July 23, 2008
Zero-Knowledge Password Management
Ed showed me Clipperz a few weeks ago. It’s a Web password management app that purports to allow you to store all your passwords up in the cloud, with encryption done on the client end (in your browser), so even if your clipperz.com account is compromised, your passwords are secure:
“A web-based password manager seems insanely insecure, but not so if you implement it as a zero-knowledge web app. It’s basically like keeping a local HTML file with all your passwords and JavaScript which allows you to click on those passwords and have it launch the appropriate page and log in to the service in question (Google, Facebook, whatever) — except that instead of keeping it locally you’re keeping an encrypted version of it on clipperz.com’s servers.
“As far as usage goes, it’s pretty simple, but unusual. In a normal web app, you log in once, after which you are recognized by cookies until some timeout period. That’s because you’re logging in to an app running on the server, and cookies help maintain the illusion of a persistent connection. In clipperz, the app is running in your browser. So if you close the page and come back to it, you have to log in again. But you can leave that page open forever and it never times out, because there’s a real connection between you and the app (an open browser window) so there’s no need for the whole cookie deal.
“Adding logins to the app is an unusual process but easy once you get used to it. When you’re on the login page to the service in question (myspace, yahoo, whatever) with your username and password typed in the blanks, you can click on a bookmarklet you’ve previously saved from clipperz, and it will extract a chunk of JSON data from the page you’re on, representing the login form, your username, and password. You cut and paste that into your running clipperz session in another tab or window, and it takes that JSON chunk and adds that to its data store, and now you have a clickable link on your clipperz page which will log you in to that service.”
I want to give it a try, if only because it sounds interesting. My password manager of choice is 1Password, which continues to get better. Once it has a site memorized, signing in is just a cmd-\ away. It provides a little extra control where keychain management is concerned, too, so it can require a password after a set period of inactivity. Oh … I guess I wrote it up for PracNet. I wondered why this paragraph sounded familiar.
Ed attracted a little attention from a Clipperz rival, too. You’ll see that in the comments.
Posted by mhall at 5:32 PM