Comments on: Clipperz v. Passpack, Round 2

By: Le soleil n’ignore pas un village parce qu’il est petit. » Archive du blog » Gestionnaire de mot de passes

Thu, 02 Apr 2009 20:54:37 +0000

[...] Avis d’un blogueur en faveur de Clipperz [...]

By: felix

felix — Wed, 24 Oct 2007 18:00:41 +0000

I suspect that these are all tricks that probably don’t do a ton to help. If someone’s savvy enough to get this info they’re probably savvy enough to try some permutations. Although, it’s possible that if someone has a ton of data and they’re just checking everything, failed hits will not be scrutinized more closely and they’ll just move on.

To be honest, though… I have no idea. :)

By: Doc Savage

Doc Savage — Wed, 24 Oct 2007 15:52:05 +0000

What do you guys think about the idea of just adding a bogus character (or two) to the end of your most critical (financial) passwords? Then when you use the information from clipperz, you could just remove the last character?

Also, this scheme could be modified to remove the last character (from clipperz or passpack), so you would need to add it, so say your password is generated as … but you would actualy set them up as +”!” … then you use clipperz or passpack … truly you also hold the final key (secret) in your mind, but its still simple to remember … but keeps your secrets just a little more secret.

Is this kind of thing necessary for security or just paraniod?

I also talked to a co-worker the other day who said that he enters passwords incorrectly, then uses his mouse to click back into the password and then types the missing character or characters(s) … so that keyloggers cannot figure out his passwords.

Could something like this be automated by a site like clipperz or passpack?

By: felix

felix — Sat, 20 Oct 2007 21:24:57 +0000

Alek, thanks! I’m hoping that as they both become more full featured, they’ll learn from each other. I want two great options! But for now, neither is perfect.

By: Alek Davis

Alek Davis — Fri, 19 Oct 2007 23:57:22 +0000

Felix, I totally agree with your points and preferences. I mentioned to Tara the inconvenience of the two-password authentication, but got a similar response. I see where Tara is coming from, though, but still wish they did it a bit differently. At this point, if Clipperz offered an import option, I would’ve jumped on it immediately. Thanks for good reviews.

By: felix

felix — Tue, 11 Sep 2007 19:41:59 +0000

Giap, Have a good vacation!

I definitely agree with you – in all cases you need to trust the organization you are dealing with. Honestly, I have not looked around at either the Clipperz or PassPack code – but I believe that Clipperz uses ShrinkSafe, another standard packer – so you can take their human readable code, verify it and then compress it using that code to verify that it matches up with the code they are shipping out. I haven’t verified the code quality myself, nor have I don’t any significant research into others who have.

At this point, both services don’t quite live up to the baseline requirements for everyday use (for differing reasons). They both are very close and as PassPack opens up their codebase and Clipperz begins working on the iPhone, I’ll probably spend more time looking and verifying. Although, I will probably never host any very sensitive information on either of them.

Hope to see you back here, it’s been a verry interesting conversation!

By: Giap

Giap — Tue, 11 Sep 2007 16:32:01 +0000

Hello. Perhaps I have been too much hard. I wanted to only say that for experience I know that you can be only trusted the persons. You, as an example, use Yodlee because you trust it. Nevertheless they have all the your financial life. If a Yodlee dishonest employer modificates the code he can make many damages to you. But you trust Yodlee because you are sure that Yodlee has created strong security systems, not because they do not know who you are. Therefore it is not important that they know who you are but that they protect your identity. And however I have given one look to the code of passpack. It is packed in a standard way (http://dean.edwards.name/packer/) and enough one code line in order to unpack it. It is Javascript and therefore is direct readable. Where is the difference? I only say that often firm people to the appearances and are not attempted to understand what are under. I have seen the code of clipperz. It is difficult to understand. I ask myself if there is one developer that it has used it in some application. You know it? I have made a search and I have not found nothing. The things are not always those that appear.
Excuse me, in the next hours I will go to my vacation :-) We can continue our discussion after two weeks, if you want.

By: felix

felix — Tue, 11 Sep 2007 12:43:16 +0000

Giap, thanks again – this is really making me think more about this. :) I want to be clear about a couple things – I’m defending this which may make it seem like a bigger deal to me than it actually is. It’s an interesting philosophy and I believe it does have merit, but I’m not building my life around it. :)

Having said that.. I think we can agree that there is no perfect privacy – just like there is no perfect security. No firewall vendor says, “If you put up our firewall, you will never be hacked”. But people still do it because it adds a little bit to your defenses. In the same way Zero Knowledge doesn’t claim to offer you perfect privacy, but it does add a little.

It’s true that someone very dedicated could probably always find you. But if you’re using Tor how many people have the resources and the drive to figure out which servers you went through and go back through all of them cracking the encryption as they go?

In the example you give above, assuming they do find you, they still won’t know your autologging in because you never actually go to Clipperz site – you downloaded your encrypted package once and have been using it locally for the duration.

It is not Zero Knowledge that increases my trust of Clipperz, it’s one thing that I found interesting but it was the freely (free as in beer) available nature of their code that I liked. Something that I believe does increase their security. (PassPack says they they will have this soon, too! Very cool.)

By: Giap

Giap — Tue, 11 Sep 2007 12:18:26 +0000

You have a limited vision.
I can place myself on a passage node and monitor all the traffic that passes for the node and goes towards clipperz. Therefore I can see which IP are connected to clipperz and where they go after. This means that clipperz it does not know it, but I can know it. Obviously if I have the authorizations that serve in order to make the monitoring to me. According to me clipperz he cannot offer more to me privacy than others. If my bank holds my data for itself, they are sure as it they are on clipperz.
I’m afraid that currently privacy doesn’t exist on the internet.
I have to trust of the service to use it.
clipperz it says many things but as you make not ago knowing that an inner monitoring of the accesses? and if it trusts you clipperz because does not trust you others? the thing is much complex and the philosophy zero-knowledge seems much superficial. Bye, this to me is all.

By: felix

felix — Mon, 10 Sep 2007 21:11:34 +0000

Giap, I see your point. But I think you haven’t interpreted my post properly – I’m not saying that Zero Knowledge actually increases your security – that is from a purely security conscious viewpoint, both architectures are very similar and all code being equal seem equally secure. I do believe that Clipperz increases your privacy – in ways that may not be important to many people – but take autologin, for example, I believe that PassPack will know what servers you can login to – where as in Clipperz the entire process is autonomous. To your point, no amount of watching or snooping the Clipperz server will reveal your autologins – simply because they don’t know and nothing goes through their servers.

But ultimately, I agree with you, it is not possible (at this point) to prevent someone from discovering that you actually use either of these services. I think with Clipperz they will be able to find out less than with PassPack either through official or unofficial channels.

Nevertheless, finding that you use the application does not make the actual data less secure for either.