Co-founder of Clipperz, Marco Barulli, recently contacted Read/WriteWeb to let us know about their recently launched online password manager - available in both English and Japanese. In this age of social networks, the Web Office and Best of Breed web apps, it can get tricky to keep track of all your usernames and passwords. I tend to rely on Firefox to store these, but even then I find myself cursing at the computer more often than I should, due to a forgotten username/password that got cleared out of the cache (or I'm testing out a new browser, etc). This is where services like Clipperz, and its direct competitor PassPack, come in.
But is managing your passwords enough of a 'value add' service, given that browsers do much of it already and OpenID is also solving some of those issues in the web 2.0 world? I wouldn't think so, and perhaps this is why Clipperz markets itself as being able "to store and freely organize any kind of confidential textual information" - not only passwords, but also "confidential notes, burglar alarm codes, credit and debit card details, PINs, software keys, and so on."
Clipperz also has an answer to the obvious question: can I trust you with my personal data? Clipperz says that user data is encrypted by the browser before being uploaded. In other words, Clipperz doesn't hold your personal data in its original form. It is encrypted first, using a "passphrase" that is known only to the user.
PassPack is a similar service, styling itself as an "Online Privacy Manager". With PassPack you can "organize and store passwords, private notes, links and much more to come".
But there is still the over-riding question: why use another web app for password management when a) your browser handles this; and b) OpenID is increasingly being used for this function too? Allen Stern wrote about Clipperz a couple of months ago and an interesting back and forth ensued in the comments between representatives from Clipperz and PassPack, which addressed these issues. Tara Kelly from PassPack said in the comments that both Firefox and Internet Explorer have security holes in their password storage, hence you should use Clipperz or PassPack. Tara also said that OpenID and Password Managers solve two different problems:
"OpenID = authentication (no security implied)
Password Manager = secure storage (no authentication implied)"
These are good points, but probably not sufficient to convince me to use Clipperz or PassPack.
I don't think I need a service like Clipperz or PassPack, although both seem very sophisticated apps. Perhaps their real use will be as an intermediary service that enables more private third party web apps. Indeed Marco has a term for this - "zero-knowledge" web apps, which he says is a new breed of web application. Basically zero-knowledge web apps are ones that don't store your private data as plain text, but encrypt it before it reaches their server. And this is where Clipperz comes in, as it does the encryption part on the browser. It sounds complicated, but Marco says that "the "zero-knowledge" paradigm could be used for a wide range of applications: a personal finance manager, a confidential to-do list, patient records for physicians, etc".
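The "encrypt in the browser, upload only ciphertext" model described above, as an added example that is not Clipperz or PassPack code. It runs under Node's built-in `crypto` module so it is self-contained; the choice of PBKDF2 and AES-256-GCM, the iteration count and the uploaded blob format are all assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumed work factor for PBKDF2-HMAC-SHA256; not a value taken from either service.
const KDF_ITERATIONS = 600000;

// Stretch the passphrase into a 256-bit key. Only the random salt is ever uploaded.
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, "sha256");
}

// Client side: build the blob that is uploaded (hypothetical wire format).
function encryptRecord(passphrase, record) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce per record, never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(record), "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Client side: throws if the passphrase is wrong or the stored blob was modified.
function decryptRecord(passphrase, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, "base64")), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// What the server, or anyone who copies its database, can attempt without the passphrase.
function canDecrypt(passphrase, blob) {
  try {
    decryptRecord(passphrase, blob);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample record and passphrase.
const sample = { label: "burglar alarm", secret: "4921#" };
const uploaded = encryptRecord("correct horse battery staple", sample);
console.log("uploaded to server:", uploaded);
console.log("wrong passphrase decrypts:", canDecrypt("guess", uploaded));
```

The server-side guarantee holds only for the stored blob: the user still depends on the service delivering the same encryption code each time the page loads.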
So while I don't necessarily see a need for Clipperz and PassPack as another web service for me to sign up for, I can see such services being useful for other web apps. I was actually thinking of a use case for this today - online accounting services. Now I am definitely in need of an online accounting service, because I have had problems with my current desktop accounting software. But I am hesitant about uploading my financial data to someone else's server. But what if I could be assured that my data is encrypted before it is uploaded? Well that might be the tipping point for people like me to 'trust' web apps with their personal and sensitive data.
What do you think about services like Clipperz and PassPack? Do you see a need for them, now and in the near future?
Comments
Richard,
your analysis goes right to the real point: do we really need to trust web service providers with our data? Clipperz proves that this is not always true.
A password manager is just a small example, but I would love to develop a complete suite of "zero-knowledge" web applications:
- password manager
- personal accounting and finance manager
- "confidential" word processor
- private to-do list manager
- private calendar
- ...
Thanks again for your kind review and for your thoughts,
best regards,
Marco
Clipperz co-founder
Posted by: Marco Barulli | June 13, 2007 2:54 AM
PassPack is a life saver - yeah your browser handles it but when you use more than one computer and don't want your stuff remembered by one that's shared - PassPack rocks the house.
Plus using PassPack means I can now use much stronger passwords without fear of forgetting them. It's useful for me particularly as I'm in charge of lots of websites and with each comes ftp, wordpress, api keys etc etc.
Posted by: Paul Burgess | June 13, 2007 3:40 AM
There are lots of problems with Firefox password storage - not least of which is that, by default, they're accessible with minimal effort to anyone who gets on your computer. Try it: tools -> options -> security -> show passwords.
Reformatting and multiple computers make these apps pretty useful. I've got years' worth of stored passwords in my browser, many of which I would never remember. When I reinstalled Windows, I had to download a special Firefox plugin that allows you to export/import passwords.
Posted by: rmatei | June 13, 2007 3:44 AM
There are many other password managers. I have been using Roboform for several years and couldn't be happier. When I started using Roboform there was no alternative; to switch to another password manager I would need to be told how is it better than Roboform.
Posted by: zamolxis | June 13, 2007 3:45 AM
I just tried Clipperz on the back of this article, and to my mind it's just too complicated.
I spent a fair bit of time reading about all the different features, but to actually start using it to store passwords, I got bored by about the third page of text heavy instructions and gave up. It's a great idea, but spoilt by an overly long winded and cluttered approach.
Good luck though.
Posted by: Jack | June 13, 2007 5:08 AM
I don't see why you would ever need an application to support your storage of passwords when you can implement something similar using a simple self-invented system based on a book on the shelf that only you know you are using for the purpose. If you lose it you can always buy another.
By the way the name Clipperz may not be the most fortunate in this area if one is old enough to remember the controversy over the Clipper chip.
I like the idea of user-submitted data being encrypted with a clientside-supplied encryption module though. That's pretty visionary and ties in somewhat with the ideal of empowering users to stay in control of their own data at all times.
Posted by: Kristoffer Nilaus Olsen | June 13, 2007 5:19 AM
I agree that I don't see it being important enough to be a separate service. I find that this service described by Jon Udell solves most of my password problems.
It doesn't store any passwords on my machine, just uses a passphrase I remember and combines it with the hostname of the site to create a different password for each website I use. I only have to remember one passphrase and I can access my passwords from any computer I use.
Posted by: Adrian McEwen | June 13, 2007 5:47 AM
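The passphrase-plus-hostname scheme described in the comment above, as an added example that is not part of the original comment and not the code of the service it mentions. The KDF, iteration count, hostname normalisation and the rotation counter are assumptions chosen for illustration.

```javascript
const crypto = require("node:crypto");

// Assumed normalisation: take the host part, lower-case it and drop a leading "www."
// so the login page URL and the bare domain give the same password.
function siteKey(urlOrHost) {
  const host = urlOrHost.includes("://") ? new URL(urlOrHost).hostname : urlOrHost;
  return host.toLowerCase().replace(/^www\./, "");
}

// Derive the per-site password. Nothing is stored; the same inputs always give the
// same output. The counter (hypothetical parameter) lets one site's password be rotated.
function sitePassword(passphrase, urlOrHost, counter = 1, length = 16) {
  const salt = `${siteKey(urlOrHost)}#${counter}`;
  // Slow KDF: a password leaked by one site is otherwise a cheap oracle for
  // guessing the passphrase that unlocks every other site.
  const raw = crypto.pbkdf2Sync(passphrase, salt, 600000, 32, "sha256");
  return raw.toString("base64url").slice(0, length);
}

// Constructed inputs.
const passphrase = "constructed example passphrase";
console.log(sitePassword(passphrase, "https://www.example.com/login"));
console.log(sitePassword(passphrase, "example.org"));
```

Because every site password is a function of the one passphrase, changing the passphrase means changing the password on every site, which is the trade-off against an encrypted store.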
@ Kristoffer
From Clipperz FAQ
"What does Clipperz mean?
Actually we re-used Clipperz name from a different project.
But then we liked the fact that “clipperZ” sounds like an hacker/anarchist jargon word. To us, it makes fun of the whole original clipper chip concept. But no Big Brother here, just your “clipZ” of private information to protect!"
Regards,
your visionary friends at Clipperz
Posted by: Marco Barulli | June 13, 2007 6:00 AM
What I really need (and use RoboForm for at the moment) is the auto-fill function. Yes, I know security of my personal data should be my primary concern, but easy access is the thing that makes me use a 3rd app for password managing.
During a day's work I use 42 (42!) different log-ins... If I didn't have auto-fill I would probably spend min. 1 hour every day, just logging in.
Posted by: Marie Bach | June 13, 2007 6:56 AM
I like the idea of using a service like Clipperz or PassPack however I still feel a little bit leery. I'm sure that their encryption and security efforts are fine and may never be an issue. I just don't like the idea of having all of my passwords, CC info, etc. stored somewhere that could be hacked into.
Also, what happens if you have sensitive information that you need but don't have access to an internet connection?
These are the reasons I still use KeePass on a flash drive stored safely in my pocket.
Posted by: Huckleberry | June 13, 2007 7:47 AM
@ Huckleberry
With just one click you can dump all your encrypted data from Clipperz servers to your hard disk and create a read-only version of Clipperz to be used when you are offline.
The read-only version is as secure as the read-and-write one and will not expose your data to higher risks since they both share the same code and security architecture.
And you can move the offline copy of Clipperz to flash drive as well. Read more here.
Posted by: Marco Barulli | June 13, 2007 8:42 AM
Identity on the web is a real pain.
I've tried a number of solutions from account aggregation (like www.ewise.com.au) though to offline sync apps to password managers like RoboForm and the one that comes with my fingerprint reader but they're all suboptimal and have a poor user experience.
Either they're not truly portable, or they're not robust/secure enough for comfort, or they don't integrate with "everything" (browser, local apps, windows authentication), or they're not properly "full circle" guiding you through registration and password creation.
I'd love a small Bluetooth dongle (with a USB connector for backup, and a small screen to display the password as a last resort) I can take everywhere with me, which coupled with a small app on the PC manages this. Perhaps my Windows Smartphone should be that device (as it's with me all the time), or maybe a federated ID system that looks for the rfid chip in my brain!
Posted by: OffBeatMammal | June 13, 2007 9:27 AM
Hi Richard MacManus,
You have initiated an interesting debate - is there any real need for a Password Manager Software or not.
Well, if it is for personal use, that is, your requirement is to manage your personal passwords such as credit card numbers, PIN, bank account numbers and a few system level login passwords, you may not find a big need for Password Managers. You can live with utilities such as remember password option provided by browsers.
But, even here, most of us are really drowning in Passwords on day-to-day life. We are to deal with hundreds of passwords at various levels. Password Managers make our life easier, besides ensuring a great level of security for the passwords.
On the next level, think of the job of IT administrators / system administrators / network administrators. They deal with thousands of passwords - server passwords, db passwords, device passwords, application passwords and so on , which are very sensitive.
It is impossible for any human being to remember them. So, in most cases, they tend to write down the passwords on paper and circulate the paper amongst themselves. Some others might store the passwords as a text file in their system.
This is definitely prone to attack by identity thieves, who could easily hack them. So, for efficiently managing the enterprise passwords, Password Managers are definitely helpful. They store the passwords in a secure, centralized repository in encrypted form. They save a lot of time and help avoid frustration.
Nowadays, a lot of financial institutions come up with a need for 'ownership' concept for passwords. That is, the passwords are to be owned only by one person and they are to be shared to a few others on need basis. This sharing can be efficiently done by Password Managers.
Besides, Password Managers help in enforcement of standard password management policies across the organization.
There are a few Password Managers available in the market specifically for enterprise use. ManageEngine PasswordManager Pro (PMP) (for which I work), is one among those softwares. Check out http://www.passwordmanagerpro.com for more details. PMP offers all the advantages mentioned above.
My post has become so big, so let me stop here! Add your thoughts to this interesting debate initiated by Richard MacManus!
Bala
Posted by: Bala | June 13, 2007 10:16 AM
Hello Richard,
You asked "But is managing your passwords enough of a 'value add' service?"
Excellent question. Honestly, it depends a lot on the person. However, for more advanced users, I don't think "just a password manager" is enough.
PassPack is styling itself as a Privacy Manager. This is a concept we've just begun to introduce, and have a bit of road to travel. What you see online now is, indeed, little more than a password manager.
I'll be attending the London OpenCoffee tomorrow (June 14) and we'll be talking about just this - what is a privacy manager, what solution it provides, and how PassPack will become that. If you're in London, it would be great if you could stop by. But if not, I'll be posting about this on the PassPack blog in a day or so and I'll post a link here.
But, off the bat I can tell you, yes, there is a lot of room for third party integration. And we have a lot of ideas on how to do that. Good to see some more suggestions too in the comments.
Many of the objections/ideas that have been made in the various comments are being addressed in the next release of PassPack. So I'm glad to see we are heading in the right direction.
Cheers!
Tara
Posted by: Tara | June 13, 2007 2:25 PM
Sorry, I forgot to sign myself:
I'm Tara Kelly, PassPack founding Partner.
Cheers.
Posted by: Tara | June 13, 2007 2:26 PM
Thanks all for your comments. Tara, I'm interested in knowing more about your Privacy Manager concept. It actually sounds like Clipperz and PassPack are heading in the same direction - integration with third party apps.
I just wonder if you'll ever convince ordinary users to store all of their most sensitive data (passwords etc) using one service? It seems like a very big leap that users have to make to accept that it is indeed safe. So third party integration seems like a great idea, in that respect - because then those privacy issues are shared with the third party apps to a degree.
Posted by: Richard MacManus | June 13, 2007 3:41 PM
Now I use KeePass Password Safe (http://keepass.info/). You can try it. It's very powerful, avoids keyloggers with its drag and drop function, ... Especially, it's open source & cross platform (can use the same database in Windows & Linux)
Posted by: Thanh | June 13, 2007 6:34 PM
I think the proliferation of different passwords and user names is a really big problem for most users...but creating another user name and password to manage the other usernames and passwords might not be the solution.
The best solution is that it should just work...users should not have to deal with passwords etc. if they are on a machine they use often...and if they are using a new machine, there should be a way to access all their accounts etc.
Also there should be a distinction between important accounts (like financial accounts etc.) and unimportant accounts that don't deserve that much security.
my 2 cents...
Posted by: Jitendra | June 14, 2007 12:25 AM
Hi Richard,
Sorry I'm a little slower getting that post up than I thought... crazy week. Will post a link as soon as I can.
On convincing ordinary people to trust the password manager - it's amazing, actually people are very (overly) trusting with their personal details.
In my blog travels I've found that almost everyone already does "put all their eggs in one basket". A very common tactic is to send themselves a gmail with username and pass as a reminder. They are building their own homegrown password managers this way, except that nothing is encrypted, and all sent completely in the clear over email.
Could anything be less secure than that?
They don't make decisions on actual security - but perceived security. And a name they know inspires trust.
But the key here is that "ordinary" people don't use offline password managers, they either automatically look to get organized online, or they keep a little pen and paper agenda.
It only takes a little bit of education so that they understand that using a dedicated service is safer, and often just easier.
Great discussion going on here. Thanks for opening this up!
Posted by: Tara | June 17, 2007 10:14 AM
I'm still not entirely convinced although the developers of those sites do put forward a convincing argument. I came up with the geekiest idea for devising new passwords that are almost as good as random strings and also blogged recently about making your passwords stronger. Maybe those thoughts coupled with Passpack or some other online P/W system would be doubly useful.
http://www.sciencetext.com/making-your-passwords-stronger.html
David Bradley
Sciencetext.com
Posted by: David Bradley | June 19, 2007 3:25 AM
Judging by the interest in Sxipper, people are certainly looking for ways to better control their online identities and personal data. Sxipper, also free, combines single-click login, password generation, form filling, and built-in OpenID provision. We plan to offer alternative storage options in the future, but for now most users are satisfied with Firefox Password Manager. -Matt, product manager, Sxipper
Posted by: Matt Herdon | June 20, 2007 11:47 AM