Showing posts with label passpack. Show all posts

Thursday, November 15, 2007

Perfect Paper Passwords

I have been listening to the Security Now podcast from the beginning. It is a really good podcast about computer or network security. It is hosted by Steve Gibson and Leo Laporte. Steve is the creator of Spinrite, a hard disk repair and maintenance utility. He is also the author of several free utilities that can be found at his website. The podcast is all about security. Sometimes I think they talk too much about Spinrite, or e-book readers and I also think Leo sometimes falls asleep during the taping because he'll ask Steve questions that Steve already addressed. But anyway, other than that, it's a really good podcast.

Lately, there has been a lot of talk about one time use passwords. Steve had a need for his staff to securely log into the GRC network when they are away from their home. He wanted everything to be as impenetrable as possible. Sometimes I think Steve goes overboard. He would prefer NO risk of attack, whereas I understand that there will be some risk involved. I would rather it be easier than harder. The more hoops I have to jump, the more secure it is, but you're also increasing the frustration level if you already have a low risk of someone trying to break in. I mean, who really wants to read MY email? And there are some instances where the extra hoops aren't so frustrating, like my Paypal account. You can listen to episode 115 for all the details about why he came up with this, but he wanted something that couldn't be sniffed and used again later. I think what he has come up with is very good. And I think it will work for a few different websites or systems. For example, I think this would be perfect for Passpack or Clipperz. Websites like that have the potential of being targets, and this would give one more authentication factor that would be incredibly hard to attack.

The system Steve has come up with is called "Perfect Paper Passwords", or PPP. The website has all the information about it. Steve said that someone has already used his system to create a plug-in for the Mac that will use this authentication system for logging into an OS X system. If someone comes up with something for Windows, I'd probably use it.

Also, I like my Paypal Security Key, but what Steve has come up with is better in a lot of ways. The biggest difference is cost. It doesn't cost anything to print out a card. And it will also have a low start-up cost for websites too. It's just really cool. And I really hope Passpack and Clipperz will implement it, as I still use both of those sites and would enjoy the extra security.

And speaking of Passpack and Clipperz. I sent Steve feedback asking him about those two sites. He hasn't answered it yet, but he did answer someone else about a similar website called Passlet. I asked Steve what he thought of those sites, and based on his response to the Passlet question, he seems to think they are okay. But, Passlet is just plain ugly and doesn't provide nearly the same feature set as Passpack or Clipperz. Maybe Steve will still have a look at my question and answer it. I'm hoping he uses a tracker and will see this blog post. If not, I'll try again because I'd really like to know what he thinks of these sites, and maybe even compare it to Passlet.

(I realize I didn't say anything about Leo as an introduction. After all, who doesn't already know Leo?)

Monday, August 6, 2007

PassPack and Clipperz, head to head

I've talked about PassPack and Clipperz before. I have been playing with both sites over the last few months, trying to decide which one I want to use. They both have features that are necessary, like a high level of encryption. They are both easy to use. They both are easily accessible from any browser and computer. Where they differ is in the implementation. I still like the interface of PassPack better than Clipperz. To me, it just makes more sense. But Clipperz's interface is not bad either. I just prefer PassPack's.

Clipperz has had a feature called "Direct Login" for a while now. This feature allows you to click a link and have Clipperz automatically open a window (or tab) for that site, and automatically log you in, doing it in a highly secure way. They include a bookmarklet to help with the creation of the card with the necessary information for automatic logins. This, for the most part, works.

PassPack has had a similar feature in the works for a while now, and has recently released it as "Auto-login". I like the way PassPack has implemented this feature. They have a button similar to Clipperz's bookmarklet called the "PassPack It!" button. This button allows you to easily configure a website for auto-login. You first create an entry in PassPack for the site in question. After that, you click on the "Go There" button to open up the website in a new window or tab. Then you click the PassPack It! button and, if this is your first time setting up the site, it will give you instructions to click on the username field, then the password field, and then the login button. You are basically teaching the system where the fields are. After that, when you click the PassPack It! button on that website, it will automatically fill in the information and log you in.

I like PassPack's setup process, but I like the way Clipperz does it after everything is set up. Setting up direct logins for Clipperz is a bit tedious. But once it is set up, you click on one link, a new window or tab is opened to that site, and you are automatically logged in. PassPack, however, you have to click on the "Go there" link and then click on the PassPack It! button to initiate the auto-login. A "Go there and log in" button in PassPack would make PassPack more competitive. So, right now, I'm leaning towards Clipperz again. It saves me an extra click...

Currently, I have 37 entries. Most of those sites work. But some do not. Some sites have two step authentication. This is where you enter a username (or some other information) on a screen, and after clicking "next" or some other button, you are presented with a second screen with your password field, and they usually have other identifiable information to thwart phishing. Systems like this simply do not work with auto-login systems like Clipperz and PassPack. Maybe one day, but not now.

Then, there are sites that have a single place to log in, but do it in a funky way. Or have a window that pops up like Diet Television. Or, they have a box that slides down from the top, like Technorati does. These sites, as well as the two step authentication, just don't play nice with Clipperz and PassPack.

Here is a list of sites that do work:
Boxbe
Blockbuster Online
DomainDiscover
ILetYou
OboPay
PayPerPost
Prosper

This is just a sample of ones I've set up for auto-login.

Now, when I first set up a few sites for auto-login, there were a few that Clipperz could do that PassPack could not do. Trying everything again today showed that all sites that worked in one work in the other. So, either I was screwing something up, or PassPack has made some improvements in the last couple of days. I'm not sure which. But what I do know is that I really like being able to click one button to have everything done for me. I don't know if it was designed that way, or if PassPack will fix it. Until it is fixed, I'm going to have to start using Clipperz a little more than usual.

I will, however, continue to use both. I don't like the idea, for one, of having all my eggs in one basket. Plus, Clipperz still doesn't have one-time password capability yet. PassPack currently has this feature (they call it a "Disposable Login"). I can set up a one-time password that automatically expires after a certain period of time. A period of time I can select. I can use the randomly generated password exactly one time to log into my account. It helps keep the keyloggers at bay.
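The disposable login described above (a random password that works exactly once and expires after a chosen period) can be sketched as follows. This is an added example, not Passpack's code; the class name `DisposableLogins` and its methods are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


class DisposableLogins:
    """Hypothetical server-side store of single-use, expiring passwords."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be tested
        self._pending = {}       # user -> (SHA-256 digest, expiry timestamp)

    def issue(self, user, ttl_seconds):
        """Generate a random one-time password valid for ttl_seconds."""
        password = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        # Only a digest is kept; a plain hash is acceptable here because
        # the secret is long and random, unlike a human-chosen password.
        digest = hashlib.sha256(password.encode()).digest()
        self._pending[user] = (digest, self._clock() + ttl_seconds)
        return password                        # shown to the user once

    def redeem(self, user, password):
        """Return True at most once per issued password, before expiry."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user]            # expired: discard
            return False
        candidate = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(candidate, digest):  # constant-time compare
            return False
        del self._pending[user]                # consumed: a replay now fails
        return True


if __name__ == "__main__":
    store = DisposableLogins()
    otp = store.issue("alice", ttl_seconds=600)   # constructed sample user
    print("first use:", store.redeem("alice", otp))
    print("replayed by a keylogger:", store.redeem("alice", otp))
```

A password captured by a keylogger is worthless after its first use because the entry is deleted on success, and an unused one dies at its expiry time.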

Clipperz is also lacking decent backup and restore features. You can export your data in a printable format. But that isn't very secure. PassPack can give you a printable version, if you'd like, but you can also have the data stored in an encrypted file. And the file can be encrypted with your account passwords, or a completely different password can be used. Your choice. Clipperz has no import feature, and PassPack offers the ability to import a CSV file, or you can restore the encrypted file mentioned above.

That's it for now. They both have had quite a lot of improvements over the last few months. And there just isn't a clear winner. Both are well done and easy to use. As improvements are made, I'm sure a winner will be more clear. But until then, I'll continue using both.

Thursday, May 24, 2007

Passpack and Clipperz

As promised, I've been playing with Passpack and Clipperz for a few weeks now. And, I have to say, I like aspects of both of them. But Passpack is in the lead, by the narrowest of margins. Since my last report of both services, both have introduced more features or improvements.

Clipperz, for instance, now has a "Clipperz Compact" version of their service. It works in Firefox, and allows you to log into your account from the sidebar. When you want to log into a particular website, you just click on the icon for that website and Clipperz Compact does the rest. Passpack has not yet introduced an autologin feature (supposedly it will be introduced next month).

Clipperz has also improved the interface with new card templates and password strength indicators. The card templates allow you to select what kind of website it is, and it will then fill in appropriate fields for that type of site. And when typing in a password, an indicator just below the field will indicate how good of a password it is.


All of those improvements are a move in the right direction, but it still isn't as easy to use as Passpack. Clipperz is lacking a password generator and a one time password generator. I think a one time password generator is a great idea (and it is "coming soon" for Clipperz). If I happen to use a computer at the Library, or at an Internet Cafe, I can use my one time password without fear that a key logger recorded my account information.

Passpack is best for websites. It's geared for it. It would, however, be nice for it to include the ability to secure other things like Clipperz can do. Like, for instance, a lot of websites are using other questions for forgotten passwords, or extra security. Clipperz allows you to add other fields to the card to track what you put for those extra security questions. This is why I like aspects of both sites.

In the near future I'll do a side by side comparison of the two. Hopefully Passpack will have their auto-login feature released by then.

Friday, April 13, 2007

PassPack

A comment was posted on my last entry about Clipperz about a competitor for Clipperz. And, I have to say, Clipperz has some tough competition. PassPack seems to take password management up a notch, or two. I don't know who made it onto the scene first, but there are a lot of things I like about PassPack. For the most part, it's the same as Clipperz. When you add username and passwords to PassPack, it encrypts the data locally and stores the encrypted data on the servers. Like Clipperz, PassPack has no way of resetting your password for the PassPack system.

But some things that make PassPack stand out are the double passwords required for logging in. One password is for getting into the account. And the second password is for unpacking the data. It's kind of nice to have the double layer of security.

Another nice thing about PassPack is the password manager. After you have entered a username and password, you can view the record with the information and the password is scrambled. Unlike Clipperz, you can highlight the field and do a standard copy and paste to copy the password. Someone watching over your shoulder will not see the password. In Clipperz, the best I can tell is that you have to unhide the password in order to be reminded of what it is. With PassPack's way of doing it, it is never revealed.

Like Clipperz, PassPack also has disposable logins. If you are going to be using your account from a public computer, or a friend's computer, you can create a disposable login that will work exactly ONE time. That way, if they have a key logger running on the computer, they will not be able to have access to your data.

PassPack is working on a direct login feature for their product, and they promise that it will be a lot easier to use than Clipperz.

One other thing that I really like about PassPack is that they offer a password generator. With a password manager like this, longer tougher passwords are possible. Especially since the password can be copied and pasted easily. And, when they get their version of the direct login, you won't even have to copy and paste it. So, having a generator that will give you more secure passwords is a huge plus.

I'll keep playing with both services and will post an entry in the future about what my experiences are. If anything, if I have my passwords in both services, I'm doubly protected if one goes under. Which also makes me wonder how they are going to make money. Clipperz has an entry on their blog about it. Should be interesting.