For safety’s sake, I use a different, randomly generated password for every Web form I encounter. Since I don’t know any of these passwords, I store them, password-protected, using a password keeper application. But this technique, although it’s pretty secure (unless someone sneaks into my house and bonks me over the head while the password keeper is open), works only if I’m sitting at my own computer. How can I access these passwords safely and securely from any computer?
I first heard about Clipperz on an IT Conversations podcast, and my immediate reaction was, “Why didn’t anyone tell me about this sooner?” Clipperz is a Web application, so you navigate to it in a browser; thus, you have access to your online passwords exactly when you need them, namely, whenever you’re online. When you arrive at the clipperz.com Web site, you enter your username and a master passphrase; the guessability of this combination is the weakest link in the chain, of course, so you should use a rather long and unnatural passphrase. However, the passphrase itself is not sent to clipperz.com during login. In fact, clipperz.com doesn’t know your username, your master passphrase, or any of your passwords!
apparent weakest link, the initial password-based authentication, uses Secure Remote Password (SRP) authentication, which is itself zero-knowledge (clipperz.com knows only a public key derived from your username and passphrase), and is as secure as password-based authentication can possibly be – probably vastly more secure than any other password-based authentication you ever do on the Internet. Finally, all of Clipperz’s code is open source – since, as you doubtless know, security by secrecy is the worst security of all.
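To make the SRP point concrete, here is an added illustration of my own (not Clipperz’s code, which I have not reproduced): an SRP-6a login simulated in Python with both sides in one process. The server stores only a salt and the verifier g^x, the messages on the wire are the username, A, the salt and B, and the passphrase and x never leave the client. The 1024-bit group from RFC 5054 and SHA-256 as the hash are assumptions of this example, not details taken from Clipperz.

```python
import hashlib
import secrets

# 1024-bit SRP group (N, g) from RFC 5054 Appendix A; assumed here, any safe prime works.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
        "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
        "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
        "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
WIDTH = (N.bit_length() + 7) // 8   # integers are hashed as fixed-width big-endian bytes

def H(*parts) -> int:
    """SHA-256 over the parts (bytes as-is, ints padded to the group width)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(WIDTH, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)   # SRP-6a multiplier, fixed per group

def private_x(username: str, passphrase: str, salt: bytes) -> int:
    """x = H(salt, H(username:passphrase)); computed only in the browser, never sent."""
    return H(salt, hashlib.sha256(f"{username}:{passphrase}".encode()).digest())

def enroll(username: str, passphrase: str) -> tuple[bytes, int]:
    """Signup: the server receives and stores only the salt and the verifier v = g^x."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, passphrase, salt), N)

def login(username: str, passphrase: str, salt: bytes, verifier: int):
    """One SRP login. Returns (client_key, server_key, wire); wire is every byte sent."""
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                               # client -> server
    B = (k * verifier + pow(g, b, N)) % N          # server -> client
    if A % N == 0 or B % N == 0:                   # RFC 5054 abort conditions
        raise ValueError("degenerate public value")
    u = H(A, B)                                    # both sides, from public values only
    x = private_x(username, passphrase, salt)      # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)   # server never sees x
    wire = [username.encode(), A.to_bytes(WIDTH, "big"), salt, B.to_bytes(WIDTH, "big")]
    return H(S_client), H(S_server), wire

if __name__ == "__main__":
    salt, v = enroll("alice", "a long and unnatural passphrase")   # constructed sample
    ck, sk, _ = login("alice", "a long and unnatural passphrase", salt, v)
    print("session keys match:", ck == sk)
```

A wrong passphrase on the client side produces a different x, so the two session keys disagree and the server rejects the login without ever having held the passphrase or a hash of it.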
The screenshot shows the simple interface that you see once you’re logged in. It’s a straightforward “rolodex” of information. Down the left side run the names of your “cards”; click the name of a card and you’re shown its “fields.” I’m not afraid to show you this because the password field is always portrayed as six stars, which you can copy (using Command-C, not Control-C as stated in the screenshot) to paste into the password field of a Web form, which is presumably open in another window. (If you’re on a public machine, remember to copy something else onto the clipboard later, so as not to leave your password there in cleartext.) You can also “unscramble” the password, showing it directly in cleartext; this is safe as long as no enemy spies are sitting behind you.
Naturally, online passwords are not the only data you might store securely this way. You could keep credit card numbers or anything else you might need while online. A card’s fields are customizable, so you can set up a card to display whatever might be appropriate for a particular datum.
Another cute feature is that you can set up “one-time passwords.” These are login passphrases for clipperz.com that are deleted as soon as they are used. As every reader of spy novels knows, a one-time pad is the most secure form of encryption. So if you’re in a public space, use one of your one-time passwords; even if a spy sitting behind you can memorize your finger movements on the keyboard, that knowledge will be useless.
previously! The only thing missing is editability; you’re working with a read-only copy of your data. Pretty slick, eh?
Clipperz isn’t perfect. Copying the scrambled password doesn’t work reliably – but the Clipperz folks are working on a new Web interface, currently called the “gamma,” which solves that problem. The interface for some operations, such as entering multiple cards by importing from a text file, is highly confusing (I succeeded, but only after much experimentation). The overall interface is, alas, clumsy on an iPhone; there is a mobile version of the Web interface, but it doesn’t work for me at all. Finally, there’s a promising feature called “direct login” that lets you click a link and automatically, with no further action on your part, go to the target Web site’s login page, enter your username and password, and submit the form; but it doesn’t work for all Web sites, and the interface for editing a direct login is somewhere between clumsy and non-existent (though this, too, is nicely solved in the new “gamma” interface).
Quibbles aside, I’ve found Clipperz a tremendous help in my daily Web life. It lets you access your online passwords, online, regardless of what computer you’re using. It’s free, it’s open source, it’s safe and secure, it’s ingenious, and it’s way cool. What more could you ask? Perhaps you’ll give it a try, and you, too, will be wondering why no one told you about this sooner.