Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Clipperz Does the Impossible: A Safe Online Password Manager

For safety's sake, I use a different, randomly generated password for every Web form I encounter. Since I don't know any of these passwords, I store them, password-protected, using a password keeper application. But this technique, although it's pretty secure (unless someone sneaks into my house and bonks me over the head while the password keeper is open), works only if I'm sitting at my own computer. How can I access these passwords safely and securely from any computer?

Enter Clipperz.

I first heard about Clipperz on an IT Conversations podcast, and my immediate reaction was, "Why didn't anyone tell me about this sooner?" Clipperz is a Web application, so you navigate to it in a browser; thus, you have access to your online passwords exactly when you need them, namely, whenever you're online. When you arrive at the Web site, you enter your username and a master passphrase; the guessability of this combination is the weakest link in the chain, of course, so you should use a rather long and unnatural passphrase. However, the passphrase itself is not sent to during login. In fact, doesn't know your username, your master passphrase, or any of your passwords!

How can this be? Well, is what's called a "zero-knowledge database." It doesn't store anything in cleartext; everything is encrypted, and doesn't have the key. All of the stored data is encrypted; communication with Clipperz is also encrypted (doubly so, since it also is transmitted using SSL). All the encryption and decryption happens at your end - in the browser. This is possible because of the speed of modern computers and JavaScript implementations (JavaScript data is lost when you change Web pages, so Clipperz uses AJAX to refresh screens while keeping you on the same page). Moreover, the apparent weakest link, the initial password-based authentication, uses Secure Remote Password (SRP) authentication, which is itself zero-knowledge ( knows only a public key derived from your username and passphrase), and is as secure as password-based authentication can possibly be - probably vastly more secure than any other password-based authentication you ever do on the Internet. Finally, all of Clipperz's code is open source - since, as you doubtless know, security by secrecy is the worst security of all.

The screenshot shows the simple interface that you see once you're logged in. It's a straightforward "rolodex" of information. Down the left side run the names of your "cards"; click the name of a card and you're shown its "fields." I'm not afraid to show you this because the password field is always portrayed as six stars, which you can copy (using Command-C, not Control-C as stated in the screenshot) to paste into the password field of a Web form, which is presumably open in another window. (If you're on a public machine, remember to copy something else onto the clipboard later, so as not to leave your password there in cleartext.) You can also "unscramble" the password, showing it directly in cleartext; this is safe as long as no enemy spies are sitting behind you.

Naturally, online passwords are not the only data you might store securely this way. You could keep credit card numbers or anything else you might need while online. A card's fields are customizable, so you can set up a card to display whatever might be appropriate for a particular datum.

Another cute feature is that you can set up "one-time passwords." These are login passphrases for that are deleted as soon as they are used. As every reader of spy novels knows, a one-time pad is the most secure form of encryption. So if you're in a public space, use one of your one-time passwords; even if a spy sitting behind you can memorize your finger movements on the keyboard, that knowledge will be useless.

And here's the icing on the cake. I've said that the encryption and decryption happens in the browser; I've also said that the data stored at is encrypted. Hence, there is no loss of security if you store the data from on your machine. And that is just what Clipperz allows you to do. You can download a (very large) Web page containing the encrypted data and all the JavaScript. When you open that Web page with your browser, it's exactly like talking to - you still have to log in with your username and passphrase - but you're not talking to; you're working offline. So this one downloaded Web page is doing for me everything that my password keeper application was doing previously! The only thing missing is editability; you're working with a read-only copy of your data. Pretty slick, eh?

Clipperz isn't perfect. Copying the scrambled password doesn't work reliably - but the Clipperz folks are working on a new Web interface, currently called the "gamma," which solves that problem. The interface for some operations, such as entering multiple cards by importing from a text file, is highly confusing (I succeeded, but only after much experimentation). The overall interface is, alas, clumsy on an iPhone; there is a mobile version of the Web interface, but it doesn't work for me at all. Finally, there's a promising feature called "direct login" that lets you click a link and automatically, with no further action on your part, go to the target Web site's login page, enter your username and password, and submit the form; but it doesn't work for all Web sites, and the interface for editing a direct login is somewhere between clumsy and non-existent (though this, too, is nicely solved in the new "gamma" interface).

Quibbles aside, I've found Clipperz a tremendous help in my daily Web life. It lets you access your online passwords, online, regardless of what computer you're using. It's free, it's open source, it's safe and secure, it's ingenious, and it's way cool. What more could you ask? Perhaps you'll give it a try, and you, too, will be wondering why no one told you about this sooner.


Try productivity tools from Smile that will make your job easier!
PDFpen: PDF toolkit for busy pros on Mac, iPhone, and iPad.
TextExpander: Your shortcut to accurate writing on Mac, Windows,
and iOS. Free trials and friendly support. <>

Comments about Clipperz Does the Impossible: A Safe Online Password Manager
(Comments are closed.)

Jonathan  2010-02-23 11:10
Matt, have you considered LastPass? It seems to be at least as secure as Clipperz, and the user interface seems more polished. If you think Clipperz is better than LastPass, why?
This seems like something similar to What I like about SGP is that there is NO database, no info about you is kept, encrypted or otherwise. It's just a teeny bit of JavaScript, and generates random passwords based on your passphrase + the base URL of the site you're on. Works on all browsers, + iPhone. Really nice.
Matt Neuburg  An apple icon for a TidBITS Staffer 2010-02-23 12:51
Hey, if there are other possibilities I could try, that's great! I just didn't know about them; Clipperz is the one I stumbled on, and the underlying technology seems really brilliant.
Dave Polaschek  2010-02-23 16:33
Password Wallet can also generate a password-protected bookmarklet you can put on your iPhone or on the web. It's what I've been using for a while.
Ethan Schoonover  2010-02-23 14:13
I'm still on 1password but if I was going to go for web-based password management, it would be lastpass (i've been testing it out, UI not as nice as native 1password, but it's got some super features).

Lastpass is also host-proof-hosting based (client side encrypt). Plus supports some very nice multifactor authentication methods including yubikey.

And if you're in a shared password situation (i.e. server management) lastpass has some nice facilities for that, as well as device management (e.g. demand multifactor from desktop, lock iPhone login to single device ID).
Patrick Houlihan  2010-02-23 15:55
I've been using LastPass for a couple of weeks. I've been happy with the UI and I've highly recommended it to several friends.
Ashley Jones  2010-02-23 19:35
It seems like folks are discussing other options already, but my two cents is to use KeePass + DropBox. KeePass is a great, open source password keeper that works on *all* platforms (os x, linux, windows, android, iphone, palm etc.) and DropBox works on just about everything as well. Here's my little blog post I wrote on the KeePass/DropBox Combo:
You know, I though 1password+Dropbox was about as cool as it got. is pretty amazing though. I just love the idea of it. Completely self-contained secure passwords. Wow.
Tim Crawford  2010-02-24 04:32
Thanks for the reminder, I too heard the ITConversions podcast. I also like all the comments mentioning other services (now I have more to read and learn though). One question about supergenpass. Couldn't someone reverse engineer the algorithm, making the whole thing only as secure as the master password?
What do you mean? Of course it is only as secure as the master password. That's true of everything. The thing is, it is impossible to get from the ENCODED password to the master password. This is true of all modern encryption schemes.

And there is no 'reverse engineering' the code is completely open source.
Tom Hawkins  2010-02-25 02:57
Clipperz and the alternatives suggested here sound very nifty and I'm going to check them out, but isn't copying your password in clear text via the clipboard a bit of a security hole? Any other application can read it while it's there, and how securely are the previous contents deleted when you Copy something else? Not to mention what if you happen to use a computer that has some kind of clipboard enhancer installed that lets you keep multiple copied items.

I don't know if there's a neat solution that avoids displaying the password in clear text - maybe allowing copy/paste in several chunks in random order (e.g. copy chunk 1 and paste it, then copy chunk 2 and paste it before chunk 1, then copy chunk 3 and paste it at the end, etc)
David Magnuson  2010-03-01 15:39
I use and like LastPass. It offers a number of tools to prevent key-logging: a virtual keyboard you "type" on by clicking with a mouse; one-time passwords, which won't compromise your "vault" if revealed during a log-in, since they won't work a second time; an option to require additional measures, such as the presence of a program on a USB drive, or a challenge-and-response set of characters from a preprinted grid you keep with you.
LastPass lets you customize your preferences by computer: at your home desktop, you may want to stay logged-on as long as the browser is open; on a laptop, you may want to automatically log-off after a couple minutes of keyboard inactivity.
LastPass also has a well thought-out form-filling function, for completing addresses, account numbers, and so on.
One shortcoming of the web-based programs, however, is that they can only log-in via the browser; you can't automatically supply the password to an encrypted local file or folder, for example.
Actually, LastPass for Applications is in beta now... so passwords outside the browser is almost there. :)
Joe Kissell  An apple icon for a TidBITS Staffer 2010-03-01 10:28
It's also worth noting that the top password keeper on the Mac, 1Password, has long had exactly the same capability. Choose File > Export All > Encrypted Web Page, and that's what you get - a Web page with all your data encrypted, plus decryption code in JavaScript, just like in Clipperz. You can just put this HTML page in your iDisk or Dropbox or whatever, and that's that. Plus, 1Password addresses some of your other complaints about Clipperz (fantastic iPhone interface, etc). It's not free or open-source, but I find it to be the most flexible current option, and the one that's easiest to use under the circumstances in which I typically need my passwords.
Seth Elgart  2010-03-02 06:08
In fact, you don't even need to do the export step. I keep my 1Password keychain in my Dropbox folder. Any changes to 1Password are (almost) instantly available, and if I go to someone else's computer I can simply log in to my Dropbox and open up my 1Password keychain. There's a password protected html file there which will open in any browser and which resembles the native 1Password experience.
Way too complicated. I will stick with 1Password on the MAC and Roboform, Roboform to Go on the PC. They also have Roboform Online and the capability to sync your passwords with multiple computers. All of this syncs so perfectly and available anywhere, even on a MAC using the online version. No MAC desktop version yet, but I suspect they are working on it. Did I mention an iPhone version is also available for free.
Simple-minded question: How much risk am I taking in letting Firefox keep my passwords? (Granted, it's less convenient than web-based solutions since I don't have access from other computers; I'm just wondering about security.) Also, what are the chances that any of the web-based password keepers discussed would decide one day to start charging or do something else to hold your passwords for "ransom"?
Quentin North  2010-03-02 10:15
My concern about any of these web based solutions that require javascript decryption is that they will mostly not work in countries where the internet is not fast or the pcs are not very performant.
I did find one problem with these JS based password generators. If your site uses HTTP AUTH (if a sheet drops down in the browser or a window opens instead of getting a login/password field) then you cannot activate the javascript to regenerate the password.