Comments on: Online Password Manager - Would You Dare Use This Software?

By: Mark

Mark — Wed, 10 Sep 2008 18:34:57 +0000

Hmmm, I was mulling this same question. In fact I even started writing code for it but then I stopped to think some more and started asking questions. My design was identical to yours - without the flash bit. Inspired by passpack and to be designed as a Joomla plugin. There’s really no need to be tied to a Joomla database but it’s an easy framework for a starting point.

I’m currently uploading clipperz CE - if that works, I’ll probably use it and retire my flash drive based Password Safe.

Hmmm, ugly UI colors and the layout doesn’t fit on my eeePC’s tiny screen. I sense some changes here already!
Still might be worth the time spent… We’ll see.

-Cheers and thanks for asking the question!

By: polesen

polesen — Wed, 30 Apr 2008 07:10:16 +0000

@Danielle: This really adds nothing. In my eyes, needmypassword.com is a site just like clipperz (maybe yours are just a little less polished :-), and as such excibits the same pros and cons as discussed above. I wouldn’t use it, like I have decided not to use clipperz or sites like it.

By: Danielle

Danielle — Tue, 29 Apr 2008 20:38:00 +0000

Needmypassword.com is a great way to store all of your usernames, passwords, and urls. Imagine only having to remember one password to gain instant access to all of your log-in needs! Needmypassword.com is safe and secure so you don’t have to worry about anyone seeing your information except for you. It is also free and easy to use, so sign up now!

By: Sudhanshu

Sudhanshu — Mon, 07 Apr 2008 12:51:36 +0000

Some websites such as Citibank avoid the keylogger problem, by providing the user with a screen based keyboard. Users enter characters in a text box by clicking with a mouse on their screen based keyboard - Javascript takes care of the rest.

By: Marco Barulli

Marco Barulli — Wed, 26 Mar 2008 23:33:50 +0000

@ those worried about keyloggers

Clipperz recipe is simple:
1. access your digital vault on Clipperz using a one-time passphrase
2. access your other online services (webmail, bank, …) simply clicking on the “direct login” link within the Clipperz interface

You never enter a password, Clipperz never displays a password.
And it works!

Regards,
Marco

By: Dan

Dan — Wed, 26 Mar 2008 14:27:04 +0000

I thought about this very same thing last week. Spent all day thinking about it and kept coming back to the problem of key loggers circumventing any security that may have been put in place. I decided that unless it is easy to implement using one of these https://idprotect.verisign.com/mainmenu.v , that there is no way I would trust anyone with my data or expect anyone to trust me with their data. The Verisign VIP credential could get rid of the key logger problem as long as you enter your individual site passwords from a known safe system, but I would still be hesitant to store a set of passwords on any system connected to the net. Like Rob W said, it would be a target with information like that. Bottom line, storing all of your passwords in a place were other people store all of their passwords is just asking for trouble. I think hosting your own password safe is better, but then again, why not just use a usb drive with a truecrypt volume. Better still, use an ironkey usb drive. A recent Security Now podcast episode featured the creator?/CEO? of ironkey and he mentioned that you do not even need to have administrative rights in windows to access the contents of it like you need to mount a truecrypt volume.

By: Vesa Kaihlavirta

Vesa Kaihlavirta — Wed, 26 Mar 2008 13:54:57 +0000

There are good alternatives for those people who don’t require every single application to be in the web, such as

- http://nsd.dyndns.org/pwsafe/
- http://bjk.sourceforge.net/pwmd/

By: David Precious

David Precious — Wed, 26 Mar 2008 13:44:03 +0000

You briefly mentioned PasswordMaker, which I find to be an excellent solution to this problem. I use the PasswordMaker Firefox extension, so I only ever have to remember my one, secure master password, which never gets sent anywhere, but is used to generate different passwords for each site based on the hostname and configureable rules.

Yes, I have inspected PasswordMaker’s code myself to ensure there’s nothing nasty hidden there that could be secretly sending the master password off - that was one of my biggest concerns.

It works a treat for me, I have a different secure password for each site I use, and all I have to remember is my master password. The only minor drawback is if you need to log in from someone else’s computer, but there’s an online version (if you trust it) and command line version for that kind of thing.

By: Ben

Ben — Wed, 26 Mar 2008 12:57:04 +0000

If we’re going to go down the ‘cafe has a keylogger’ road then I don’t know if there’s really ANYTHING safe to use there. Aren’t you going to have to type in the password to the other site after you read it, even if it was displayed by something with invincible security? You can go infinitely paranoiac with something like that.

I would be more comfortable hiding a data file like that in my email’s files area, since I have to at least manage to log in with the email password first, and if anyone got into your email account you know you’re hosed anyway because you can change passwords with that access.

By: Marco Barulli

Marco Barulli — Tue, 25 Mar 2008 23:14:11 +0000

@Rob

1. When you are in an Internet cafe’ you can safely access Clipperz using one-time passphrases. And since it also offers 1-click login to other websites, it’s probably the best tactic to be used.
Read more here: http://www.clipperz.com/users/marco/blog/2007/10/10/defeat_keyloggers_one_time_passphrases_plus_one_click_logins

2. As I wrote above, the whole Clipperz code is downloaded to the browser before entering your username and passphrase. Therefore you can verify the code _before_ entering your credentials. Clipperz also provides checksums. I agree that this is not convenient and require good technical skills. Read more here:
http://www.clipperz.com/learn_more/reviewing_the_code
http://www.clipperz.com/learn_more/reviewing_the_code/checksums

@ J. Maxwell
Clipperz also offers an offline version (a single HTML file) that can be moved to your USB stick. Read-only.

@ Everybody interested

Clipperz Community Edition is now available for download!
http://clipperz.googlecode.com

Marco

By: MakkaPakka

MakkaPakka — Tue, 25 Mar 2008 21:07:57 +0000

I recommend using TrueCrypt in traveller mode on your USB stick.

Also take a look at http://world.std.com/~reinhold/diceware.html for generating the passphrase.

By: polesen

polesen — Tue, 25 Mar 2008 19:53:43 +0000

@Tristan: No, I am not voicing that we should all write our own. And yes, you are spot on, about trust. When I cannot trust apps of others myself, how should other trust my app.

@J. Maxwell: An encrypted USB stick with keystore software to run right from it, is a great idea. I might go down that road.

@Rob: More and more, I think you are right. Even though I like the clipperz code mentioned above, there is still nothing keeping someone at my hosting provider from putting some other javascript/html in there.

I believe less and less in the solution sketched in the blog post by me.

Thank you all for the valuable input!

By: Rob W

Rob W — Tue, 25 Mar 2008 18:24:58 +0000

Not a chance. There’s no way to build such a system really safely. Even if the design is wonderful, someone can still hack your server and *alter* that design, so that passwords are also stored cleartext, for example… and there *will* be interest in hacking the server. And would you feel safe accessing this kind of thing in an internet cafe where you know there are probably keyloggers installed? Shall I risk my bank password when I just want to check a temporary gmail account?

People won’t be convinced, and they should not be. Sensitive information is much safer when it’s stored separately — each of us will have our own little applications, memory tricks, and even little slips of paper with reminders, and worst case just ONE person’s passwords are stolen, or ONE website is cracked.

If you centralize it, the risk goes way up, and the benefits simply can’t match that. Think about the security of a slip of paper with cryptic reminders on it — no cracker can get to it no matter how computer-ignorant the person is, and the likelihood of the wallet being stolen by someone who can also figure out the personal clues in the passwords, link those to actual online accounts and profit from that before you *change* the passwords (because you’ll *know* if your wallet got stolen.. you WON’T know if this password site got hacked)… you can’t match that level of safety.

Heck, only bring the piece of paper with you when you’re traveling — if you can keep your passport safe, you can probably keep this safe as well.

So I’ll vote against… interesting to think about, though!

By: J Maxwell

J Maxwell — Tue, 25 Mar 2008 17:55:04 +0000

What is wrong with putting a USB stick on your key chain with your password file? So much more secure and so much simpler. The encryption used in password files may not be good enough to safely allow you to put your password file out in public.

By: Tristan

Tristan — Tue, 25 Mar 2008 17:32:33 +0000

Just curious, when you say that you are not comfortable with using someone elses code are you promoting that we should all wrtie are own solution?

What guarantee do I have that you are not a “bad guy”?(none)

The issue of trust is a serious one, and personally i will likely just use truecrypt on a flash drive.

By: Steve Chaloner

Steve Chaloner — Tue, 25 Mar 2008 14:59:40 +0000

I use this client-side solution: http://supergenpass.com/genpass/mobile.html

I’ve got a copy of the code backed up in GMail, and use a local copy when creating/retrieving passwords. Its approach means nothing needs to be stored on your system, so that gets around persistence security issues.

By: Marco Barulli

Marco Barulli — Mon, 24 Mar 2008 22:48:34 +0000

Great, thanks.

Transparency and co-operation is the way to go! Don’t trust us, trust our code!

Ciao,
Marco

By: polesen

polesen — Mon, 24 Mar 2008 21:28:51 +0000

Ooh yeah, and BTW, I created some issues in the google-code project already

By: polesen

polesen — Mon, 24 Mar 2008 21:28:17 +0000

I downloaded the CE and took it for a spin. It looks nice. Really. I am still not quite comfortable with using someone elses code to do this, even when hosted on my own site. I guess that kind of answers my initial question, as I think many others feel the same.

By: Marco Barulli

Marco Barulli — Mon, 24 Mar 2008 20:30:42 +0000

You can download the Community Edition here:
http://clipperz.googlecode.com (file Clipperz.CE.1165.zip)
Documentation is not complete, but the installation process is trivial.

With regard to code integrity, your objection is very sound.

The whole Clipperz code is downloaded to the browser before entering your username and passphrase. Therefore you can verify the code _before_ entering your credentials. We also provide checksums. I agree that this is not convenient and require good technical skills. Read more here:
http://www.clipperz.com/learn_more/reviewing_the_code
http://www.clipperz.com/learn_more/reviewing_the_code/checksums

Any suggestion for a better and stronger solution is welcome.

Looking forward to hear from you,
Marco