You are here: Home » Blog Archive » Jeff Bohren » The Identity Management Expert » Web Password Management Revisited

Web Password Management Revisited

A while back I blogged about various password management solutions here. Just to follow up on this, Clipperz has made a huge leap forward in that it now supports IE in addition to the Firefox support it had previously. Clipperz has also added Chinese language support.

I tried out the IE version of Clipperz and was able to open a GMail test account using IE 7.0 and the user profile that I had created with the Firefox version. Everything worked fine.

It is interesting to compare the two different architectures of Clipperz and Sxipper. Both do more or less the same thing but take very different approaches. Clipperz stores your credentials and other information in an encrypted form. The data is encrypted in your local browser using client-side encryption (implemented in JavaScript). Sxipper, on the other hand, uses the Firefox Password Manager credential store.

There are some interesting trade-offs here. With Clipperz you have to remember a pass phrase that is used for encryption/decryption. If you forget that, you have lost your stored credentials for good. Clipperz claims to not keep your pass phrase for security reasons (if they stored it for you they could decrypt your credentials).

One big advantage of the Clipperz approach is that your data is available on any browser they support. You can switch to another browser on another computer and access your credentials because Clipperz stores them (encrypted) on their server.
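
The trade-off described above, as an added example that is not Clipperz's code and not part of the original post: the client derives a key from the pass phrase, and the server only ever receives the sealed blob. scrypt, AES-256-GCM (via Node's `crypto` module) and the names `sealVault`/`openVault` are assumptions chosen for illustration, not the algorithms Clipperz uses.

```javascript
const crypto = require("node:crypto");

// Assumption: scrypt stretches the pass phrase into a 256-bit key.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize("NFKC"), salt, 32);
}

// Client side: returns the only thing the server ever stores.
function sealVault(passphrase, credentials) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(credentials), "utf8"),
    cipher.final(),
  ]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

// Client side, on any browser or machine that has fetched the blob.
function openVault(passphrase, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  try {
    const plain = Buffer.concat([
      decipher.update(Buffer.from(blob.ciphertext, "base64")),
      decipher.final(), // throws when the key or the blob is wrong
    ]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // forgotten pass phrase or tampered blob: nothing to recover
  }
}

// Constructed sample record, not real data.
const sample = [{ site: "mail.example", user: "alice", password: "s3cret-constructed" }];
const stored = sealVault("correct horse battery staple", sample);
console.log(Object.keys(stored)); // what the server holds: no key, no plaintext
console.log(openVault("correct horse battery staple", stored));
console.log(openVault("a forgotten pass phrase", stored));
```

Because the blob carries its own salt and nonce, it can be fetched and opened from any client that knows the pass phrase, while the party storing it has nothing to decrypt it with.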

Sxipper on the other hand uses a client side password store. No pass phrase is needed. But there are some drawbacks with this approach. If you switch to another computer or even another browser on the same computer, your credentials aren’t available. Also, Sxipper is not safe to use unless you can guarantee that only trusted people have physical access to the machine. In other words it would not be safe to use in an office environment.

Of course at the moment Sxipper only supports Firefox, which severely limits its usefulness. On Firefox Sxipper uses the Firefox Password Manager which apparently has a serious security issue.

On the plus side, Sxipper does offer OpenID support. Sxipper.com can serve as your OpenID Provider using your Sxipper login.

Which solution do I use? Neither. The benefit offered is not sufficient for me to go through the vetting process I would need to go through to trust Clipperz with my passwords. At the same time I would never use anything based on the Firefox Password Manager so Sxipper is a non-starter for me.

It’s not that I’m not a trusting person... yes it is.

And while this may sound heretical to the Identity community, I am not really interested in using Firefox for my day to day use.

Marco Barulli from Clipperz has some very interesting thoughts in this area. His blog is here. I remain very impressed with the work Clipperz has done and their commitment to openness and transparency.


Wednesday, July 11, 2007

Sxipper

Posted by Matt Herdon at 2007-07-16 19:11
You'll be happy to hear that each Sxipper concern you raised will be addressed. On the issue of protection, it is recommended that Firefox users set the master password, to prevent others from viewing stored passwords. Currently, Sxipper combines password management/generation, form filling, and secure OpenID provision. Our goal is to give you convenient, secure identity management for the web. To that end, new capabilities and services, such as our disposable email service, are being added. Thanks for the mention, and hopefully we attract you back to Sxipper some day soon! -Matt, product manager, Sxipper.
 
