Thin Client Password Management

August 10, 2009 by Dave Michels

Over the past few weeks, I’ve taken a deliberate effort to reduce my dependence on specific software clients. I am tired of carrying around a notebook computer on every trip. I just took a 3 week trip to Europe with only a Linux based netbook – and was mostly functional. Current activities are to turn that “mostly” into “completely”. I am pretty close. The only reason I carry a netbook is so I have a computer when I need one – but really any computer with a connection and browser should suffice. But I’ve run into a few problems I am slowly working my way through. This post is about password management.

I have more user accounts and passwords than I can possibly remember. It’s more that that too, it is other information such as insurance policy numbers, license plates, or even the number to call on a lost credit card. Years ago, I moved this data to an Excel file on my hard drive. I encrypt the file with one of the strong encryptions Microsoft released in Excel 2007. This model has worked pretty well for me over the years, but it requires both the file AND Microsoft Excel 2007 to decrypt the file.

My Linux Netbook can’t run Excel. I considered uploading the document to Google Docs, but their spreadsheet solution doesn’t offer ANY encryption. The data seems too sensitive for the file to be left unencrypted in the Google cloud. I could subscribe to a hosted Excel offering, but I thought I would investigate new models rather than simply move my old model.

The thought of keeping all of one’s sensitive identification secrets in the cloud is a difficult concept at first. We regularly hear about secure sites being compromised – can it really be practical to take all of your passwords, PINs, account numbers, and secret bits of information and make them accessible from anywhere? I believe the answer is yes. Yes, it makes sense, and yes we need to do it. The Internet is everywhere with universal access as one of its key strengths. If you are going to live on the net, you need to deal with net security. Just like Californians needs to deal with Earthquakes.

The Internet is only useful with some trust and reasonable security. Not long ago (5 years?) there was still fear about entering credit cards online – but the net evolved. Better security and education has now made that an acceptable practice. Today, it is fairly common practice to access key financial institutions, even credit card balances and applications, etc. on the net. My bank even lets me write checks (billpay) online – without any valid ID or signature. This practice has crossed the bounds into “reasonable” and is rapidly growing in popularity. While traveling in Europe, I got an email that one of my credit cards expired on a monthly recurring service I don’t think much about. I didn’t have that userid and password with me, so I was forced to deal with it later. I’ve said it before, we live in a world of mobility, stop blaming things on mobility – deal with it.

So this started my search for an online service offering password management, along with some healthy curiosity about their security model. If you have your own host – say a Terminal Server, the Microsoft model with Excel isn’t bad. But I decided to search for a service that requires only a browser. The service I found which I think I like is quite intriguing. It is called Clipperz.com. This site pushes a concept of zero knowledge – that is they don’t want to know anything about me or my data. It is actually a pretty clever model, because even if they are hacked or accidentally employ a dangerous hacker – they don’t have sensitive information to divulge. Let me explain.

First off, they don’t know who I am. I don’t create a userid that links to me – no email, no name, no credit card (this of course makes charging for their service a bit tricky – currently free). The data I send them is encrypted by a strong key which I choose. They don’t store the key. See, in most encryption schemes, both the sender and receiver need to know the key – I send Amazon my credit card encrypted over the network, and they decrypt it once they get it. But Clipperz doesn’t need to decrypt the file to simply store it. They don’t want to know the key (zero knowledge) and encourage me to pick a very strong key.

All this begs the question – who is doing the encrypting then? It is all done in the browser. Modern browsers actually have quite a bit of encryption capability – that’s why credit card transactions are now largely considered safe on the Internet. It uses the browsers built-in encryption to send the information over the net. But in this case, my password information is first encrypted by the browser using a Clipperz Javascript applet. What is sent over the Internet is double encrypted. The applet encrypts the text using a passphrase that is not sent over the net. The data is stored under a unique username I created. The username doesn’t link to me. If a hacker got into the systems, they find a unique username and encrypted data – and that’s it.

Now with the basic design out of the way, let’s address some of the pointy stick questions:

Can’t the Javascript applet be compromised? Yes, this is the weak link. However, there are some precautions you can take around this. The certified code (open source) can have its checksum compared. The site offers everything you need to do this. They also provide a script to test checksum’s with your specific MD5 key which can be hosted on a different server.
Are there restrictions about the passphrase? Not really, it can be as short or as long as you like (Excel wants a pretty short password). They recommend about 8 words with punctuation and random uppercase/number substitutes to create the strongest phrase. It uses 128 bit encryption.
Won’t a keyboard logger defeat the security? In addition to your passphrase, you can optionally create a number of one time disposable pass phrases. In this case, Clipperz can generate these 32 character codes and print them on an otherwise blank sheet of paper. If you find yourself using an Internet café or library computer to access your information (where keyboard loggers are common), you can use this one time code. As soon as this one time code is used, it is logged (IP address, OS, browser, and country) and deactivated. Clipperz can also directly log you into a desired site using your browser again – so you don’t have to type in the password of your destination. This One Click logins’ is very clever and completely browser based (new session is from your browser, not their server).
What about offline access? This is fairly clever. Since Clipperz is using the browser’s encryption capability – it is possible to create an offline HTML version to be saved on your desktop. This is a read only file, but still encrypted. Simply download the file to your computer and it can be accessed from any browser (linux, Mac, Windows). Access all your secret information from a submarine.

I have gradually starting moving data over. I am finding the service very useful and friendly – and I am enjoying my freedom of not having to use my PC. I can access the data from the three different workstations I primarily use. The service is free, but accepts donations. I am considering using separate userIDs to split up some of my information – one more layer of security.

Clipperz slideshow overview:

An introduction to Clipperzhttp://static.slidesharecdn.com/swf/ssplayer2.swf?doc=clipperzbpopen-1216995584461018-9&stripped_title=an-introduction-to-clipperz

View more documents from Marco Barulli.

By Dave Michels

Dave is an independent analyst and founder of TalkingPointz which is focused on enterprise communications. In addition to this (free and paid) content on TalkingPointz, he contributes to industry sites, can be found at major industry events, and provides advisory services to vendors and financial analysts.

Look ma, no ads!

Admit it! You just can’t look away. Yet, there’s so much more.

Become a subscriber to TalkingPointz for access to reports and premium posts.

There are several ways to stay informed:

Visit this site regularly.
Receive new posts in your email once a week.
Become an Insider or All Access Subscriber for alerts and access to uncensored content.

Become a Member from $49 / month

TalkingHeadz Podcast

The TalkingHeadz podcasts are @DaveMichels and @EvanKirstel chatting with interesting guests. These are unsponsored and unscripted for your enjoyment. You can subscribe on most podcast apps including iTunes.

Listen on iTunes

Podcast

TalkingHeadz with Brad Hintze of Crestron

April 10, 2023

Multi-camera video is best demonstrated in large conference rooms, and that can be a challenge in an expo hall. Crestron solved it: We’re going to need a bigger booth. I experienced Crestron’s 1 Beyond experience in an expo booth with…

Discussion

Jer Warren August 10, 2009

would it be more of a hassle to use pgp to encrypt a non-Excel-format spreadsheet and upload it to your hosting account?

And maybe keep it in sync by way of unison?

It'd be a little bit more hassle, but you wouldn't be depending on the viability of their eventual business model. Maybe they can't figure out how to make money on it, and shut it down along with your data…

Would a php app you install on your webserver to manage passwords in a secure manner be useful?

Reply
Dave Michels August 10, 2009

Thanks for the comment Jer.

There are lots of ways to skin this cat, but my objective was to use only the browser as a client. PGP doesn't meet that, and some Internet Cafe or Libraries would prevent it from being installed.

Regarding the risk of Clipperz shutting down their servers – that is mitigated with the saved downloaded copy of the pages. The offline files are still secure (read only) and could be accessed if the service was shut down.

Reply
Giulio Cesare Solaroli August 15, 2009

Hello Dave, thanks for your kind review.

I would just like to point out that Clipperz grants a minimum security level of 128 bits; but all the algorithms used are 256bits.

Regards,

Giulio Cesare

Reply