Help Johny to decide between Clipperz and PassPack


Marco Barulli

Jan 9, 2009, 12:49:00 PM
to Clipperz
Hi all,
Johny sent a couple of interesting comments to this blog post on the
Clipperz web site
http://www.clipperz.com/users/marco/blog/2007/08/14/clipperz_direct_login_vs_passpack_auto_login#comment-1804

He has a lot of sensible questions about Clipperz's and PassPack's
features.
He needs to decide which service better suits his needs.

Instead of directly answering his questions, I decided to move his
comments here and ask the small community of Clipperz users to provide
answers, opinions and advice to Johny.

I think this is a better way for Johny to get less biased answers that
will help him make the right choice.

Thanks for your help!
Marco

======================================
PHONY CRITICISM?
Submitted by johny why (not verified) on 8 January, 2009 - 20:49.

I’m just a regular user, comparison-shopping. I hope the two providers
will both respond to my questions, so I’m posting them on both their
sites.

PassPack’s Comparison Table: http://passpack.wordpress.com/2007/04/10/passpack-and-clipperz-the-difference/

Click-itis: personally, I’m less concerned about the number of clicks
it takes to “create” a new auto-login, because that’s only done once.
I’m more concerned about the number of clicks it takes to log in on
subsequent visits, and the strength of security. Clipperz apparently
wins this one.

Clipperz mentions PassPack’s “100 seconds window” in which the user
can log in, as if that’s a bad thing. It’s not an overt criticism, but
they sneak it into their critique, because it “sounds” like a
limitation. The 100-second window is actually a good thing— if I walk
away from my computer, the login will time out, and the guy in the
next cubicle won’t be able to log into my accounts. It improves
PassPack’s security. Point against Clipperz for being sneaky, point
for PassPack for yet another security layer.

Zero Knowledge: “no data is transmitted to the Clipperz server when a
user click on a “direct login” link” —I don’t really see how that’s
possible. Their servers hold my password info, so how can they log me
in without knowing which password to transmit? When I click on a
“direct login” link, that submits my click back to the Clipperz server,
does it not? Hard to believe Clipperz has zero knowledge. Unless they
cache my passwords on my local PC, but how could they, if it’s
accessible from any computer? I think maybe they mean that PassPack
collects info about who adds auto-login sites, but Clipperz does not.
Big deal.

Clipperz and PassPack can both track the actual auto-logins I
perform, which means Clipperz can still track my personal login
activities. Not that I really care, I’m not doing anything illegal. So
they know I logged into my Gmail, so what?

But are they keeping a log of my logins? If so, then they better be
giving me access to that log, so I can see if a hacker, or my wife,
logged into my Gmail yesterday, when I was on the train to Ohio (I’m
not married, and I never go to Ohio, but you know what I mean). Do
either of these services give me access to my login history? I would
want that.

Clipperz says “if you are helping PassPack to grow the collection of
websites that “auto login” can handle, consider that your username and
email will be linked to every website you “teach” them!” Sounds like a
legit complaint— what does PassPack really mean by “for security
purposes…we store information that may help us identify the account
that registered.” What security purposes? Hmm, I could see how someone
could theoretically use their library of auto-login sites to mount
some sort of brute-force password hacking scheme. Is that what they
mean? If so, then PassPack could more easily track hackers, so this
could be a point in PassPack’s favor.

Installation: I need to log in from multiple computers, including
shared or public computers, so the requirement of a bookmark may make
PassPack unusable for me. It means, if I’m at the library, I’ve got to
go through the install procedure, and if the library computer prevents
me from adding bookmarks to the web browser, I’m out of luck. Major
points against PassPack for that.

Security: PassPack’s “double key”, modify user ID, anti-phishing, and
automatic application locking are all security advantages over
Clipperz (even though I may not have the time to study what exactly
they all are). PassPack has “two-factor authentication” in the pipeline
(as of 10/07). PassPack seems to beat out Clipperz on security in a big
way.

Clipperz says “When a PassPack user clicks [autologin], It’s sensible
to imagine that the “mini pack” [sent from my computer to passpack]
contains the user credentials for the specific website.” First, I see
this as a security issue, not a zero-knowledge issue. But I don’t
understand why the minipack would contain my passwords— my user
credentials are stored on the PassPack server, not my local computer.
Both services send their data with encryption.

Clipperz has “Referrer obfuscation” and checksums —I don’t totally get
that, but it sounds good, and PassPack doesn’t have those.

Recovery: if you forget your PassPack login credentials, you’re out of
luck. What!? Bad, very bad. Absolutely catastrophic. Major black mark
against PassPack for that.

Clipperz does not appear to have an offline app, but I don’t want an
offline app. Web-based password management is the whole point— I’m
only using it for website passwords. On the other hand, what if I had
local secured apps, and I was in a job that did not allow internet
access? Can’t use Clipperz. So, ideally, I would prefer a dual online/
offline password manager— a web-based app with a secure local cache
(generally, I prefer web-based apps to installed apps— it’s the
future, yo!)

Performance: Clipperz says: “Firefox may display the following warning
message: “Unresponsive script.” That’s while using Clipperz, not
PassPack. And it’s baaad. They should eliminate the error, somehow.
Either by remotely adjusting Firefox’s maxscriptruntime value, or by
sending repeated “I’m still thinking” messages to Firefox, to prevent
it from timing out, or by pushing the computation to the server side,
or to the client side, or by accelerating the computation, or
whatever! This kind of error could easily lose them tons of customers,
who will just give up and switch over to PassPack. Big point against
Clipperz.
http://www.clipperz.com/support/generalfaq#How to get rid of Firefox unresponsive script pop-up dialog boxes?

Documentation: Clipperz has a lovely, well-organized user manual, with
a table of contents. Love it. I cannot find the same on PassPack’s
site. Big point in Clipperz’s favor.

Export: PassPack’s comparison table says Clipperz does not offer
offline backup, but the Clipperz site says “Users can dump their
encrypted data from Clipperz servers to a local hard disk” in JSON or
XML, and can import from JSON, XML, Roboform, KeePass and PasswordPlus,
Excel, and CSV. Point against PassPack for incorrect info— and it makes
me doubt the credibility of the other info in their table— I suspect
that it’s simply outdated, not intentionally deceptive. Clipperz needs
to respond to PassPack’s comparison table. Both offer some kind of
import, but Clipperz appears mighty robust.

Disposable Logins: brilliant. Only PassPack has ’em. Yet another
security layer. Big points for PassPack.

Orange: juicy sweet modern orange is nicer to look at than stale,
pale, grammar-school green. Clipperz wins on color. Sexiness matters
to me, baby.

Self-Hosting: Clipperz has an open-source system you can download and
run on your own server, for example to manage internal passwords for
your organization. Bravissimo! Point for Clipperz.

Tone: I don’t see anything wrong with the tone of this article. When
ambitious companies compete, consumers benefit. This article, and
PassPack’s comparison, make my comparison-shopping much easier! But
for PassPack to criticize Clipperz on “tone” seems like a red herring—
a distraction from substance.

Competition: In 9/08, Tara from PassPack said “we’ve stopped competing
directly with Clipperz (exception made for the theoretical debate
around Zero-knowledge Web Applications…). Marco’s last post was simply
painful to read. It hurts to see a friendly competitor drop out of the
race. I hope they make a comeback.”
http://passpack.wordpress.com/2007/04/10/passpack-and-clipperz-the-difference/#comment-9769

So, Clipperz is going out of business? Or, PassPack got funding and
Clipperz didn’t? If you’re both still in business, then you’re
competitors, like it or not. Tara, you should not take competition
personally. I think Tara just does not like the fact that Clipperz is,
apparently, upping the ante. Go Clipperz. Make PassPack better!
PassPack, make Clipperz better! It’s all better for me!

I’m sure there’s more to compare, but I’m out of steam. You both need
to do an up-to-date comparison page.


======================
CORRECTION: NO PASSWORD RECOVERY
Submitted by johny why (not verified) on 8 January, 2009 - 22:52.

Correction: Clipperz does not have password recovery (of your Clipperz
password, not the passwords of your external accounts). Neither does
PassPack, but at least PassPack can roll you back to your last
PassPack password, if you changed it recently.

I am guessing that’s done as a security precaution, but seriously, if
my bank (and every other website in the universe) feels safe giving me
a password recovery mechanism, then PassPack and Clipperz should.
There are all sorts of security layers they could include in the
password recovery system to protect it from hackers, like
question-response (e.g. ‘your mother’s maiden name’), text-as-picture
(come to think of it, are they doing text-as-picture for my stored
passwords, or some other safe-display mechanism?), etc.

Lose your PassPack or Clipperz password, and you can no longer access
ANY of your stored passwords. I.e., you’re fugged.

Which means I have to store my PassPack or Clipperz password on my
local computer, to protect me from forgetting it. Which means anyone
who has access to my local computer can get my PassPack/Clipperz
password, and thence ALL OF MY PASSWORDS!

Which destroys the whole reason for having a password management
system. That’s simply unacceptable, as well as unbelievable.

Am I missing something here?

johny why

Jan 9, 2009, 10:02:13 PM
to Clipperz
I'm now also evaluating https://myvidoop.com/, which is the only
strong contender I've seen.

There are others, but myVidoop, Clipperz, and PassPack seem the most
user-friendly and active. There are also desktop-installed password
managers, but I'm only interested in web-based systems in this
comparison.

Joel Riedesel

Jan 9, 2009, 11:44:05 PM
to john...@gmail.com, Clipperz
You should evaluate all these systems by trying them each for a while. A lot of your analysis of Clipperz is incomplete/wrong. I can't speak for the others. Clipperz is true zero knowledge. All interaction between you and the Clipperz web site is encrypted data, period. Direct logins are on the browser side.

I was able to port (to some degree) Clipperz to run on the Google App Engine environment. It worked fine. Definitely enough to convince me that I can install/compile/run Clipperz myself if need be to work with my data. Web-based Clipperz works great for me across my various computers. I don't use direct login (and never will), so I don't care about that.

I periodically download the encrypted HTML so that I can run Clipperz locally (so to speak). Basically as an archived copy. Completely encrypted, of course.

I really think you should take a closer look at Clipperz. It really is zero-knowledge. You are in complete control. If you worry about forgetting your passphrase, then export to an unencrypted format, print it, and put it in your safe deposit box. I mean... you can only go so far.

Drinks, and late at night, and I didn't notice anyone else respond to you... :-)

Cheers,
Joel
--
Build your own smart web apps: http://jnana.appspot.com