Online Password Manager
I recently received an e-mail from Marco at Clipperz. He wanted to introduce the service to all you DCoT readers. Here is his e-mail:
Dear Timothy Fehlman,
On your blog you often address security issues. Therefore I thought you could be interested in Clipperz, a newly launched online password manager.
Clipperz does solve the password management problem, but it mainly gives a practical demonstration of a new breed of web applications: the “zero-knowledge” web apps.
Applications where the provider is simply in charge of delivering the Ajax code to the user’s browser and then storing user’s data in an encrypted form on its servers.
Do we really need to trust web service providers with our data? Clipperz proves that this is not always necessary.
The “zero-knowledge” paradigm could be used for a wide range of applications: a personal finance manager, a private to-do list, patient records for physicians, a confidential word processor,…
I would be honored to know your opinion, no matter if privately or publicly on your popular and authoritative blog.
Best regards,
Marco
======================
WHAT IS CLIPPERZ
Clipperz is an online password manager. Clipperz can be used to store and freely organize any kind of confidential textual information, such as passwords, confidential notes, burglar alarm codes, credit and debit card details, PINs, software keys, and so on. Clipperz is free and completely anonymous. Nothing to install. Nothing to backup.
FEATURES
- Direct logins
Users can save the details of their online accounts into Clipperz and quickly create a “direct login” link: just one click to authenticate and access the online service without typing any username and password. Highly addictive!
A video tutorial to discover “direct logins”
- Offline copy
Users can dump their encrypted data from Clipperz servers to a local hard disk or USB drive and create a read-only version of Clipperz to be used when no Internet connection is available.
- Special edition for Firefox sidebar
Clipperz Compact is a stripped down edition designed for the Firefox sidebar. It makes “direct logins” even more addictive!
- Sharing (coming soon)
A public key infrastructure is transparently embedded within Clipperz. Users can define “trusted contacts” and policies for sharing secrets with them. Trust mechanism from the real world could be moved within Clipperz without bothering with certificates and authorities. (based on elliptic curve cryptography)
ABOUT SECURITY
Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded. The key for the encryption process is a passphrase known only to you. Clipperz simply hosts your sensitive data in encrypted form and could never actually access the data in its plain form.
Clipperz does not use homemade cryptographic algorithms but implements standard strong encryption schemes (AES256 for encryption, SHA-256 for hashing, Fortuna as PRNG, SRP authentication protocol, …).
Detailed information about the crypto foundations is available here:
http://www.clipperz.com/learn_more/crypto_foundations
Since Clipperz is a huge Javascript application, you can review the source code anytime you like. The whole source code is downloaded to your browser before you sign-in, so you can easily check if it is a genuine version.
More info about performing a security code review is available here:
http://www.clipperz.com/learn_more/reviewing_the_code
You can even include the Javascript code of our crypto primitives in your web applications since we packed them into the Clipperz Crypto Library, released under a BSD license.
Download it here: http://code.google.com/p/clipperz
For any further information visit:
- the Clipperz Forum: http://www.clipperz.com/forum
- the Clipperz Blog: http://www.clipperz.com/blog
So, here are the questions that I have for you, the DCoT faithful:
- Would you trust your passwords to an online password manager?
- Does the fact that the program is open source make you more or less concerned about its security?
- Do you see this as a service that you would use yourself or recommend to others?
- Do you feel that your passwords are at greater risk of being compromised because they are being stored online?
- What do you think of this service in general?
I look forward to your feedback in the comments.
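The "zero-knowledge" flow described in Marco's e-mail (encrypt on the client with a key derived from the passphrase, upload only ciphertext) can be shown in a few lines. This is an added example, not Clipperz code and not part of the original post; it assumes PBKDF2-HMAC-SHA-256 as the key derivation and AES-256-GCM as the cipher mode (the e-mail names only AES256 and SHA-256), uses Node's `crypto` module in place of a browser, and all function names and sample values are hypothetical.

```javascript
// Added illustration, not Clipperz code. Assumed choices: PBKDF2-HMAC-SHA-256
// for the passphrase KDF and AES-256-GCM for authenticated encryption.
const nodeCrypto = require("node:crypto");

const KDF_ITERATIONS = 210000; // assumed work factor for this example

function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, "sha256");
}

// Client side: the passphrase and plaintext never leave this function.
function sealRecord(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Every field below is safe to hand to the provider.
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Client side: returns null on a wrong passphrase or a blob altered in storage.
function openRecord(passphrase, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, "base64"));
  const iv = Buffer.from(blob.iv, "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  try {
    const pt = Buffer.concat([
      decipher.update(Buffer.from(blob.ct, "base64")),
      decipher.final(), // throws if the GCM tag does not verify
    ]);
    return pt.toString("utf8");
  } catch (err) {
    return null;
  }
}

// Server stand-in: a store that only ever receives opaque blobs.
const serverStore = new Map();
function upload(user, blob) { serverStore.set(user, JSON.stringify(blob)); }
function download(user) { return JSON.parse(serverStore.get(user)); }

// Constructed sample data.
const samplePassphrase = "correct horse battery staple (constructed)";
const sampleCard = '{"site":"example.test","password":"s3cret-demo"}';
upload("alice", sealRecord(samplePassphrase, sampleCard));
```

The property holds only while the code that runs `sealRecord` is the code the user reviewed: the provider still delivers the JavaScript, which is the concern raised in the comments about verifying the version being served.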
20 Responses to “Online Password Manager”
-
ShanKri-la Says:
November 30th, 1999 at 12:00 am
Here is my promised review of the online password manager I started using last week - Clipperz. I had originally come across Clipperz in a post at Daily Cup of Tech where Tim asked his readers if they would use an online password manager. If you’d like you can see my reply in the comments there. Like you, I’m security conscious when it comes to storing sensitive passwords online. But, I feel more
-
Series at Enthousiasmeren Says:
November 30th, 1999 at 12:00 am
PassPack. Here the question is clearly raised of why you would store passwords online when you are making more and more use of OpenID (or the Dutch variant mijnOpenID) and saving passwords in your browser. Daily Cup of Tech asks its readers what they think of the service: Would you trust your passwords to an online password manager? Does the fact that the program is open source make you more or less concerned about its security?
-
Tripp Says:
June 20th, 2007 at 9:57 am
I think that while this sounds all good, it’s too good to be true. Personally, the only password manager I use is the one built into Firefox, which I place on it a strong password. Besides that, the only “security flaw” I present with my passwords, is the fact that I use Google Browser Sync. This little nifty plugin keeps all of my copies of Firefox (home computer, Portable Edition, work, etc.) all kept up to date with my passwords, bookmarks, history, and cookies. But then again, even THAT has a password on it, and a PIN if I add it to another copy of Firefox.
So while Clipperz sounds like an excellent idea, I think I’ll stick with the tried and true methods I have; strong passwords, and a company I can point the finger to should my passwords get leaked or hacked. For the program being open source… it’s a double edged sword really. While yes, programmers can develop add-ons and whatnot for it, it is a great security risk, in that hackers can develop their own plugins that say, forward them a copy of all your passwords. That just scares me too much, and so I would not even try using Clipperz.
-
Dave Says:
June 20th, 2007 at 11:06 am
I would never trust an online password manager. The idea that someone could get ALL my passwords at once is totally abhorrent to me.
I use KeePass on a USB stick, it goes where I go, and it works just fine.
-
Jennifer Says:
June 20th, 2007 at 11:27 am
For online backup news, information and articles, there is an excellent website:
This site lists more than 400 online backup companies and ranks the top 25 on a monthly basis.
Any one can add their company in the directory. Just click on the “Search” button found at the top.
Cheers,
-
Aaron Says:
June 20th, 2007 at 11:51 am
This is a case where Web Apps is taken too far IMO. Using Zoho is one thing but transmitting your passwords via “secure” methods is another. Also, it seems kind of open source what with them giving out the crypto-code and all. “Clipperz Crypto Library
Download our Javascript library of cryptographic functions: AES, SHA, SRP, … It’s free!:” I’ll never use it. KeePass all the way Dave!!
-
Robb Says:
June 20th, 2007 at 11:58 am
It sounds like a great idea, but it is not for me. My concerns are two: 1. What if the website is down (or blocked, as my company will sometimes do), and 2. (an extension of #1) what if Clipperz bites the dust? I imagine I would lose a record of all of my passwords. Instead, like commenter #2, I prefer to use FF’s built-in PW manager. I am also keen on passwordchart.com.
-
Robb Says:
June 20th, 2007 at 12:00 pm
CORRECTION: My original comment referred to comment #2 - should be comment #1.
-
John May Says:
June 20th, 2007 at 12:24 pm
I’m not sure Clipperz is such a great idea. The people that would have so many passwords that they would need to keep the information in a safe place are also the ones that are savvy enough to use KeePass or another password manager on their local computer or USB drive so they don’t have to rely on a website for their sensitive information. As for mom or dad using the service, my parents don’t even shop online for fear of losing information, much less give it out willingly, encryption or no encryption.
-
Tom Gleeson Says:
June 20th, 2007 at 12:31 pm
Open source is the key. It’s the reason I trust KeePass. But as with all password safes it depends on a strong password to secure the other passwords. That’s what I like about KeePass, the option to use a keyfile and/or a password. Maybe if they incorporated Google Gears technology into the product a key file could be client-side injected into the local SQLite database as a means of restricting access to the service to a single physical PC at any moment in time.
Tom
-
Marco Barulli Says:
June 20th, 2007 at 12:43 pm
@ Robb
If Clipperz is down or goes out of business, you can still access your data via the “offline copy”, i.e. a read-only version of Clipperz that you can download to your local hard drive or bring with you on a USB drive.
(see the link in Tim’s post)
@ Aaron
There’s been a lot of debate by security practitioners about the impact of open source approaches on security. We stay on the side of security expert Bruce Schneier when he says: “In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. For us, open source isn’t just a business model; it’s smart engineering practice.”
—-
Thanks to everybody for your thoughts.
An invitation to the skeptics: why don’t you just try Clipperz out using fake or unimportant data? If you are not convinced by the security architecture just forget about it.
But if you get used to one-click login, ubiquitous access to your data, not worrying about backups, …
Regards,
Marco
-
Joe Says:
June 20th, 2007 at 1:03 pm
Why is Linux generally considered more secure than Windows? Sure, it may in part be due to market share and the fact that less sophisticated users are much more likely to be using Windows, but open source development plays a large role. Why is Firefox more secure than IE? Type “server software” into Google and what do you get at the top of the list? The open source Apache Software foundation, the basis for a WAMP or LAMP server. I could go on and on.
Open source is more secure, because you enlist everyone’s help in making it so. “Here’s my code. If you find any flaws, help me fix them.” If only the most interested parties try to foil your security - and must violate the license agreement to do so, then only lawbreakers will find out if there are exploitable flaws.
That said, I’m still leery of storing all of my passwords in a single online location. KeePass for me as well.
Oh, and I’d never set up single click login bookmarks on my laptop, and probably wouldn’t do it on my desktop, either. At least Firefox lets me password protect the logins it saves.
-
Marco Barulli Says:
June 20th, 2007 at 1:16 pm
@Joe
Clipperz does not enable the creation of “single click login” on your PC, the “direct login” links are accessible only from within Clipperz web app.
Clipperz is a “zero knowledge” web application, it doesn’t know anything about your data. All the encryption/decryption processes take place within the browser.
Please note: not a line of Javascript code is downloaded to your browser after you have loaded the login page. All the Clipperz code is there, before you submit the Clipperz credentials.
Regards,
Marco
-
Zac Garrett Says:
June 20th, 2007 at 2:06 pm
1. Would you trust your passwords to an online password manager?
No.
2. Does the fact that the program is open source make you more or less concerned about its security?
How does one know that the version running on the server is the same exact version as the open source? You don’t.
3. Do you see this as a service that you would use yourself or recommend to others?
Far from.
4. Do you feel that your passwords are at greater risk of being compromised because they are being stored online?
Very much so.
5. What do you think of this service in general?
The service uses javascript and requests passwords. Those two things should be as far away from each other as possible. Javascript is a security risk in and of itself and should be avoided whenever possible. When a password is introduced into the mix someone could easily break the system.
Storing passwords online should never happen unless you create a script yourself and it is not stored in a public location. This is what I do and I believe that anyone who is able to get to my stored information is more than welcome to it. After the sheer amount of work they did to find the info they deserve to get on my accounts.
-
Curious Says:
June 21st, 2007 at 12:29 pm
1.) No
2.) No
3.) No
4.) Yes
5.) We can do without something like this.
Software from another country is a good thing.
When they ask that we use their service to store important things, we should really think about that. As previously mentioned, there are a lot of reasons why we shouldn’t use this, and a few as to why we could.
Passwords should be thought of as one of the most important things we possess, even if we change them regularly. Unfortunately, most of us don’t.
The best method for storing small amounts of important information is still being used in our schools and around the world today:
Paper, Pencil, in Pocket (P-Cubed)
Just because someone says it’s a good thing, does that necessarily make it so?
“… If I’m wrong, then someone else is right but not necessarily You …”
-
K-IntheHouse Says:
June 21st, 2007 at 1:05 pm
1. Would you trust your passwords to an online password manager?
No. I use KeePass and for sensitive stuff like my bank accounts only my memory is the witness. I am waiting for the 3-factor authentication to become the norm in the banking sector. It is way too important!
2. Does the fact that the program is open source make you more or less concerned about its security?
I agree with Joe, that open source means more secure. His arguments are totally valid.
3. Do you see this as a service that you would use yourself or recommend to others?
Yes, I plan on using this service for non-sensitive logins. This is going to be essential to me; I try out a dozen web services a week before I blog about them and I would like to keep track of them in one place even if I forget my USB stick or misplace it or lose it.
4. Do you feel that your passwords are at greater risk of being compromised because they are being stored online?
So far yes. But, Clipperz is definitely on to something and I wouldn’t cry wolf without giving it a fair shot.
5. What do you think of this service in general?
I think it is an excellent idea and I am going to try it for my day to day logins for different webservices. The sidebar feature for Firefox is great but I would love the pop-out/pop-in functionality of Google Notebook for this service.
I am definitely recommending to my readers if their usage pattern matches mine.
-
Christoph Says:
June 22nd, 2007 at 8:13 am
I would never trust an online password manager. The idea that someone could get ALL my passwords at once is totally abhorrent to me.
Isn’t this pretty much your email. If you use webmail and someone gets your email password, they can recover most of your other passwords (by doing the “I forgot my password”).
Unfortunate, yes. I think I should make my password stronger now…
-
Mark Says:
June 25th, 2007 at 2:48 pm
I need to store passwords for many things so Firefox only gets me halfway. I use both Windows and Linux so the web sounds like a great place to keep my stuff. Hmm, I may have to move in for a closer look.
After having started using PasswordSafe about six months ago, I will never be without some kind of a password manager ever again. Just be sure to keep backup copies - When my password database corrupted from a poorly timed USB ejection the whole thing was gone except an xml dump to paper that was a few weeks old.
-
Danielle Says:
April 29th, 2008 at 3:06 pm
To all of those who would like to try an online password manager, NeedMyPassword.com is a great one.
Needmypassword.com is a great way to store all of your usernames, passwords, and urls. Imagine only having to remember one password to gain instant access to all of your log-in needs! Needmypassword.com is safe and secure so you don’t have to worry about anyone seeing your information except for you. It is also free and easy to use, so sign up now!

