Clipperz v. Passpack, Round 2
I’ve spent a little more time thinking about Clipperz and Passpack (see my Clipperz review and my PassPack review for some background info). The short answer is: I think these are both worthy apps, with differences that will cause each one to appeal to different people. My preference is slightly towards Clipperz, except for the fact that I can’t use it yet on my iPhone, which is sort of a killer for me. But it is really just a preference; let me ’splain.
There are a few minor things that I like in Clipperz more than PassPack, but one major thing. The big deal for me is Clipperz’s security policies, from the availability of their source code (though it is not free software) to their Zero Knowledge policy. For me, putting my personal private business onto the web is a nausea-inducing stress point - I fear it irrationally, and I find the effort that Clipperz puts into proving their security comforting. PassPack will soon make their source code available (great!) but does not subscribe to the Zero Knowledge principle, which is a completely reasonable decision to make.
Zero Knowledge is a really interesting philosophy to adhere to. It’s multi-faceted and I can’t go into it too much here, so read the piece if you want to know more. But the summary is that it increases certain types of privacy for you, the user, over applications that do not follow it. Part of it also increases your security, but in this case I believe that PassPack actually implements, or plans to implement, the list items in there that pertain to the security-enhancing features, while not subscribing to the privacy-enhancing ones. And the reason? Because jumping through all those privacy hoops prevents you from doing certain things that can make some features a lot more convenient.
This seems to manifest most visibly in the autologin features of the sites. PassPack offers a fancier version which makes things easier and more convenient for you, the user - it can do this because it allows itself to know more about you. This is pretty much the way almost every website works, so I would imagine many people are probably ok with this. Personally I am not overly interested in the autologin feature: I am able to remember most of my logins, and my financial login information, which tends to be the stuff I don’t remember, is already stored in Yodlee. So I won’t really use any autologins, and I prefer the enhanced privacy that Clipperz offers - but like I said, this may be a non-issue for you.
There is one other issue that I don’t like about PassPack and hope that they change - they are very nannyish about their security. That is, they enforce a high level of complexity on the two passwords you choose in order to work with them, so you end up needing to type in very long and thus difficult to remember passwords. I appreciate the security reasons for doing this, but forcing it on me is, in my opinion, obnoxious. They should feel free to pop up a warning that tells me if I am about to choose an insecure password and give me reasons as to why that might be a bad idea, but it’s my data and I should be able to lock it down with the security I choose to give it. One killer feature of PassPack is that it works on the iPhone, but typing in these long passwords (especially when you can’t see them, since what you are typing is *’d out) is quite difficult.
Those are the two non-trivial issues with PassPack - both of them are personal - but they may not be issues for you, or you may instead prefer the tactic that PassPack takes over what Clipperz has done. They are not technical problems, just different philosophies on the subject. Both of them do a great job of storing the information. I have a mild preference towards Clipperz’ interface, again something that is completely subjective. PassPack does have a much more robust export/backup system than Clipperz, which is really nice, letting you revert to previous copies in the event that something goes wrong or gets lost. Clipperz, as far as I could find, does not yet have an answer to that one.
So there it is: if you’re looking for an online, secure password storage system, you’ve got two more than capable solutions in Clipperz and PassPack. Both of them have blogs where they tell you what’s going on (Clipperz’ blog, PassPack’s blog). I prefer Clipperz, but it isn’t for any technical or implementation reasons - it isn’t objectively better - I simply agree more with the development philosophy behind Clipperz than PassPack. You may find the opposite to be true.








August 29th, 2007 at 12:29 pm
Thanks for this article. It’s quite well written and does a good job highlighting the differences. I think more and more people are going to be choosing one service over the other based on preferences in philosophy.
Sorry about enforcing the password quality; most people just ignore the warnings and use the absolute minimum they can get away with. :)
August 30th, 2007 at 8:30 am
Tara, thanks! Yeah, I think despite their similarities they each have some fundamental differences that will appeal to some and not to others. Problem for me is your minimum password is like a dozen characters with case, numbers and punctuation! Try typing that blind on an iPhone. :)
September 10th, 2007 at 5:19 am
(I am not English and translate my words with Babelfish from French, so excuse my English.)
What zero-knowledge says is evocative, but ridiculous. When I connect from my PC to Clipperz, I pass through tens of nodes (it is enough to do a traceroute in order to see it). And every one of these nodes keeps a log of everything that passes. Therefore even if you say that your application knows nothing, someone (the police?) could know who connects to you, when they connect to you, where else they have gone. This makes zero-knowledge a naive utopia and, indirectly, an ugly joke on the customer. The thing makes me angry.
Giap
September 10th, 2007 at 8:07 am
Giap, those are interesting points you bring up, although I think it’s a little much to get so angry over. It’s true you leave your footprints over the route you take to get there - but that doesn’t actually add any more data than zero knowledge already has. That is, the app will know that you arrived there - although you could easily use something like Tor to block off even that.
What Zero Knowledge gets you is that that’s all they know about you. They can’t decrypt what you’ve put up there, they don’t know where you are logging in to, etc… all they know is that you have been to the site. Which is really all you can hope for.
September 10th, 2007 at 12:37 pm
Felix, you talk about Clipperz and PassPack, saying that the first one is better because it is zero-knowledge. I have had a look at PassPack and I see that they ask me only for an email. But they don’t want to know anything else. I can create an anonymous email and use it. I have done so and it works. Therefore they know exactly as much about me as Clipperz knows. But whether I use Clipperz or PassPack, if someone wants to identify me, he can. Even if I use a proxy (as I am doing now). Because proxies keep logs too. They must do it. I work in a security company and I know that if I have the authorization I can identify any man in the world if I can capture his traces. Therefore zero-knowledge is a beautiful but useless invention.
September 10th, 2007 at 4:11 pm
Giap, I see your point. But I think you haven’t interpreted my post properly - I’m not saying that Zero Knowledge actually increases your security - that is, from a purely security-conscious viewpoint, both architectures are very similar and, all code being equal, seem equally secure. I do believe that Clipperz increases your privacy - in ways that may not be important to many people - but take autologin, for example: I believe that PassPack will know what servers you can log in to, whereas in Clipperz the entire process is autonomous. To your point, no amount of watching or snooping the Clipperz server will reveal your autologins - simply because they don’t know and nothing goes through their servers.
But ultimately, I agree with you, it is not possible (at this point) to prevent someone from discovering that you actually use either of these services. I think with Clipperz they will be able to find out less than with PassPack either through official or unofficial channels.
Nevertheless, finding that you use the application does not make the actual data less secure for either.
September 11th, 2007 at 7:18 am
You have a limited vision.
I can place myself on a transit node and monitor all the traffic that passes through the node towards Clipperz. Therefore I can see which IPs are connected to Clipperz and where they go afterwards. This means that Clipperz does not know it, but I can know it. Obviously, only if I have the authorizations needed to do the monitoring. In my opinion Clipperz cannot offer me more privacy than others. If my bank keeps my data itself, it is as safe as it is on Clipperz.
I’m afraid that currently privacy doesn’t exist on the internet.
I have to trust of the service to use it.
Clipperz says many things, but how can you know that there is no internal monitoring of accesses? And if you trust Clipperz, why don’t you trust the others? The thing is very complex and the zero-knowledge philosophy seems very superficial. Bye, that is all from me.
September 11th, 2007 at 7:43 am
Giap, thanks again - this is really making me think more about this. :) I want to be clear about a couple things - I’m defending this which may make it seem like a bigger deal to me than it actually is. It’s an interesting philosophy and I believe it does have merit, but I’m not building my life around it. :)
Having said that.. I think we can agree that there is no perfect privacy - just like there is no perfect security. No firewall vendor says, “If you put up our firewall, you will never be hacked”. But people still do it because it adds a little bit to your defenses. In the same way Zero Knowledge doesn’t claim to offer you perfect privacy, but it does add a little.
It’s true that someone very dedicated could probably always find you. But if you’re using Tor how many people have the resources and the drive to figure out which servers you went through and go back through all of them cracking the encryption as they go?
In the example you give above, assuming they do find you, they still won’t know you are autologging in because you never actually go to the Clipperz site - you downloaded your encrypted package once and have been using it locally for the duration.
It is not Zero Knowledge that increases my trust of Clipperz - it’s one thing that I found interesting - but it was the freely (free as in beer) available nature of their code that I liked. Something that I believe does increase their security. (PassPack says they will have this soon, too! Very cool.)
September 11th, 2007 at 11:32 am
Hello. Perhaps I have been too hard. I only wanted to say that from experience I know that you can only trust people. You, for example, use Yodlee because you trust it. Nevertheless they have your whole financial life. If a dishonest Yodlee employee modifies the code he can do a lot of damage to you. But you trust Yodlee because you are sure that Yodlee has created strong security systems, not because they do not know who you are. Therefore it is not important that they know who you are but that they protect your identity. And anyway I have had a look at the code of PassPack. It is packed in a standard way (http://dean.edwards.name/packer/) and one line of code is enough to unpack it. It is JavaScript and therefore directly readable. Where is the difference? I only say that people often stop at appearances and do not try to understand what is underneath. I have seen the code of Clipperz. It is difficult to understand. I wonder whether there is any developer who has used it in some application. Do you know of one? I did a search and found nothing. Things are not always what they appear.
Excuse me, in the next few hours I will leave for my vacation :-) We can continue our discussion after two weeks, if you want.
September 11th, 2007 at 2:41 pm
Giap, Have a good vacation!
I definitely agree with you - in all cases you need to trust the organization you are dealing with. Honestly, I have not looked around at either the Clipperz or PassPack code - but I believe that Clipperz uses ShrinkSafe, another standard packer - so you can take their human-readable code, verify it and then compress it using that code to verify that it matches up with the code they are shipping out. I haven’t verified the code quality myself, nor have I done any significant research into others who have.
At this point, both services don’t quite live up to the baseline requirements for everyday use (for differing reasons). They both are very close and as PassPack opens up their codebase and Clipperz begins working on the iPhone, I’ll probably spend more time looking and verifying. Although, I will probably never host any very sensitive information on either of them.
Hope to see you back here, it’s been a very interesting conversation!
October 19th, 2007 at 6:57 pm
Felix, I totally agree with your points and preferences. I mentioned to Tara the inconvenience of the two-password authentication, but got a similar response. I see where Tara is coming from, though, but still wish they did it a bit differently. At this point, if Clipperz offered an import option, I would’ve jumped on it immediately. Thanks for good reviews.
October 20th, 2007 at 4:24 pm
Alek, thanks! I’m hoping that as they both become more full featured, they’ll learn from each other. I want two great options! But for now, neither is perfect.
October 24th, 2007 at 10:52 am
What do you guys think about the idea of just adding a bogus character (or two) to the end of your most critical (financial) passwords? Then when you use the information from clipperz, you could just remove the last character?
Also, this scheme could be modified to remove the last character (from clipperz or passpack), so you would need to add it, so say your password is generated as … but you would actually set them up as +”!” … then you use clipperz or passpack … truly you also hold the final key (secret) in your mind, but it’s still simple to remember … but keeps your secrets just a little more secret.
Is this kind of thing necessary for security or just paranoid?
I also talked to a co-worker the other day who said that he enters passwords incorrectly, then uses his mouse to click back into the password and then types the missing character or characters … so that keyloggers cannot figure out his passwords.
Could something like this be automated by a site like clipperz or passpack?
October 24th, 2007 at 1:00 pm
I suspect that these are all tricks that probably don’t do a ton to help. If someone’s savvy enough to get this info they’re probably savvy enough to try some permutations. Although, it’s possible that if someone has a ton of data and they’re just checking everything, failed hits will not be scrutinized more closely and they’ll just move on.
To be honest, though… I have no idea. :)