Showing posts with label clipperz. Show all posts

Thursday, November 15, 2007

Perfect Paper Passwords

I have been listening to the Security Now podcast from the beginning. It is a really good podcast about computer or network security. It is hosted by Steve Gibson and Leo Laporte. Steve is the creator of Spinrite, a hard disk repair and maintenance utility. He is also the author of several free utilities that can be found at his website. The podcast is all about security. Sometimes I think they talk too much about Spinrite, or e-book readers and I also think Leo sometimes falls asleep during the taping because he'll ask Steve questions that Steve already addressed. But anyway, other than that, it's a really good podcast.

Lately, there has been a lot of talk about one-time-use passwords. Steve had a need for his staff to securely log into the GRC network when they are away from their home. He wanted everything to be as impenetrable as possible. Sometimes I think Steve goes overboard. He would prefer NO risk of attack, whereas I understand that there will be some risk involved. I would rather it be easier than harder. The more hoops I have to jump, the more secure it is, but you're also increasing the frustration level if you already have a low risk of someone trying to break in. I mean, who really wants to read MY email? And there are some instances where the extra hoops aren't so frustrating, like my Paypal account. You can listen to episode 115 for all the details about why he came up with this, but he wanted something that couldn't be sniffed and used again later. I think what he has come up with is very good. And I think it will work for a few different websites or systems. For example, I think this would be perfect for Passpack or Clipperz. Websites like that have the potential of being targets, and this would give one more authentication factor that would be incredibly hard to attack.

The system Steve has come up with is called "Perfect Paper Passwords", or PPP. The website has all the information about it. Steve said that someone has already used his system to create a plug-in for the Mac that will use this authentication system for logging into an OS X system. If someone comes up with something for Windows, I'd probably use it.

Also, I like my Paypal Security Key, but what Steve has come up with is better in a lot of ways. The biggest difference is cost. It doesn't cost anything to print out a card. And it will also have a low start up cost for websites too. It's just really cool. And I really hope Passpack and Clipperz will implement it, as I still use both of those sites and would enjoy the extra security.

And speaking of Passpack and Clipperz. I sent Steve feedback asking him about those two sites. He hasn't answered it yet, but he did answer someone else about a similar website called Passlet. I asked Steve what he thought of those sites, and based on his response to the Passlet question, he seems to think they are okay. But, Passlet is just plain ugly and doesn't provide nearly the same feature set as Passpack or Clipperz. Maybe Steve will still have a look at my question and answer it. I'm hoping he uses a tracker and will see this blog post. If not, I'll try again because I'd really like to know what he thinks of these sites, and maybe even compare it to Passlet.

(I realize I didn't say anything about Leo as an introduction. After all, who doesn't already know Leo?)

Monday, August 6, 2007

PassPack and Clipperz, head to head

I've talked about PassPack and Clipperz before. I have been playing with both sites over the last few months, trying to decide which one I want to use. They both have features that are necessary, like a high level of encryption. They are both easy to use. They both are easily accessible from any browser and computer. Where they differ is in the implementation. I still like the interface of PassPack better than Clipperz. To me, it just makes more sense. But Clipperz's interface is not bad either. I just prefer PassPack's.

Clipperz has had a feature called "Direct Login" for a while now. This feature allows you to click a link and have Clipperz automatically open a window (or tab) for that site, and automatically log you in, doing it in a highly secure way. They include a bookmarklet to help with the creation of the card with the necessary information for automatic logins. This, for the most part, works.

PassPack has had a similar feature in the works for a while now, and has recently released it as "Auto-login". I like the way PassPack has implemented this feature. They have a button similar to Clipperz's bookmarklet called the "PassPack It!" button. This button allows you to easily configure a website for auto-login. You first create an entry in PassPack for the site in question. After that, you click on the "Go There" button to open up the website in a new window or tab. Then you click the PassPack It! button and, if this is your first time setting up the site, it will give you instructions to click on the username field, then the password field, and then the login button. You are basically teaching the system where the fields are. After that, when you click the PassPack It! button on that website, it will automatically fill in the information and log you in.

I like PassPack's setup process, but I like the way Clipperz does it after everything is set up. Setting up direct logins for Clipperz is a bit tedious. But once it is set up, you click on one link, a new window or tab is opened to that site, and you are automatically logged in. With PassPack, however, you have to click on the "Go there" link and then click on the PassPack It! button to initiate the auto-login. A "Go there and log in" button in PassPack would make PassPack more competitive. So, right now, I'm leaning towards Clipperz again. It saves me an extra click...

Currently, I have 37 entries. Most of those sites work. But some do not. Some sites have two-step authentication. This is where you enter a username (or some other information) on a screen, and after clicking "next" or some other button, you are presented with a second screen with your password field, and they usually have other identifiable information to thwart phishing. Systems like this simply do not work with auto-login systems like Clipperz and PassPack. Maybe one day, but not now.

Then, there are sites that have a single place to log in, but do it in a funky way. Or have a window that pops up like Diet Television. Or, they have a box that slides down from the top, like Technorati does. These sites, as well as the two-step authentication ones, just don't play nice with Clipperz and PassPack.

Here is a list of sites that do work:
Boxbe
Blockbuster Online
DomainDiscover
ILetYou
OboPay
PayPerPost
Prosper

This is just a sample of ones I've set up for auto-login.

Now, when I first set up a few sites for auto-login, there were a few that Clipperz could do that PassPack could not do. Trying everything again today showed that all sites that worked in one work in the other. So, either I was screwing something up, or PassPack has made some improvements in the last couple of days. I'm not sure which. But what I do know is that I really like being able to click one button to have everything done for me. I don't know if it was designed that way, or if PassPack will fix it. Until it is fixed, I'm going to have to start using Clipperz a little more than usual.

I will, however, continue to use both. I don't like the idea, for one, of having all my eggs in one basket. Plus, Clipperz still doesn't have one-time password capability yet. PassPack currently has this feature (they call it a "Disposable Login"). I can set up a one-time password that automatically expires after a certain period of time. A period of time I can select. I can use the randomly generated password exactly one time to log into my account. It helps keep the keyloggers at bay.
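The two properties described above (a random code that works exactly once, and only within a lifetime the user picks) can be sketched on the server side as follows. This is an added example, not PassPack's code; the `DisposableLogins` class and its method names are hypothetical, and the scenario in `demo()` is constructed.

```python
import hashlib
import secrets
import time


class DisposableLogins:
    """Server-side store for single-use, time-limited login codes (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised without sleeping
        self._pending = {}       # SHA-256(code) -> expiry timestamp

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, ttl_seconds):
        """Create a random code valid for ttl_seconds; only its hash is stored."""
        code = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self._pending[self._digest(code)] = self._clock() + ttl_seconds
        return code

    def redeem(self, code):
        """Return True at most once per code, and only before it expires."""
        # pop() removes the entry whether or not it is still valid, so the
        # same code can never be accepted a second time.
        expiry = self._pending.pop(self._digest(code), None)
        return expiry is not None and self._clock() <= expiry


def demo():
    """Constructed scenario: a code typed on a public PC, then replayed from a keylogger."""
    now = [1_000_000.0]                    # fake clock, in seconds
    store = DisposableLogins(clock=lambda: now[0])

    code = store.issue(ttl_seconds=3600)
    first_use = store.redeem(code)         # the account owner logs in
    replay = store.redeem(code)            # the captured code is tried again

    unused = store.issue(ttl_seconds=600)
    now[0] += 601                          # the chosen lifetime passes unused
    too_late = store.redeem(unused)

    return first_use, replay, too_late


if __name__ == "__main__":
    print(demo())
```

Because the entry is deleted on first presentation and only a hash is stored, neither a keylogger capture nor a copy of the server's pending table yields a working login.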

Clipperz is also lacking decent backup and restore features. You can export your data in a printable format. But that isn't very secure. PassPack can give you a printable version, if you'd like, but you can also have the data stored in an encrypted file. And the file can be encrypted with your account passwords, or a completely different password can be used. Your choice. Clipperz has no import feature, and PassPack offers the ability to import a CSV file, or you can restore the encrypted file mentioned above.

That's it for now. They both have had quite a lot of improvements over the last few months. And there just isn't a clear winner. Both are well done and easy to use. As improvements are made, I'm sure a winner will be more clear. But until then, I'll continue using both.

Thursday, May 24, 2007

Passpack and Clipperz

As promised, I've been playing with Passpack and Clipperz for a few weeks now. And, I have to say, I like aspects of both of them. But Passpack is in the lead, by the narrowest of margins. Since my last report of both services, both have introduced more features or improvements.

Clipperz, for instance, now has a "Clipperz Compact" version of their service. It works in Firefox, and allows you to log into your account from the sidebar. When you want to log into a particular website, you just click on the icon for that website and Clipperz Compact does the rest. Passpack has not yet introduced an autologin feature (supposedly it will be introduced next month).

Clipperz has also improved the interface with new card templates and password strength indicators. The card templates allow you to select what kind of website it is, and it will then fill in appropriate fields for that type of site. And when typing in a password, an indicator just below the field will indicate how good of a password it is.


All of those improvements are a move in the right direction, but it still isn't as easy to use as Passpack. Clipperz is lacking a password generator and a one-time password generator. I think a one-time password generator is a great idea (and it is "coming soon" for Clipperz). If I happen to use a computer at the library, or at an Internet cafe, I can use my one-time password without fear that a key logger recorded my account information.

Passpack is best for websites. It's geared for it. It would, however, be nice for it to include the ability to secure other things like Clipperz can do. Like, for instance, a lot of websites are using other questions for forgotten passwords, or extra security. Clipperz allows you to add other fields to the card to track what you put for those extra security questions. This is why I like aspects of both sites.

In the near future I'll do a side by side comparison of the two. Hopefully Passpack will have their auto-login feature released by then.

Friday, April 13, 2007

PassPack

A comment was posted on my last entry about Clipperz about a competitor for Clipperz. And, I have to say, Clipperz has some tough competition. PassPack seems to take password management up a notch, or two. I don't know who made it onto the scene first, but there are a lot of things I like about PassPack. For the most part, it's the same as Clipperz. When you add usernames and passwords to PassPack, it encrypts the data locally and stores the encrypted data on the servers. Like Clipperz, PassPack has no way of resetting your password for the PassPack system.

But some things that make PassPack stand out are the double passwords required for logging in. One password is for getting into the account. And the second password is for unpacking the data. It's kind of nice to have the double layer of security.


Another nice thing about PassPack is the password manager. After you have entered a username and password, you can view the record with the information and the password is scrambled. Unlike Clipperz, you can highlight the field and do a standard copy and paste to copy the password. Someone watching over your shoulder will not see the password. In Clipperz, the best I can tell is that you have to unhide the password in order to be reminded of what it is. With PassPack's way of doing it, it is never revealed.

Like Clipperz, PassPack also has disposable logins. If you are going to be using your account from a public computer, or a friend's computer, you can create a disposable login that will work exactly ONE time. That way, if they have a key logger running on the computer, they will not be able to have access to your data.

PassPack is working on a direct login feature for their product, and they promise that it will be a lot easier to use than Clipperz.

One other thing that I really like about PassPack is that they offer a password generator. With a password manager like this, longer tougher passwords are possible. Especially since the password can be copied and pasted easily. And, when they get their version of the direct login, you won't even have to copy and paste it. So, having a generator that will give you more secure passwords is a huge plus.

I'll keep playing with both services and will post an entry in the future what my experiences are. If anything, if I have my passwords in both services, I'm doubly protected if one goes under. Which also makes me wonder how they are going to make money. Clipperz has an entry on their blog about it. Should be interesting.

Friday, April 6, 2007

Clipperz

If you are like me, you have LOTS of different accounts on many different sites. If you are also like me, you have the same password at all of those sites. Yes, I know, it's dumb to do something like that. I figure that the sites I go to can be trusted to not go trying out my credentials at other sites. I don't usually create accounts on sites that can't be trusted, and if I do, I use different credentials.

That being said, I have always hated this habit of mine. I didn't want to write down my passwords on paper. I didn't want to create a file on my computer with my passwords. I didn't want to use a program on my computer to keep track of passwords. Either of the last two options would be lost if the computer died. I also haven't been too keen on the OpenID thing either. I just don't trust the key holders.

So, that's where the topic of this post comes in. The site is called Clipperz. It is a site that will allow you to manage all of your usernames and passwords for any site on the Internet. And, it does it in a highly secure way. You could be thinking, "how is this different than OpenID? Won't they have all the keys to your information?" Well, actually, no they won't. The reason is, the browser will encrypt the data before sending the information to the website. The information to Clipperz is a bunch of noise, more or less. In fact, if you lose/forget your Clipperz username and password you're simply out of luck as there is no way they can retrieve the information for you. You can even have a look at the code they use to verify their claims.

This just looks to be the ideal solution to all of my password problems. I can now use different passwords for all of my site accounts. I won't lose the data if my computer crashes. It's accessible from any browser. I don't even have to worry about my computer getting compromised and someone finding my passwords in the password manager of my browser. It's the ideal solution.

Besides being a great way to store passwords, it's also a great way to log in to sites. They call it "Direct Logins". When you create a "Card" for a site, you can set it up for direct login. Then, when you click on the direct login link, it will open up a new window (or tab) and automatically log you in to that site. The drawback is that not all sites will work. I'm sure Clipperz will be working on making it work with more and more sites, but for the ones that work, it's a great way to log in.

Direct logins are created with the help of their "Bookmarklet". Basically, you drag the bookmarklet button to the bookmark toolbar of your browser. Then, on a site that you want to create a card for, you click on the bookmarklet and a popup window is displayed with code that is prehighlighted. Copy that code and paste it into the appropriate box when creating a card. You may have to clean up some of the fields that are unnecessary for logging in. But once you have the data entered and saved, you can then try clicking the direct login link to automatically log in.

Also, the site can be used for any piece of information. That is probably why they use "cards" instead of some other name. The fields are not limited to just username and password. Any field label can be used with any type of data for the information. So, whatever your secrets are, you can securely store it. For instance, bank account numbers could be stored.

The site is also completely anonymous. All you need to create an account is a username that isn't already being used, and a passphrase. No email address, or any other identifiable information, is required to create an account.

The site is still in beta and is completely free for the time being. And new features are planned for the near future. One that I'm looking forward to is sharing of data. Another function of password management I have been interested in is for where I work. I want a way to securely allow access to passwords to certain employees, and only the passwords I select. So far, I just haven't found anything that works like I want. Hopefully, the sharing feature will do just what I'm looking for.

If you are looking for a way to store passwords, Clipperz is a great way to do it.