Online Password Manager – Would You Dare Use This Software?
I have a rough sketch of an online password manager application in my head, but I want to hear your opinion about it beforehand. Especially about security, which I guess can be measured by letting you answer this question for me: Would you (dare) use the online password manager described here?
Why an Online Password Manager?
Is this not obvious? I, for one, have serious problems remembering logins to the myriad of accounts I have on various online services. In addition to this, my work environment adds another serious bunch of passwords, PINs and other codes for me to remember. It is overwhelming.
But, I cannot find any good applications out there, designed for my needs.
What I want is this:
- Something online, accessible from anywhere with a browser: This requirement cuts off all the existing native applications that are installed and keep the data in a secured file on your machine.
- Something easily hosted by anyone with a cheap hosting account: I want to hold the data myself. I do not want to use an application-service-provider solution, where “they” are storing my passwords “somewhere”.
- Something simple to use, with really good organization and searching abilities (I am thinking “tagging”)
- Something that can hold many kinds of information, as in, not just username-password pairs, but also, PINs, bank account numbers, …
Are there any such existing solutions? Well, next comes the rough sketch I have done, of one I could implement.
Rough Sketch of The Application

To the right, I have sketched the application as I see it done. Basically, it consists of two parts:
- A flash application, which is the user-interface that is presented to the user
- A simple PHP script, which only works to move the encrypted file back and forth between the server and the client (the flash application)
And here are some important implementation notes, which state some of what can be seen in the sketch too:
- Traffic (of the encrypted file) between client and server is standard (and cleartext) HTTP. This is needed if this is to be easily hosted. Far from all cheap hosting offers server certificates, and even if they did, you would have to go through getting a certificate, installing it, renewing it, …
- Encryption and decryption are done inside the flash application. I am thinking symmetric key algorithms like AES or Blowfish. The user would then only have to enter one key, and the file can be encrypted and decrypted inside the client. The key need not travel anywhere.
Hosting this solution would be dead easy. You could sign up for some simple, cheap web hosting, upload the flash application and PHP script, and you would be ready to go.
Nice, But What To Consider Then?
For me, my main concern is placing the encrypted-data.dat file in a public place, even though it is encrypted. It can be hidden, a little bit, but it should pose no real problem for someone to get access to it. Even if it could be hidden pretty well, it would still not be hidden from the personnel working the machines at your hosting provider.
I guess this boils down to: Do I trust the encryption of the file to be “secure enough”? I do not know enough about cryptography, to answer this myself, but I assume there is no simple answer. Even though the cipher can be proved to be “secure enough”, there can be weaknesses in the implementation of the algorithm I end up using, or the password I choose can be weak and too easily guessed.
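The client-side encryption from the implementation notes, with the two worries above (a guessable password and a file anyone can fetch or change) handled in the file format itself. This is an added example, not code from the original post, written for Node.js rather than Flash; the `PWV1` marker, the scrypt cost values and the sample entry are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumed values for illustration: format marker and scrypt cost (about 32 MiB per guess).
const MAGIC = Buffer.from("PWV1");
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// A salted, deliberately slow KDF is what prices each offline guess
// once somebody has fetched the file from the public web host.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, KDF);
}

// Stored layout: magic(4) | salt(16) | iv(12) | tag(16) | ciphertext
function sealVault(passphrase, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh per save, never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  cipher.setAAD(MAGIC);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return Buffer.concat([MAGIC, salt, iv, cipher.getAuthTag(), body]);
}

function openVault(passphrase, blob) {
  if (blob.length < 48 || !blob.subarray(0, 4).equals(MAGIC)) {
    throw new Error("not a vault file");
  }
  const salt = blob.subarray(4, 20);
  const iv = blob.subarray(20, 32);
  const tag = blob.subarray(32, 48);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  try {
    const plain = Buffer.concat([decipher.update(blob.subarray(48)), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch (err) {
    // GCM fails the same way for a wrong passphrase and for a file changed on the server.
    throw new Error("wrong passphrase or file was modified");
  }
}

// Constructed sample entry, not real data.
const sample = [{ title: "example bank", tags: ["finance"], pin: "0000" }];
const stored = sealVault("constructed demo passphrase", sample);
console.log(stored.length, openVault("constructed demo passphrase", stored)[0].title);
```

The authentication tag protects the stored file only; it says nothing about whether the code doing the encryption is the code you uploaded.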
Slowly, I am working myself backwards to the question in the beginning of this blog post: Would you (dare) use the online password manager described here?
But also, are you already using some other solution to solve the same problem? Something that you find helpful and good enough?
Existing Solutions
Here are some other solutions, but none that meets the criteria above.
There are plugins in the browser, most notably I have written about Google Browser Sync, but there are other plugins too. In addition, browsers contain their own password managers, but this is mostly for passwords related to web application services, and most store data offline.
Then there are all the programs like KeePass, which you install locally and which store the data (locally) in an encrypted file. Fine, but not when moving between machines often.
One solution I found interesting was PasswordMaker. It fulfills some of the same requirements as my sketched application above does. Actually, it does not even require the encrypted file. But it generates passwords that are impossible to remember, so I will have to stop by PasswordMaker each and every time I need a password. Maybe I could do something with greasemonkey, but I dunno.
KeyVault.org looked promising for a very short period, before I read the text on the site. It seems dead in development, it is not open-source (something I would require, for such an application), it is a .exe file, …
So then, should I start coding it or what?
March 21, 2008
Tags: cryptography, password manager Posted in: Design, Programming, Tools

23 Responses
Hi,
you should definitely try Clipperz! (http://www.clipperz.com)
It has all the features you ask for, the same architecture (more robust).
It’s built using Javascript not Flash. (It lacks tagging, but it’s coming very soon)
You can host it by downloading the Community Edition (launches next week, but you can already get it, just send me an email). It just requires PHP and MySQL.
You can also run an offline version (read only) from a single HTML file!
You can think of Clipperz as your web Rolodex, a card index where you can enter any sort of confidential data. Each card consists of a set of fields. You can add as many fields as you need to every card. Each field can be labeled and typified according to the kind of information it has to accommodate.
Perfect for storing passwords, but also confidential notes, burglar alarm codes, credit and debit card details, PINs, software keys, …
The Community Edition is open source and with an AGPLv3 license. So don’t start a new project, but join our effort to promote a world of “zero-knowledge web applications”!
http://www.clipperz.com/users/marco/blog/2007/08/24/anatomy_zero_knowledge_web_application
Thanks for your stimulating post,
Marco
Clipperz
Co-founder
Interesting, indeed. It does seem to cover a lot of what I want. Even though data is encrypted and all, I still would not like to have it hosted at your (someone's) site. I would then have to use the community edition then (?) and host it myself? And this would have the extra need of mysql, but I could live with that.
One thing in this scenario, I had not thought about, was the possibility of someone in control of the hosting site, to put in some other code, than the app I have (or your javascript code), and then grab my codes that way. Like, put up another application, which does not encrypt, before shipping to server.
I would like to try the community edition when it comes out.
You can download the Community Edition here:
http://clipperz.googlecode.com (file Clipperz.CE.1165.zip)
Documentation is not complete, but the installation process is trivial.
With regard to code integrity, your objection is very sound.
The whole Clipperz code is downloaded to the browser before entering your username and passphrase. Therefore you can verify the code _before_ entering your credentials. We also provide checksums. I agree that this is not convenient and requires good technical skills. Read more here:
http://www.clipperz.com/learn_more/reviewing_the_code
http://www.clipperz.com/learn_more/reviewing_the_code/checksums
Any suggestion for a better and stronger solution is welcome.
Looking forward to hearing from you,
Marco
I downloaded the CE and took it for a spin. It looks nice. Really. I am still not quite comfortable with using someone else's code to do this, even when hosted on my own site. I guess that kind of answers my initial question, as I think many others feel the same.
Ooh yeah, and BTW, I created some issues in the google-code project already
Great, thanks.
Transparency and co-operation is the way to go! Don’t trust us, trust our code!
Ciao,
Marco
I use this client-side solution: http://supergenpass.com/genpass/mobile.html
I’ve got a copy of the code backed up in GMail, and use a local copy when creating/retrieving passwords. Its approach means nothing needs to be stored on your system, so that gets around persistence security issues.
Just curious, when you say that you are not comfortable with using someone else's code, are you promoting that we should all write our own solution?
What guarantee do I have that you are not a “bad guy”? (None)
The issue of trust is a serious one, and personally I will likely just use TrueCrypt on a flash drive.
What is wrong with putting a USB stick on your key chain with your password file? So much more secure and so much simpler. The encryption used in password files may not be good enough to safely allow you to put your password file out in public.
Not a chance. There’s no way to build such a system really safely. Even if the design is wonderful, someone can still hack your server and *alter* that design, so that passwords are also stored cleartext, for example… and there *will* be interest in hacking the server. And would you feel safe accessing this kind of thing in an internet cafe where you know there are probably keyloggers installed? Shall I risk my bank password when I just want to check a temporary gmail account?
People won’t be convinced, and they should not be. Sensitive information is much safer when it’s stored separately — each of us will have our own little applications, memory tricks, and even little slips of paper with reminders, and worst case just ONE person’s passwords are stolen, or ONE website is cracked.
If you centralize it, the risk goes way up, and the benefits simply can’t match that. Think about the security of a slip of paper with cryptic reminders on it — no cracker can get to it no matter how computer-ignorant the person is, and the likelihood of the wallet being stolen by someone who can also figure out the personal clues in the passwords, link those to actual online accounts and profit from that before you *change* the passwords (because you’ll *know* if your wallet got stolen.. you WON’T know if this password site got hacked)… you can’t match that level of safety.
Heck, only bring the piece of paper with you when you’re traveling — if you can keep your passport safe, you can probably keep this safe as well.
So I’ll vote against… interesting to think about, though!
@Tristan: No, I am not voicing that we should all write our own. And yes, you are spot on, about trust. When I cannot trust apps of others myself, how should others trust my app.
@J. Maxwell: An encrypted USB stick with keystore software to run right from it, is a great idea. I might go down that road.
@Rob: More and more, I think you are right. Even though I like the clipperz code mentioned above, there is still nothing keeping someone at my hosting provider from putting some other javascript/html in there.
I believe less and less in the solution sketched in the blog post by me.
Thank you all for the valuable input!
I recommend using TrueCrypt in traveller mode on your USB stick.
Also take a look at http://world.std.com/~reinhold/diceware.html for generating the passphrase.
@Rob
1. When you are in an Internet cafe you can safely access Clipperz using one-time passphrases. And since it also offers 1-click login to other websites, it’s probably the best tactic to be used.
Read more here: http://www.clipperz.com/users/marco/blog/2007/10/10/defeat_keyloggers_one_time_passphrases_plus_one_click_logins
2. As I wrote above, the whole Clipperz code is downloaded to the browser before entering your username and passphrase. Therefore you can verify the code _before_ entering your credentials. Clipperz also provides checksums. I agree that this is not convenient and requires good technical skills. Read more here:
http://www.clipperz.com/learn_more/reviewing_the_code
http://www.clipperz.com/learn_more/reviewing_the_code/checksums
@ J. Maxwell
Clipperz also offers an offline version (a single HTML file) that can be moved to your USB stick. Read-only.
@ Everybody interested
Clipperz Community Edition is now available for download!
http://clipperz.googlecode.com
Marco
If we’re going to go down the ‘cafe has a keylogger’ road then I don’t know if there’s really ANYTHING safe to use there. Aren’t you going to have to type in the password to the other site after you read it, even if it was displayed by something with invincible security? You can go infinitely paranoiac with something like that.
I would be more comfortable hiding a data file like that in my email’s files area, since I have to at least manage to log in with the email password first, and if anyone got into your email account you know you’re hosed anyway because you can change passwords with that access.
You briefly mentioned PasswordMaker, which I find to be an excellent solution to this problem. I use the PasswordMaker Firefox extension, so I only ever have to remember my one, secure master password, which never gets sent anywhere, but is used to generate different passwords for each site based on the hostname and configurable rules.
Yes, I have inspected PasswordMaker’s code myself to ensure there’s nothing nasty hidden there that could be secretly sending the master password off – that was one of my biggest concerns.
It works a treat for me, I have a different secure password for each site I use, and all I have to remember is my master password. The only minor drawback is if you need to log in from someone else’s computer, but there’s an online version (if you trust it) and command line version for that kind of thing.
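The stateless approach described in the comment above, as an added example that is not part of the original thread and is not PasswordMaker's or SuperGenPass's actual algorithm. The character set, the scrypt parameters, the `counter` rotation field and the function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumed output policy: letters, digits and a few symbols, look-alikes (0/O, 1/l/I) left out.
const CHARSET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+";

// The same site must always map to the same string, or the user is locked out:
// accept a pasted URL or a bare host and reduce both to the lower-cased hostname.
function normalizeHost(input) {
  const text = input.trim();
  const url = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "https://" + text;
  return new URL(url).hostname;
}

// Nothing is stored: the password is recomputed from the master secret each time.
// counter lets one site's password be rotated without changing the master.
function sitePassword(master, site, { length = 16, counter = 1 } = {}) {
  const salt = `${normalizeHost(site)}#${counter}`;
  // Slow KDF on purpose: a leaked site password must not make the master cheap to guess.
  const bytes = crypto.scryptSync(master, salt, length * 2, { N: 2 ** 14, r: 8, p: 1 });
  let out = "";
  for (let i = 0; i < length; i++) {
    // 16 bits per character keeps the modulo bias below 0.1 percent.
    out += CHARSET[bytes.readUInt16BE(i * 2) % CHARSET.length];
  }
  return out;
}

// Constructed inputs, not real credentials.
console.log(sitePassword("constructed master phrase", "https://Mail.Example.com/login"));
```

Because every site password is a function of the master secret, one leaked site password lets an attacker who knows the rules test master guesses offline, so the master has to be strong.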
There are good alternatives for those people who don’t require every single application to be in the web, such as
- http://nsd.dyndns.org/pwsafe/
- http://bjk.sourceforge.net/pwmd/
I thought about this very same thing last week. Spent all day thinking about it and kept coming back to the problem of key loggers circumventing any security that may have been put in place. I decided that unless it is easy to implement using one of these https://idprotect.verisign.com/mainmenu.v , that there is no way I would trust anyone with my data or expect anyone to trust me with their data. The Verisign VIP credential could get rid of the key logger problem as long as you enter your individual site passwords from a known safe system, but I would still be hesitant to store a set of passwords on any system connected to the net. Like Rob W said, it would be a target with information like that. Bottom line, storing all of your passwords in a place where other people store all of their passwords is just asking for trouble. I think hosting your own password safe is better, but then again, why not just use a usb drive with a truecrypt volume. Better still, use an ironkey usb drive. A recent Security Now podcast episode featured the creator?/CEO? of ironkey and he mentioned that you do not even need to have administrative rights in windows to access the contents of it like you need to mount a truecrypt volume.
@ those worried about keyloggers
Clipperz recipe is simple:
1. access your digital vault on Clipperz using a one-time passphrase
2. access your other online services (webmail, bank, …) simply clicking on the “direct login” link within the Clipperz interface
You never enter a password, Clipperz never displays a password.
And it works!
Regards,
Marco
Some websites such as Citibank avoid the keylogger problem, by providing the user with a screen based keyboard. Users enter characters in a text box by clicking with a mouse on their screen based keyboard – Javascript takes care of the rest.
Needmypassword.com is a great way to store all of your usernames, passwords, and urls. Imagine only having to remember one password to gain instant access to all of your log-in needs! Needmypassword.com is safe and secure so you don’t have to worry about anyone seeing your information except for you. It is also free and easy to use, so sign up now!
@Danielle: This really adds nothing. In my eyes, needmypassword.com is a site just like clipperz (maybe yours is just a little less polished), and as such exhibits the same pros and cons as discussed above. I wouldn’t use it, like I have decided not to use clipperz or sites like it.
Hmmm, I was mulling this same question. In fact I even started writing code for it but then I stopped to think some more and started asking questions. My design was identical to yours – without the flash bit. Inspired by passpack and to be designed as a Joomla plugin. There’s really no need to be tied to a Joomla database but it’s an easy framework for a starting point.
I’m currently uploading clipperz CE – if that works, I’ll probably use it and retire my flash drive based Password Safe.
Hmmm, ugly UI colors and the layout doesn’t fit on my eeePC’s tiny screen. I sense some changes here already!
Still might be worth the time spent… We’ll see.
-Cheers and thanks for asking the question!
I vote against… TrueCrypt + thumbdrive is secure and easy and already works…