Root Password

I recently received an e-mail from Marco at Clipperz. He wanted to introduce the service to all you DCoT readers. Here is his e-mail:

Dear Timothy Fehlman,
On your blog you often address security issues. Therefore I thought you could be interested in Clipperz, a newly launched online password manager.

Clipperz does solve the password management problem, but it mainly gives a practical demonstration of a new breed of web applications: the “zero-knowledge” web apps.

Applications where the provider is simply in charge of delivering the Ajax code to the user’s browser and then storing user’s data in an encrypted form on its servers.

Do we really need to trust web service providers with our data? Clipperz proves that this is not always necessary.

The “zero-knowledge” paradigm could be used for a wide range of applications: a personal finance manager, a private to-do list, patient records for physicians, a confidential word processor,…

I would be honored to know your opinion, no matter if privately or publicly on your popular and authoritative blog.

Best regards,
Marco

======================
WHAT IS CLIPPERZ

Clipperz is an online password manager. Clipperz can be used to store and freely organize any kind of confidential textual information, such as passwords, confidential notes, burglar alarm codes, credit and debit card details, PINs, software keys, and so on. Clipperz is free and completely anonymous. Nothing to install. Nothing to backup.

FEATURES

- Direct logins
Users can save the details of their online accounts into Clipperz and quickly create a “direct login” link: just one click to authenticate and access the online service without typing any username and password. Highly addictive!

A video tutorial to discover “direct logins”

- Offline copy
Users can dump their encrypted data from Clipperz servers to a local hard disk or USB drive and create a read-only version of Clipperz to be used when no Internet connection is available.

- Special edition for Firefox sidebar
Clipperz Compact is a stripped down edition designed for the Firefox sidebar. It makes “direct logins” even more addictive!

- Sharing (coming soon)
A public key infrastructure is transparently embedded within Clipperz. Users can define “trusted contacts” and policies for sharing secrets with them. Trust mechanisms from the real world could be moved within Clipperz without bothering with certificates and authorities. (based on elliptic curve cryptography)

ABOUT SECURITY
Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded.

The key for the encryption process is a passphrase known only to you. Clipperz simply hosts your sensitive data in encrypted form and could never actually access the data in its plain form.

Clipperz does not use homemade cryptographic algorithms but implements standard strong encryption schemes (AES256 for encryption, SHA-256 for hashing, Fortuna as PRNG, SRP authentication protocol, …).

Detailed information about the crypto foundations is available here:
http://www.clipperz.com/learn_more/crypto_foundations

Since Clipperz is a huge Javascript application, you can review the source code anytime you like. The whole source code is downloaded to your browser before you sign in, so you can easily check if it is a genuine version.

More info about performing a security code review is available here:
http://www.clipperz.com/learn_more/reviewing_the_code

You can even include the Javascript code of our crypto primitives in your web applications since we packed them into the Clipperz Crypto Library, released under a BSD license.
Download it here: http://code.google.com/p/clipperz

For any further information visit:
- the Clipperz Forum: http://www.clipperz.com/forum
- the Clipperz Blog: http://www.clipperz.com/blog

So, here are the questions that I have for you, the DCoT faithful:

  1. Would you trust your passwords to an online password manager?
  2. Does the fact that the program is open source make you more or less concerned about its security?
  3. Do you see this as a service that you would use yourself or recommend to others?
  4. Do you feel that your passwords are at greater risk of being compromised because they are being stored online?
  5. What do you think of this service in general?

I look forward to your feedback in the comments.

If you found this post useful, why don't you buy me a cup of coffee to show your gratitude?

Writing

Security Week on Daily Cup of Tech has been a great success. So much so that I am starting to consider having theme weeks on a regular basis. Sorry to those of you who could not get the week off work to celebrate it!

To wind up security week, I thought that I would just highlight some of the security related articles that I have written in the past so that you may stumble on something interesting that you may not have read before:

Wow! I didn’t know that I had written so much in less than a year! Have a great weekend!


Baby Bodyguard

It never ceases to amaze me how much quality freeware/open source software (FOSS) there is out there. In honor of Security Week, I have decided to compile a list of security related FOSS.

I have broken the security software into the following categories:

All descriptions of the software are copied straight from the website.

This is by no means an exhaustive list and I can guarantee that there are several applications that I have missed but I see this list as a starting point. If you know of an excellent security tool that should be included in this post, please feel free to add it into the comments for all to see.

Missing USB Drive

When I bought my first real computer, it came with a whopping 20 MB hard drive. This nicely held the operating system, my office applications, and all of the data that I required for regular use. I even got a few games on there.

Today, the smallest USB drive that I have will hold 32 MB of data and it is almost considered to be useless because it holds so little data. My regular USB drive that I use for day to day storage is a 4 GB drive with more than enough room to handle several applications, my development environment, and all the documents that I can generate.

And I am not alone in ownership of a USB drive. Everywhere you look, these things are showing up. Most people have at least one, many (like myself) have several.

But, while these devices are extremely convenient and allow you to keep your files with you, how safe is your data on them? What are you doing to keep them safe? I have a few ideas on the subject…

Footprints

A couple of years ago, an organization approached me with an interesting dilemma. One of their employees (let’s call him “Steve”) had taken a vehicle and run off. They were desperate to find him to help him out of the trouble that he had gotten himself into.

The next day, the police found the vehicle about 400 miles away where it had broken down. They believed that he was somewhere in the vicinity and were concentrating their search in that area. They looked for three days without any luck.

Then, this organization got lucky. The CEO received an e-mail from Steve, apologizing for all the trouble that he had caused. Steve had used a Hotmail account that he could access from anywhere to send the e-mail, and he indicated that he was going to be checking this e-mail account for the next couple of days if we wanted to “talk” with him.

It was at this point that I was called in. Everyone was surely in for a surprise!
