While I am a huge proponent of on-the-fly site-specific password hashing, like PasswordMaker, I find that “traditional” password vaults are still necessary. Not all sensitive information is browser-based, like PIN numbers or passwords used in desktop applications. My chosen password hashing method does not work with some sites due to stupid password restrictions. I also, regrettably, share some accounts with co-workers, so I need to use passwords they created. In all of these situations, I need to store the sensitive information in a password vault. I love the convenience and portability of online password managers like PassPack and Clipperz. However, I can’t shake this nagging thought: can I trust PassPack or Clipperz with my life?
I am essentially handing the keys to my life over to the online password manager when I input passwords to my bank accounts, credit cards, accounts for work, etc. If these passwords are compromised, I could lose time, money, reputation, credit rating, career, and my whole identity. In short, my life could easily be ruined. The greatest hurdle by far that PassPack and Clipperz must overcome is convincing the world that such worst-case scenarios are impossible, or at least no more probable than with any other password management system.
Before I continue, I’d like to state that I have no reason to doubt the integrity of the awesome people behind PassPack and Clipperz. I am playing devil’s advocate and exploring the most remote possibilities (ex. developer’s family kidnapped by the Mafia and forced to steal our passwords) because the stakes are so high in the game of password management. I sincerely hope that PassPack and Clipperz can find ways to gain the trust of the general public and grow to become staple web services.
Mashable published a guest post by “web skeptic Drama 2.0” called The Dumbest Startups of 2007. The list includes Clipperz.
A web-based tool that enables you to store your passwords, PIN numbers and other sensitive information in one place and to share them with others if desired? If you don’t see the potential problem with this, you probably deserve to have your identity stolen. Who knows - perhaps you’ll get lucky and someone with a little more intelligence will assume it.
Calling the idea behind Clipperz or PassPack dumb is incredibly short-sighted, unimaginative, and rude. I am disappointed that Mashable would post such rubbish. But the quote does remind us that if our password manager is compromised, the consequences are catastrophic.
PassPack goes to great lengths in promoting the security features of the service, like here and here. One of these features is the concept of Host-Proof Hosting, where data is encrypted in the browser before it is transmitted and stored, so that even the web host cannot gain access to the information. PassPack also has a Privacy Policy that seems to be written with care specifically for PassPack and not a mere boilerplate document full of legalese like most web services.
While PassPack claims to only know as much about the users as they need to in order to provide the service, Clipperz promotes the concept of “zero-knowledge”, that Clipperz should know nothing about the users. There is much debate about whether “zero-knowledge” makes sense, but it seems like a laudable goal to me, if it can be achieved.
Clipperz also released the source code of their security functions for public review. The idea is that no user should trust Clipperz on blind faith, but rather review the source code themselves before passing judgment. I hope PassPack will also release their source code for review in a similar manner. Personally, I much prefer transparency and public scrutiny to security through obscurity.
However, I am not at all satisfied by the mere fact that source code is available for community review. I and most end-users are not developers or security experts. I cannot conduct my own review of the source code. I cannot even know if the source code released is all the code required to be convinced of Clipperz’s security. I also do not know if it is possible for Clipperz or PassPack to show us source code that is different from code that actually powers the service.
It would be a bit different if PassPack or Clipperz were used by millions of users. In such a large userbase, there are bound to be competent developers or security experts who would review and publish their findings. (On an unrelated note, amongst a userbase of millions, I would be a drop in the ocean even if there is a security breach, a small but definite comfort.) Unfortunately, PassPack and Clipperz have relatively small communities. Compete.com shows that traffic to the two sites is so low that the statistics shown are only rough estimates. Also, Compete.com doesn’t list PassPack as a “trusted” site. Quantcast has even less data for the two sites. Thus, Clipperz’s statement that “it would be enough that a single person found a broken statement in it, to kill the whole project and company” isn’t very convincing to me due to the limited community.
Is there a solution to this trust problem?
As mentioned above, I hope PassPack releases its source code for public review.
Many have asked for third-party security audits of Clipperz, like here and here. I agree. Obviously, a third-party audit is not a silver bullet. Third-party audits are generally paid for by the party being audited. There is a basic conflict of interest there. The same can be said of financial rating firms like Standard and Poor’s or Moody’s, which are paid by the entities they are rating. In fact, S&P and Moody’s failed us big time in the whole American subprime debacle. Nevertheless, we can be relatively certain that such audit and rating firms are not intentionally creating false reports. Ultimately, being wrong about their predictions and analyses hurts them far more than the short-term financial gains from giving clients good reports.
The bigger problem is that third-party audits cost money. Startups like Clipperz and PassPack probably cannot afford it. Perhaps they could shop around for a security audit service, publish their intention to get audited by this service, publish details and qualifications of this service, and then start a donation drive to raise money solely for this security audit? (Is Sxip a possibility? They call themselves the market leader in “Identity 2.0” and are the people behind Sxipper, a form filler browser plugin with some password management features.)
Here’s a crazy idea: what about mutual security audits by PassPack and Clipperz? That is, PassPack and Clipperz perform security audits on each other. While they are competitors, I’m sure both are more than willing to help each other succeed as mainstream adoption of online password vaults is a great boon to both.
PassPack and Clipperz should actively solicit security reviews from knowledgeable users. Existing users who are fans of the service might be willing to conduct a semi-formal review for free.
Reach out to Computer Science professors at major universities who specialize in information assurance and security. Encourage the use of PassPack/Clipperz as case studies or material in classes and student projects. This could net formal studies performed by knowledgeable students and computer scientists for free. Professor Gene Spafford perhaps? He has written about password vaults.
I believe that both PassPack and Clipperz need to explain their business plans and profit model in detail. The more we know about how they plan to make money, the more comfortable we will be.
I’d also be satisfied if PassPack or Clipperz were funded by (and thus guaranteed by) a large and reputable corporation, preferably a public company. Pitch to Google, anyone?
Are there other ways to gain the typical end-user’s trust?
If you liked this post, please subscribe to my feed. Thanks for visiting!


Dear Tummblr,
thanks for the great post!
Host-proof hosting, ie. encryption on the browser, is not enough to drift the attention away from trusting us, the developers, and let users focus on trusting the application.
Clipperz is the first “zero-knowledge web application” and it’s based on the following rules:
- encryption on the browser (host-proof hosting)
- hide nothing (source code available, tools for checking code integrity, …)
- prevent code changes (download all the code before login, avoid code injections, …)
- learn nothing!
The password manager is just our first experiment, but we have plenty of ideas about other contexts that could benefit from a zero-knowledge approach.
Think of corporate wikis, online poker sites, web chats, health records, …
With regard to the business model, Clipperz password manager is free and it will always be free. We need a large community of users, a large number of eyeballs looking at our code to validate the zero-knowledge paradigm!
We are currently accepting donations to sustain the project.
Thanks again, great post,
Marco
Clipperz co-founder
Hi there.
First - great post! Thank you for taking the time to do such an in depth analysis. You touched on a lot of points, so I’m going to just list off some bullets below:
* Compete.com
I checked their FAQ [http://compete.com/help#snp8] and it seems the trust score uses GeoTrust. We have our SSL certificate via Comodo, Clipperz has theirs on Equifax (which is owned by GeoTrust http://tinyurl.com/2azzvc). I’ve written their support team to understand how this affects my trust score. THANK you for pointing this out. I’ll let you know Compete’s reply.
* Traffic & Users
Yeah, we’re still just getting started. But there is growth. I’ll let you know when we get to a million
* Releasing the source code for public review
Absolutely. We will be doing this.
* Third-party Security Audits
Yes, we’ll be doing these too. It’s in the budget.
* Business & Profit Model
We’ll be using the Freemium model. I believe the first time I mentioned upgrades was here: http://tinyurl.com/347h8z and we actually wound up changing our pricing plan based on user feedback in the comments. The paid packages will expand accounts and also add some features, mostly for businesses http://tinyurl.com/36lxhc
We actually have a business plan
With the upcoming release of Beta 6, we’ll also be doing a site redesign so I’ll make sure to make this info more easily available.
* Funding
I can’t release any information now about funding, but it is undoubtedly top of the list for us.
* Other ideas
I LOVE your ideas on collaboration and getting some free security audits. I’ll definitely look into that. Thanks.
I think I addressed all the macro issues you raised, but please let me know if you want more or different information.
Cheers to you,
Tara
PassPack Founding Partner
Wow this sure got some attention. lmao
Anyway I use Clipperz and love it. It solves my problem of having many passwords and using many machines, some not even my own. Having the source code public was one of the reasons I chose that site. I did look at the source code; tho I’m no security expert, I can code a bit. I have no data there truly important tho, just passwords to e-mail and social sites and stuff.
Great article.
@Marco and Tara: Thank you both for your comments. Glad to hear that there are many great things in the pipelines. Looking forward to them!
@Starhawk: You must be the only one who follows my random ramblings. Thanks, it certainly makes my day. ^_^
LOL
I subscribe to about 600 blogs, just don’t have time to comment on them all, but yeah, yours is one of them.
Thanks to you - I’ve added you to my feeds now. At least half my feeds are from great blogs I’ve discovered via PassPack-related issues.
I also just posted to our blog about our Profit Model:
http://passpack.wordpress.com/2008/02/20/passpacks-profit-model/
Now onto those collaboration suggestions…
Cheers!
Tara