Sara Fink wrote:
Hi Amos,
I checked a little bit about clipperz.com <http://clipperz.com>.
The fact that it's open source doesn't make it secure. The passwd is
saved on their server (even though it's encrypted). Encrypted data is
reversible. No matter what.
This raises a few questions:
1. How much do you trust them? Dictionary attack, brute force attack,
rainbow hash tables are just a few to mention in this case.
2. A potential hacker will be attracted to their site. How long will it
take to hack it? See this:
http://www.downloadsquad.com/2007/03/27/a-1-second-reminder-why-you-should-use-better-passwords/
3. Key loggers? Do they have a one-time passphrase?
4. My 2 cents: they keep your passphrase and hide it as useful software.
5. What happens if they are DoS attacked? There are many more aspects
to this, but you get the idea.
6. Security disk Linux (backdoor and written by the NSA). If you check the
code, you can change it, but how many people will do that?
Personally, I wouldn't trust them.
On Wed, Sep 17, 2008 at 3:45 AM, Amos Shapira <[EMAIL PROTECTED]> wrote:
Hello,
I just heard about Clipperz (clipperz.com <http://clipperz.com>), a
free, open-source based
online encrypted password vault which promises that your passwords
never leave your browser in cleartext when sent to them.
It looks appealing for use both privately and for my work. Currently I
use pwman3 for both but this means that:
1. If I'm away from home I don't have access to all my passwords (and
I use individual passwords for all the sensitive sites like eBay,
PayPal, banks, Google etc). I already remember by heart many of the
different passwords but not all.
2. When I'm outside the office and need a rarely used password to
access a server, I have to be able to VPN+ssh back and access the
computer with the pwman3 database in order to retrieve passwords
relating to work (e.g. remotely hosted server passwords, which I
hardly use because I rely on public ssh keys, but sometimes that's
not available).
Using clipperz.com <http://clipperz.com> sounds like a good solution
for both situations. I heard about at least one commercial company
which uses their online service to "host" their passwords.
They also provide all sorts of ways to back up the data, so in case
they are gone, there is still their code and the user's data around to
retrieve it.
Since it's open source, I'm thinking of starting with a local server on
the internal network, but the hosted service sounds appealing.
My question - has any of the security experts here heard about them,
their technology or maybe code they base their project on and can give
a quick, at least semi-informed, "thumbs up/down" about what they
think about this service?
Thanks,
--Amos
Download the community version and install it on your own server.
Works ok. Still a rough UI and hiccups here and there, but it serves
roaming needs.
One-time passphrase is a great idea.
I don't have the skills to check their security concept in depth,
but it seems ok.
Moish