Password Storage Clipperz and Keepass

I have been using http://clipperz.com for about a year now for password encryption/storage and am very pleased with it. I do have one caveat. I created a new account and immediately stored all the userid and password info into clipperz.com and logged out. The next day I logged into clipperz.com to retrieve that info and to my horror I discovered that this one particular record was CORRUPT. Fortunately, I was able to recreate the information but I suddenly realized that to be safe and secure, one should log out and then retrieve a new password just to make certain that it is readable. Also, one should BACK UP clipperz daily and keep a folder with all backups just in case one has to revert to some previous backup to retrieve something.

I was totally mistaken about one essential matter regarding clipperz. I realized that there was a way to EXPORT clipperz to a .JSON file (which is their format of export file). I assumed that I should regularly export JSON files in addition to the off-line backup files. I also incorrectly assumed that a JSON export was protected by my password. I discovered my error when one day I decided to create a NEW clipperz file and import the JSON. I WAS NOT prompted for any password and it was then that I realized that anyone who has access to a JSON export can easily IMPORT everything to their own clipperz account and thereby gain access to all passwords.

The CORRECT thing to do is to regularly create the OFF LINE copies of clipperz. In the event that you actually need a JSON file, you may create such an export from an off-line backup of clipperz. The off-line copies ALWAYS remain password protected.

Having made these observations about clipperz, I would now like to describe a different password program: KEEPASS.

The following link fully describes all the features of KEEPASS:

http://keepass.info/features.html

NOTE: You can even install KeePass on your Blackberry cell phone by going to the browser on your Blackberry, entering this link http://keepass.info/download.html and clicking on the Blackberry install. You will have to use your desktop Blackberry media manager to copy your password database to a folder on your Blackberry device.

For me the biggest advantage of clipperz is that one may log into one’s account from ANY computer with Internet access (it is not necessary to have your usb-flash-thumb drive with you.)

I suppose one advantage of Keepass is that you may have any number of separate databases with different passwords and open them one at a time with the same Keepass installation.

KEEPASS requires that you have physical access to your password database either on a local hard drive or a usb drive.

I do wonder about security issues when using either Clipperz or Keepass on someone else’s computer. Suppose they have a keystroke logger installed? Would it not be possible for such a logger to report your password information? In the case of Keepass, even if someone knows your password they still must have access to your physical database file. But in the case of Clipperz if someone knows your user ID and your password then they have instant on-line access to all your information.
Perhaps the authors of Clipperz or Keepass will offer some advice with regard to the dangers of keystroke loggers.

By the way, both programs are open source and the source code may be examined by anyone (who is competent to read source code) and re-compiled to assure that there is no spyware at work in these programs. Keepass even advertises that someone is free to take the source code and substitute their own favorite encryption algorithm. Keepass also allows for the possibility of 3rd party plugin/add-ins.

SO WHY WOULD ANYONE WANT TO USE BOTH CLIPPERZ AND KEEPASS?

Well, IF you value your password info and want to be more certain to guard against the possibility of a corrupted record in clipperz, then you can record userid and password info in BOTH clipperz and KEEPASS.

Keepass may be downloaded to a thumb drive and simply unzipped into the folder of your choice (there is no installation involved.) You may then access your passwords from any Windows computer with a USB port.

I have an Ubuntu desktop in addition to a Windows Dell XP. I wanted to see if the thumb drive would also run under Ubuntu. IT IS NOT POSSIBLE to run the .exe under Ubuntu BUT it IS possible to launch your Ubuntu synaptic package manager, search on KEEPASS, and install Keepass on your Ubuntu desktop. Once installed on Ubuntu, Keepass IS able to open the password database created by Windows on the thumb drive.

My plan is to go through my several hundred Clipperz entries and store the more important ones to Keepass. I keep track of which ones I have ported by updating the Clipperz info description field with “KEEPASS.”
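
An added example, not part of the original post and not code from Clipperz or KeePass: a Python sketch that audits a backup folder of the kind described above, flagging any file that parses as plaintext JSON (readable without a password, like the JSON export) and checking that KeePass databases still begin with the KeePass file signature. The sample file names and the JSON record layout are constructed for illustration; a matching signature shows only that the header is intact, not that every record decrypts.

```python
import json
import struct
import tempfile
from pathlib import Path

# KeePass database signature: first 8 bytes, two little-endian uint32 values.
KDB_SIG1 = 0x9AA2D903
KDB_SIG2 = {0xB54BFB65: "keepass-1.x", 0xB54BFB67: "keepass-2.x"}


def classify(path: Path) -> str:
    """Label one backup file: KeePass database, plaintext JSON, or other."""
    data = path.read_bytes()
    if len(data) >= 8:
        sig1, sig2 = struct.unpack("<II", data[:8])
        if sig1 == KDB_SIG1 and sig2 in KDB_SIG2:
            return KDB_SIG2[sig2]
    try:
        parsed = json.loads(data.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return "other"
    # Only structured JSON counts as an export; a bare number or string does not.
    return "plaintext-json" if isinstance(parsed, (dict, list)) else "other"


def audit(folder: Path) -> dict:
    """Map every file under the backup folder to its classification."""
    return {p.name: classify(p) for p in sorted(folder.rglob("*")) if p.is_file()}


def demo() -> dict:
    """Build a constructed backup folder in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample: a readable JSON export (record layout is invented).
        (root / "export.json").write_text(
            json.dumps([{"label": "example site", "password": "not-a-real-secret"}]))
        # Constructed sample: the 8-byte KeePass 2.x signature plus padding.
        (root / "passwords.kdbx").write_bytes(
            struct.pack("<II", KDB_SIG1, 0xB54BFB67) + bytes(32))
        # Constructed sample: a truncated file, as a damaged copy might look.
        (root / "old.kdbx").write_bytes(b"\x03\xd9")
        return audit(root)


if __name__ == "__main__":
    for name, kind in demo().items():
        note = "  <-- readable without any password" if kind == "plaintext-json" else ""
        print(f"{name}: {kind}{note}")
```
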


One Response to “Password Storage Clipperz and Keepass”

  1. Marco Barulli Says:

    Hi William,
    thanks for this post! Your distinction between the JSON export and the offline copy should be made more obvious than it is now.

    With regard to keyloggers, you should avoid typing your Clipperz passphrase from a potentially unsecure computer. Instead you should log in using a one-time passphrase, a feature that Clipperz has provided since its launch. Just go to “Account > Manage one-time passphrase” and generate as many OTPs as you may need.

    Read more here:
    http://www.clipperz.com/users/marco/blog/2007/10/11/defeat_keyloggers_onetime_passphrases_plus_oneclick_logins

    Thanks,
    Marco
