Passwords and Hacking (Part 3)

There are several services that meet these needs. Like the desktop solutions, some cost and some are free. These tools work by encrypting passwords you enter into your browser and saving those encrypted passwords on a server. In many cases the passwords are encrypted in the browser with JavaScript prior to sending them to the server. When you need a password, the server sends the browser the encrypted password and the browser decrypts it for your use.

I found one application called Clipperz. Clipperz provides a service for managing your passwords on their server. They also provide a community source version for personal or internal use, and a commercial license for the same. I have installed the community source version on my web server to manage my passwords. That way they are available whenever and wherever I happen to be. I have KeePass installed on my desktop and am slowly migrating to Clipperz. Clipperz will take a bulk import from KeePass and convert it to its own structure. A future blog will report on the overall ease of use of Clipperz.

Clipperz works by encrypting the provided password in your browser and sending it to the server. It uses the login password as part of the encryption key. At no time is any username or password transmitted to the server in clear-text, even if the server is not using SSL. Decryption is also done in JavaScript in the web browser. This means that even if the server is broken into, your passwords are not readable.

The main disadvantage of encrypting everything in the browser is that there is no way to recover your information should you lose/forget your login passphrase. Your passphrase needs to be easy enough to remember and correctly type, but complex enough so that no one else can guess it. The system does allow you to change your login passphrase, but you are required to know the current passphrase.
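The flow described above, as an added example that is not Clipperz's own code or protocol: a card is encrypted in the browser under a key derived from the login passphrase, so the server only ever stores ciphertext, and a wrong passphrase recovers nothing. It assumes PBKDF2 with AES-GCM from the Web Crypto API; the function names, iteration count and sample card are hypothetical.

```javascript
// Generic passphrase-based client-side encryption; not Clipperz's actual scheme.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const hex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// Derive an AES-256-GCM key from the login passphrase. The salt is not secret
// and is stored beside the ciphertext; the iteration count is an assumed value.
async function deriveKey(passphrase, salt) {
  const material = await webCrypto.subtle.importKey(
    'raw', enc.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return webCrypto.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Runs in the browser: the returned record is all the server ever receives.
async function sealCard(passphrase, card) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16));
  const iv = webCrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(passphrase, salt);
  const ct = await webCrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(JSON.stringify(card)));
  return { salt, iv, ciphertext: new Uint8Array(ct) };
}

// Also runs in the browser. Returns null when the passphrase is wrong:
// GCM authentication fails and nothing else can recover the card.
async function openCard(passphrase, record) {
  const key = await deriveKey(passphrase, record.salt);
  try {
    const pt = await webCrypto.subtle.decrypt(
      { name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    return null;
  }
}

// Constructed sample card; the fields follow the default web-account card.
async function demo() {
  const card = { title: 'Example webmail', url: 'https://mail.example.test/',
                 username: 'alice', password: 'constructed-sample-pw', notes: '' };
  const record = await sealCard('correct horse battery staple', card);
  return { leaked: hex(record.ciphertext).includes(hex(enc.encode(card.password))),
           right: await openCard('correct horse battery staple', record),
           wrong: await openCard('not the passphrase', record) };
}
```

Because the code that performs the encryption is itself delivered by the server, this design protects stored data against a server-side database theft only as long as the served JavaScript is the expected code.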

Clipperz stores your login information in an item called a card. The card contains all of the information necessary to access that protected resource. You can add items to the basic list if you need to. Cards for web accounts contain (by default) the URL, username, password, title, and notes section. Once that information is entered and saved, cards are listed alphabetically by title. There is no other organization, unlike KeePass, which allows you to organize the entries into password groups. It appears that appropriately titling your cards will work almost as well, but it is more awkward.

Storing your passwords in an online application makes it easier to access from multiple computers, including hand-held (phone or tablet) devices. The basic web password card is not ideal because of the need to remember the password as you copy it from the display in Clipperz to the other site’s login page. Clipperz provides a feature called “Direct login” that makes that process easier. That will be reviewed in a future article.