Clipperz Does the Impossible: A Safe Online Password Manager
For safety’s sake, I use a different, randomly generated password for every Web form I encounter. Since I don’t know any of these passwords, I store them, password-protected, using a password keeper application. But this technique, although it’s pretty secure (unless someone sneaks into my house and bonks me over the head while the password keeper is open), works only if I’m sitting at my own computer. How can I access these passwords safely and securely from any computer?
I first heard about Clipperz on an IT Conversations podcast, and my immediate reaction was, “Why didn’t anyone tell me about this sooner?” Clipperz is a Web application, so you navigate to it in a browser; thus, you have access to your online passwords exactly when you need them, namely, whenever you’re online. When you arrive at the clipperz.com Web site, you enter your username and a master passphrase; the guessability of this combination is the weakest link in the chain, of course, so you should use a rather long and unnatural passphrase. However, the passphrase itself is not sent to clipperz.com during login. In fact, clipperz.com doesn’t know your username, your master passphrase, or any of your passwords!
apparent weakest link, the initial password-based authentication, uses Secure Remote Password (SRP) authentication, which is itself zero-knowledge (clipperz.com knows only a public key derived from your username and passphrase), and is as secure as password-based authentication can possibly be – probably vastly more secure than any other password-based authentication you ever do on the Internet. Finally, all of Clipperz’s code is open source – since, as you doubtless know, security by secrecy is the worst security of all.
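To make the zero-knowledge claim concrete, here is a compact SRP-6a exchange written for this article (added example, not Clipperz’s own code): at sign-up the server receives only a salt and a verifier g^x, and at login the two sides arrive at the same session key without the passphrase ever leaving the client. It uses SHA-256 and the 1024-bit group from RFC 5054 (transcribed here), and skips the RFC’s byte-padding rules, so it is for illustration rather than interoperability.

```python
import hashlib
import secrets

# RFC 5054 1024-bit SRP group (transcribed; use a vetted library group in production)
N = int("".join("""
EEAF0AB9 ADB38DD6 9C33F80A FA8FC5E8 60726187 75FF3C0B 9EA2314C
9C256576 D674DF74 96EA81D3 383B4813 D692C6E0 E0D5D8E2 50B98BE4
8E495C1D 6089DAD1 5DC7D7B4 6154D6B6 CE8EF4AD 69B15D49 82559B29
7BCF1885 C529F566 660E57EC 68EDBC3C 05726CC0 2FD4CBF4 976EAA9A
FD5138FE 8376435B 9FC61D2F C0EB06E3""".split()), 16)
g = 2

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter

def private_x(username: str, passphrase: str, salt: bytes) -> int:
    """x = H(salt | H(username:passphrase)); computed only on the client."""
    return H(salt, hashlib.sha256(f"{username}:{passphrase}".encode()).digest())

def register(username: str, passphrase: str) -> dict:
    """Sign-up: the record the server stores holds a salt and verifier, never the passphrase."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt, "verifier": pow(g, private_x(username, passphrase, salt), N)}

def login(record: dict, passphrase: str) -> tuple:
    """One SRP exchange; returns (client_key, server_key), equal only if passphrase is right."""
    I, salt, v = record["username"], record["salt"], record["verifier"]
    a = secrets.randbelow(N - 2) + 1           # client ephemeral secret
    A = pow(g, a, N)                           # client -> server: I, A
    b = secrets.randbelow(N - 2) + 1           # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N             # server -> client: salt, B
    u = H(to_bytes(A), to_bytes(B))            # scrambling parameter, both sides
    if A % N == 0 or u == 0:
        raise ValueError("abort: degenerate ephemeral value")
    x = private_x(I, passphrase, salt)         # client recomputes x from its passphrase
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(b(a+ux))
    s_server = pow(A * pow(v, u, N) % N, b, N)                 # = g^(b(a+ux)) via verifier only
    return (hashlib.sha256(to_bytes(s_client)).hexdigest(),
            hashlib.sha256(to_bytes(s_server)).hexdigest())
```

Note that the server side of `login` touches only `A`, `v`, and its own `b`; a stolen server record yields the verifier, which still has to be brute-forced against the salted passphrase.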
The screenshot shows the simple interface that you see once you’re logged in. It’s a straightforward “rolodex” of information. Down the left side run the names of your “cards”; click the name of a card and you’re shown its “fields.” I’m not afraid to show you this because the password field is always portrayed as six stars, which you can copy (using Command-C, not Control-C as stated in the screenshot) to paste into the password field of a Web form, which is presumably open in another window. (If you’re on a public machine, remember to copy something else onto the clipboard later, so as not to leave your password there in cleartext.) You can also “unscramble” the password, showing it directly in cleartext; this is safe as long as no enemy spies are sitting behind you.
Naturally, online passwords are not the only data you might store securely this way. You could keep credit card numbers or anything else you might need while online. A card’s fields are customizable, so you can set up a card to display whatever might be appropriate for a particular datum.
Another cute feature is that you can set up “one-time passwords.” These are login passphrases for clipperz.com that are deleted as soon as they are used. As every reader of spy novels knows, a one-time pad is the most secure form of encryption. So if you’re in a public space, use one of your one-time passwords; even if a spy sitting behind you can memorize your finger movements on the keyboard, that knowledge will be useless.
previously! The only thing missing is editability; you’re working with a read-only copy of your data. Pretty slick, eh?
Clipperz isn’t perfect. Copying the scrambled password doesn’t work reliably – but the Clipperz folks are working on a new Web interface, currently called the “gamma,” which solves that problem. The interface for some operations, such as entering multiple cards by importing from a text file, is highly confusing (I succeeded, but only after much experimentation). The overall interface is, alas, clumsy on an iPhone; there is a mobile version of the Web interface, but it doesn’t work for me at all. Finally, there’s a promising feature called “direct login” that lets you click a link and automatically, with no further action on your part, go to the target Web site’s login page, enter your username and password, and submit the form; but it doesn’t work for all Web sites, and the interface for editing a direct login is somewhere between clumsy and non-existent (though this, too, is nicely solved in the new “gamma” interface).
Quibbles aside, I’ve found Clipperz a tremendous help in my daily Web life. It lets you access your online passwords, online, regardless of what computer you’re using. It’s free, it’s open source, it’s safe and secure, it’s ingenious, and it’s way cool. What more could you ask? Perhaps you’ll give it a try, and you, too, will be wondering why no one told you about this sooner.
Matt, have you considered LastPass? It seems to be at least as secure as Clipperz, and the user interface seems more polished. If you think Clipperz is better than LastPass, why?
Hey, if there are other possibilities I could try, that's great! I just didn't know about them; Clipperz is the one I stumbled on, and the underlying technology seems really brilliant.
Password Wallet can also generate a password-protected bookmarklet you can put on your iPhone or on the web. It's what I've been using for a while.
I'm still on 1password but if I was going to go for web-based password management, it would be lastpass (I've been testing it out, UI not as nice as native 1password, but it's got some super features).
Lastpass is also host-proof-hosting based (client side encrypt). Plus supports some very nice multifactor authentication methods including yubikey.
And if you're in a shared password situation (i.e. server management) lastpass has some nice facilities for that, as well as device management (e.g. demand multifactor from desktop, lock iPhone login to single device ID).
I've been using LastPass for a couple of weeks. I've been happy with the UI and I've highly recommended it to several friends.
It seems like folks are discussing other options already, but my two cents is to use KeePass + DropBox. KeePass is a great, open source password keeper that works on *all* platforms (os x, linux, windows, android, iphone, palm etc.) and DropBox works on just about everything as well. Here's my little blog post I wrote on the KeePass/DropBox Combo: http://plip.com/blog/keep-those-passwords-safe/.
You know, I thought 1password+Dropbox was about as cool as it got. supergenpass.com is pretty amazing though. I just love the idea of it. Completely self-contained secure passwords. Wow.
Thanks for the reminder, I too heard the IT Conversations podcast. I also like all the comments mentioning other services (now I have more to read and learn though). One question about supergenpass. Couldn't someone reverse engineer the algorithm, making the whole thing only as secure as the master password?
What do you mean? Of course it is only as secure as the master password. That's true of everything. The thing is, it is impossible to get from the ENCODED password to the master password. This is true of all modern encryption schemes.
And there is no 'reverse engineering'; the code is completely open source.
Clipperz and the alternatives suggested here sound very nifty and I'm going to check them out, but isn't copying your password in clear text via the clipboard a bit of a security hole? Any other application can read it while it's there, and how securely are the previous contents deleted when you Copy something else? Not to mention what if you happen to use a computer that has some kind of clipboard enhancer installed that lets you keep multiple copied items.
I don't know if there's a neat solution that avoids displaying the password in clear text - maybe allowing copy/paste in several chunks in random order (e.g. copy chunk 1 and paste it, then copy chunk 2 and paste it before chunk 1, then copy chunk 3 and paste it at the end, etc)
I use and like LastPass. It offers a number of tools to prevent key-logging: a virtual keyboard you "type" on by clicking with a mouse; one-time passwords, which won't compromise your "vault" if revealed during a log-in, since they won't work a second time; an option to require additional measures, such as the presence of a program on a USB drive, or a challenge-and-response set of characters from a preprinted grid you keep with you.
LastPass lets you customize your preferences by computer: at your home desktop, you may want to stay logged-on as long as the browser is open; on a laptop, you may want to automatically log-off after a couple minutes of keyboard inactivity.
LastPass also has a well thought-out form-filling function, for completing addresses, account numbers, and so on.
One shortcoming of the web-based programs, however, is that they can only log-in via the browser; you can't automatically supply the password to an encrypted local file or folder, for example.
Actually, LastPass for Applications is in beta now... so passwords outside the browser is almost there. :)
In fact, you don't even need to do the export step. I keep my 1Password keychain in my Dropbox folder. Any changes to 1Password are (almost) instantly available, and if I go to someone else's computer I can simply log in to my Dropbox and open up my 1Password keychain. There's a password protected html file there which will open in any browser and which resembles the native 1Password experience.
Way too complicated. I will stick with 1Password on the Mac and Roboform, Roboform to Go on the PC. They also have Roboform Online and the capability to sync your passwords with multiple computers. All of this syncs so perfectly and is available anywhere, even on a Mac using the online version. No Mac desktop version yet, but I suspect they are working on it. Did I mention an iPhone version is also available for free?
Simple-minded question: How much risk am I taking in letting Firefox keep my passwords? (Granted, it's less convenient than web-based solutions since I don't have access from other computers; I'm just wondering about security.) Also, what are the chances that any of the web-based password keepers discussed would decide one day to start charging or do something else to hold your passwords for "ransom"?