I have been listening to the Security Now podcast from the beginning. It is a really good podcast about computer or network security. It is hosted by Steve Gibson and Leo Laporte. Steve is the creator of SpinRite, a hard disk repair and maintenance utility. He is also the author of several free utilities that can be found at his website. The podcast is all about security. Sometimes I think they talk too much about SpinRite or e-book readers, and I also think Leo sometimes falls asleep during the taping because he'll ask Steve questions that Steve already addressed. But anyway, other than that, it's a really good podcast.
Lately, there has been a lot of talk about one-time-use passwords. Steve had a need for his staff to securely log into the GRC network when they are away from their home. He wanted everything to be as impenetrable as possible. Sometimes I think Steve goes overboard. He would prefer NO risk of attack, whereas I understand that there will be some risk involved. I would rather it be easier than harder. The more hoops I have to jump through, the more secure it is, but you're also increasing the frustration level if you already have a low risk of someone trying to break in. I mean, who really wants to read MY email? And there are some instances where the extra hoops aren't so frustrating, like my PayPal account. You can listen to episode 115 for all the details about why he came up with this, but he wanted something that couldn't be sniffed and used again later. I think what he has come up with is very good. And I think it will work for a few different websites or systems. For example, I think this would be perfect for Passpack or Clipperz. Websites like that have the potential of being targets, and this would give one more authentication factor that would be incredibly hard to attack.
The system Steve has come up with is called "Perfect Paper Passwords", or PPP. The website has all the information about it. Steve said that someone has already used his system to create a plug-in for the Mac that will use this authentication system for logging into an OS X system. If someone comes up with something for Windows, I'd probably use it.
Also, I like my PayPal Security Key, but what Steve has come up with is better in a lot of ways. The biggest difference is cost. It doesn't cost anything to print out a card. And it will also have a low startup cost for websites too. It's just really cool. And I really hope Passpack and Clipperz will implement it, as I still use both of those sites and would enjoy the extra security.
And speaking of Passpack and Clipperz, I sent Steve feedback asking him about those two sites. He hasn't answered it yet, but he did answer someone else about a similar website called Passlet. I asked Steve what he thought of those sites, and based on his response to the Passlet question, he seems to think they are okay. But Passlet is just plain ugly and doesn't provide nearly the same feature set as Passpack or Clipperz. Maybe Steve will still have a look at my question and answer it. I'm hoping he uses a tracker and will see this blog post. If not, I'll try again because I'd really like to know what he thinks of these sites, and maybe even compare them to Passlet.
(I realize I didn't say anything about Leo as an introduction. After all, who doesn't already know Leo?)
Thursday, November 15, 2007
Perfect Paper Passwords
Posted by
Ronnie
Tags: clipperz, passpack, password, password manager, security now, steve gibson
Friday, April 6, 2007
Clipperz
If you are like me, you have LOTS of different accounts on many different sites. If you are also like me, you have the same password at all of those sites. Yes, I know, it's dumb to do something like that. I figure that the sites I go to can be trusted to not go trying out my credentials at other sites. I don't usually create accounts on sites that can't be trusted, and if I do, I use different credentials.
That being said, I have always hated this habit of mine. I didn't want to write down my passwords on paper. I didn't want to create a file on my computer with my passwords. I didn't want to use a program on my computer to keep track of passwords. Either of the last two options would be lost if the computer died. I also haven't been too keen on the OpenID thing either. I just don't trust the key holders.
So, that's where the topic of this post comes in. The site is called Clipperz. It is a site that will allow you to manage all of your usernames and passwords for any site on the Internet. And, it does it in a highly secure way. You could be thinking, "how is this different than OpenID? Won't they have all the keys to your information?" Well, actually, no they won't. The reason is, the browser will encrypt the data before sending the information to the website. The information to Clipperz is a bunch of noise, more or less. In fact, if you lose/forget your Clipperz username and password you're simply out of luck as there is no way they can retrieve the information for you. You can even have a look at the code they use to verify their claims.
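The "browser encrypts before sending" idea above, as an added example that is not Clipperz's code and not from the original post: PBKDF2 and AES-256-GCM from Node.js's `crypto` module stand in for whatever Clipperz actually implements, and the function names, iteration count and sample card are assumptions made for this sketch.

```javascript
// Added example: client-side encryption of a password "card" before upload.
// PBKDF2 + AES-256-GCM are stand-ins for this sketch, not Clipperz's actual scheme.
const nodeCrypto = require("node:crypto");

const PBKDF2_ITERATIONS = 600000; // assumed work factor for this sketch

// Derive a 256-bit key from the passphrase. Only the client ever holds it.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, 32, "sha256");
}

// Client side: encrypt a card (any labelled fields) before it leaves the machine.
function sealCard(passphrase, card) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(card), "utf8"), cipher.final()]);
  // This record is everything the server receives and stores.
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: body.toString("base64"),
  };
}

// Client side: decrypt a record fetched back from the server.
// Returns null if the passphrase is wrong or the record was altered.
function openCard(passphrase, record) {
  try {
    const key = deriveKey(passphrase, Buffer.from(record.salt, "base64"));
    const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
    decipher.setAuthTag(Buffer.from(record.tag, "base64"));
    const body = Buffer.from(record.ciphertext, "base64");
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch (err) {
    return null; // authentication failed: without the passphrase there is no recovery
  }
}

// Constructed sample data, not real credentials.
const sampleCard = { site: "forum.example", username: "alice", password: "correct horse" };
const stored = sealCard("a long passphrase only I know", sampleCard);
console.log("server sees:", stored);
console.log("right passphrase:", openCard("a long passphrase only I know", stored));
console.log("wrong passphrase:", openCard("a guess", stored));
```

The stored record holds only the salt, IV, authentication tag and ciphertext, which is why a service built this way cannot reset a forgotten passphrase.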
This just looks to be the ideal solution to all of my password problems. I can now use different passwords for all of my site accounts. I won't lose the data if my computer crashes. It's accessible from any browser. I don't even have to worry about my computer getting compromised and someone finding my passwords in the password manager of my browser. It's the ideal solution.
Besides being a great way to store passwords, it's also a great way to log in to sites for you. They call it "Direct Logins". When you create a "Card" for a site, you can set it up for direct login. Then, when you click on the direct login link, it will open up a new window (or tab) and automatically log you in to that site. The drawback is that not all sites will work. I'm sure Clipperz will be working on making it work with more and more sites, but for the ones that work, it's a great way to log in.
Direct logins are created with the help of their "Bookmarklet". Basically, you drag the bookmarklet button to the bookmark toolbar of your browser. Then, on a site that you want to create a card for, you click on the bookmarklet and a popup window is displayed with code that is prehighlighted. Copy that code and paste it into the appropriate box when creating a card. You may have to clean up some of the fields that are unnecessary for logging in. But once you have the data entered and saved, you can then try clicking the direct login link to automatically log in.
Also, the site can be used for any piece of information. That is probably why they use "cards" instead of some other name. The fields are not limited to just username and password. Any field label can be used with any type of data for the information. So, whatever your secrets are, you can securely store them. For instance, bank account numbers could be stored.
The site is also completely anonymous. All you need to create an account is a username that isn't already being used, and a passphrase. No email address, or any other identifiable information, is required to create an account.
The site is still in beta and is completely free for the time being. And new features are planned for the near future. One that I'm looking forward to is sharing of data. Another function of password management I have been interested in is for where I work. I want a way to securely allow access to passwords to certain employees, and only the passwords I select. So far, I just haven't found anything that works like I want. Hopefully, the sharing feature will do just what I'm looking for.
If you are looking for a way to store passwords, Clipperz is a great way to do it.
