed up, plus the devices that access it.

But once you take into account the real world, locally stored password databases have their own weaknesses. Devices get stolen or lost. Shared gadgets only remain as secure as each person who uses them. People have human moments (even the most careful folks!) and can fall for a bad link that opens up remote access by malicious third-parties.

Other dangers exist for locally stored password databases as well. You can’t fall back on a password recovery system if you forget your master password, and you must be vigilant with backups lest you lose the file through accidental deletion or drive failure. Should you need to access your password file remotely, you’ll face even greater problems—opening up your home network to the wider internet comes with its own can of security-related worms.

You can strike a middle ground between the two camps—basically concoct a quasi homebrew version of a cloud-based password manager. You’d use KeePass, a password manager that relies upon a local database and offers multi-device support, then store that database file in a cloud storage account you trust. The idea is that a company like Google, Microsoft, or even Dropbox has more resources to ward off unauthorized access. Provided that you have a strong password to protect that account and enable two-factor authentication, the likelihood of someone then also coming across your KeePass password database remains much lower. You can also move that file around much more easily, so if Google changes its privacy policy or storage encryption methodology, you can immediately hop on over to a different service.

In the end, no bulletproof solution exists for protecting sensitive information. Most people need to just start using a password manager, period—all too many friends and family still create weak passwords, reuse existing passwords, and store them in plain text documents. Don’t let perfect be the enemy of good.

Welcome to Ask an Expert, where we tackle your questions about PC building. Have your own burning concern? Shoot us an email at thefullnerd@pcworld.com.