Thin Client Password Management

by Dave Michels

Over the past few weeks, I’ve made a deliberate effort to reduce my dependence on specific software clients. I am tired of carrying around a notebook computer on every trip. I just took a 3-week trip to Europe with only a Linux-based netbook – and was mostly functional. Current activities are to turn that “mostly” into “completely”. I am pretty close. The only reason I carry a netbook is so I have a computer when I need one – but really any computer with a connection and browser should suffice. But I’ve run into a few problems I am slowly working my way through. This post is about password management.

I have more user accounts and passwords than I can possibly remember. It’s more than that too; it is other information such as insurance policy numbers, license plates, or even the number to call on a lost credit card. Years ago, I moved this data to an Excel file on my hard drive. I encrypt the file with one of the strong encryptions Microsoft released in Excel 2007. This model has worked pretty well for me over the years, but it requires both the file AND Microsoft Excel 2007 to decrypt the file.

My Linux Netbook can’t run Excel. I considered uploading the document to Google Docs, but their spreadsheet solution doesn’t offer ANY encryption. The data seems too sensitive for the file to be left unencrypted in the Google cloud. I could subscribe to a hosted Excel offering, but I thought I would investigate new models rather than simply move my old model.

The thought of keeping all of one’s sensitive identification secrets in the cloud is a difficult concept at first. We regularly hear about secure sites being compromised – can it really be practical to take all of your passwords, PINs, account numbers, and secret bits of information and make them accessible from anywhere? I believe the answer is yes. Yes, it makes sense, and yes we need to do it. The Internet is everywhere with universal access as one of its key strengths. If you are going to live on the net, you need to deal with net security. Just like Californians need to deal with earthquakes.

The Internet is only useful with some trust and reasonable security. Not long ago (5 years?) there was still fear about entering credit cards online – but the net evolved. Better security and education have now made that an acceptable practice. Today, it is fairly common practice to access key financial institutions, even credit card balances and applications, etc. on the net. My bank even lets me write checks (billpay) online – without any valid ID or signature. This practice has crossed the bounds into “reasonable” and is rapidly growing in popularity. While traveling in Europe, I got an email that one of my credit cards expired on a monthly recurring service I don’t think much about. I didn’t have that userid and password with me, so I was forced to deal with it later. I’ve said it before, we live in a world of mobility, stop blaming things on mobility – deal with it.

So this started my search for an online service offering password management, along with some healthy curiosity about their security model. If you have your own host – say a Terminal Server, the Microsoft model with Excel isn’t bad. But I decided to search for a service that requires only a browser. The service I found which I think I like is quite intriguing. It is called Clipperz. This site pushes a concept of zero knowledge – that is they don’t want to know anything about me or my data. It is actually a pretty clever model, because even if they are hacked or accidentally employ a dangerous hacker – they don’t have sensitive information to divulge. Let me explain.

First off, they don’t know who I am. I don’t create a userid that links to me – no email, no name, no credit card (this of course makes charging for their service a bit tricky – currently free). The data I send them is encrypted by a strong key which I choose. They don’t store the key. See, in most encryption schemes, both the sender and receiver need to know the key – I send Amazon my credit card encrypted over the network, and they decrypt it once they get it. But Clipperz doesn’t need to decrypt the file to simply store it. They don’t want to know the key (zero knowledge) and encourage me to pick a very strong key.

All this begs the question – who is doing the encrypting then? It is all done in the browser. Modern browsers actually have quite a bit of encryption capability – that’s why credit card transactions are now largely considered safe on the Internet. It uses the browser’s built-in encryption to send the information over the net. But in this case, my password information is first encrypted by the browser using a Clipperz JavaScript applet. What is sent over the Internet is double encrypted. The applet encrypts the text using a passphrase that is not sent over the net. The data is stored under a unique username I created. The username doesn’t link to me. If a hacker got into the systems, they find a unique username and encrypted data – and that’s it.
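The model described above, as an added example that is not Clipperz's code or part of the original post: the client derives a key from the passphrase, encrypts locally, and uploads only ciphertext under an opaque username. PBKDF2, AES-128-GCM, the record layout and the `serverStore` map are assumptions chosen for illustration, and only the inner passphrase-based layer is shown, not the transport encryption.

```javascript
// Added example: Node.js standard library only. The KDF, cipher and record
// layout are assumptions, not Clipperz's actual scheme.
const nodeCrypto = require('node:crypto');

// Derive a 128-bit key from the passphrase. This runs on the client only.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, 200000, 16, 'sha256');
}

// Encrypt a card locally; the returned record is all the server ever receives.
function sealCard(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), body };
}

// Decrypt a record fetched from the server; throws if the passphrase is wrong
// or the stored bytes were modified (GCM authentication fails).
function openCard(passphrase, rec) {
  const d = nodeCrypto.createDecipheriv('aes-128-gcm', deriveKey(passphrase, rec.salt), rec.iv);
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.body), d.final()]).toString('utf8');
}

// Hypothetical server: a map from an opaque username to an opaque record.
const serverStore = new Map();

function demo() {
  const passphrase = 'Seven green Otters, 4 maps & one quiet Harbor!'; // constructed
  const secret = 'Visa lost-card line: 555-0100';                      // constructed
  serverStore.set('user-7f3a', sealCard(passphrase, secret));

  // What an intruder on the server would obtain: salt, IV, tag and ciphertext.
  const stored = serverStore.get('user-7f3a');
  const leaked = Buffer.concat([stored.salt, stored.iv, stored.tag, stored.body]);
  let wrongRejected = false;
  try { openCard('guess', stored); } catch (e) { wrongRejected = true; }
  return {
    roundTrip: openCard(passphrase, stored),
    plaintextOnServer: leaked.includes(Buffer.from(secret)),
    wrongRejected,
  };
}

console.log(demo());
```

Because the server holds the salt and ciphertext, an attacker who steals them can still guess passphrases offline, which is why the strength of the passphrase matters so much in this design.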

Now with the basic design out of the way, let’s address some of the pointy stick questions:

  1. Can’t the JavaScript applet be compromised? Yes, this is the weak link. However, there are some precautions you can take around this. The certified code (open source) can have its checksum compared. The site offers everything you need to do this. They also provide a script to test checksums with your specific MD5 key which can be hosted on a different server.
  2. Are there restrictions about the passphrase? Not really, it can be as short or as long as you like (Excel wants a pretty short password). They recommend about 8 words with punctuation and random uppercase/number substitutes to create the strongest phrase. It uses 128 bit encryption.
  3. Won’t a keyboard logger defeat the security? In addition to your passphrase, you can optionally create a number of one-time disposable passphrases. In this case, Clipperz can generate these 32 character codes and print them on an otherwise blank sheet of paper. If you find yourself using an Internet café or library computer to access your information (where keyboard loggers are common), you can use this one-time code. As soon as this one-time code is used, it is logged (IP address, OS, browser, and country) and deactivated. Clipperz can also directly log you into a desired site using your browser again – so you don’t have to type in the password of your destination. This “One Click login” is very clever and completely browser based (new session is from your browser, not their server).
  4. What about offline access? This is fairly clever. Since Clipperz is using the browser’s encryption capability – it is possible to create an offline HTML version to be saved on your desktop. This is a read-only file, but still encrypted. Simply download the file to your computer and it can be accessed from any browser (Linux, Mac, Windows). Access all your secret information from a submarine.

I have gradually started moving data over. I am finding the service very useful and friendly – and I am enjoying my freedom of not having to use my PC. I can access the data from the three different workstations I primarily use. The service is free, but accepts donations. I am considering using separate userIDs to split up some of my information – one more layer of security.

Clipperz slideshow overview:

An introduction to Clipperz
