Blog

How dumb are we?

Clipperz online password manager just won its first award: it is one of the 20 dumbest startups of 2007! Too bad I’ve not prepared my acceptance speech to thank the nice folks at Mashable and Drama 2.0.

Why did Clipperz get on that list?

A web-based tool that enables you to store your passwords, PIN numbers and other sensitive information in one place and to share them with others if desired? If you don’t see the potential problem with this, you probably deserve to have your identity stolen. Who knows - perhaps you’ll get lucky and someone with a little more intelligence will assume it.

Are we upset by this award? Not at all! We firmly believe that trust is a major issue for the future of online services and we appreciate any initiative that can bring more attention to this subject. It certainly gives Clipperz a chance to advocate zero-knowledge web applications to a broader audience.

However, if you are interested in finding out whether Clipperz is a dumb idea or not, I suggest reading the privacy and security section of this website. You can also visit the Clipperz forum and ask our users, or just browse the many interesting discussions about trust, transparency and cryptography. As an example, yesterday I really enjoyed this thread.

Happy holidays!

code talkers
From xkcd

Freedom to import

You no longer have an excuse for keeping your passwords and sensitive data on that password-protected Excel file. It’s not convenient and it’s not safe!

Now Clipperz password manager lets you quickly import from your Excel and CSV files. Similarly, you can now migrate your data to Clipperz from other password managers like Keepass, Roboform and PasswordPlus. The import process is straightforward; read more about it here.

But why move your passwords to Clipperz? Why prefer an online password manager? What’s wrong with the password management functionalities of most browsers? What’s wrong with software-based solutions? It’s not just a matter of security, but mostly of convenience.

  • If you use multiple computers you need to properly sync your password collections on all of them.
  • Not all your passwords are related to web sites, sometimes you just need the admin password for your router.
  • If you are on the road, it won’t help having all your passwords stored on your PC at home.

Luckily most software programs provide export functionalities, often to a standard format like CSV, sometimes to a custom format. And even when no export capabilities are present, a solution can be found. As an example, consider the case of Firefox’s password manager, where you can use Password Exporter, a Firefox extension, to export passwords as either an XML or CSV file.

In the future we are going to support even more formats and programs. Feel free to send in your requests.

import

Clipperz supports Safari and it's faster than ever

Clipperz online password manager is adding some cool new features. Before officially announcing them I’m glad to confirm what some of our users have already discovered: Clipperz does support Safari both on Macs and PCs!

Previously, Clipperz on Safari was extremely slow and suffered from some visualization glitches. Now that Safari 3 is officially out of beta, the Javascript performance is simply astounding. This is not just a personal impression: it has been confirmed by several independent tests.

However, please do write us if you come across any issues. Enjoy!

safari performance

Clipperz Crypto Library, new version available on Google Code

[UPDATED ENTRY]

A new version of the Clipperz Javascript Crypto Library (CCL, since renamed JCL; see the update below) is now available for download from Google Code (since moved to SourceForge). The new release dramatically enhances execution speed (the AES cipher is now at least twice as fast as before) and introduces “deferred” mechanisms for a smoother user experience.

The CCL is a Javascript collection of fundamental cryptographic functions used within the Clipperz password manager. It is also our way to give back to the community of Javascript developers, to which we are deeply indebted. The CCL is released as open source under a revised BSD license (since changed to AGPL; see the update below).

We would love to hear from the 1,716 developers that already downloaded the Clipperz Javascript Crypto Library! Please, send in your comments and suggestions.

Javascript implementations of cryptographic algorithms have been around for years. Some of the pioneers in this field were: John Walker, Chris Veness, Paul Andrew Johnston and Leemon Baird. They all realized that Javascript could turn the browser into a new and ubiquitous “number crunching” tool that comes pre-installed on every modern computer. Even if they mostly wrote code for educational purposes, their work was an important inspiration to us.

While building the security foundation of the online password manager, Giulio had to write from scratch all the needed crypto primitives. He did it with the intellectual rigor of a long-time software developer, aiming to achieve maximum execution speed while preserving modularity and reusability. His achievements were too good to be confined to a single web application, therefore we decided to pack them into a library and make it available to everybody. If you are a web developer and into Javascript, check it out! You can find:

  • the fastest AES-256;
  • the only available Javascript implementation of:
    • Fortuna, a strong pseudo-random number generator
    • SRP, the verifier-based authentication protocol
  • a robust and efficient SHA-2 hash function

Even if you are not interested in zero-knowledge web applications, you could be tempted to exploit browser-based cryptography to improve the security of specific portions of your application. As an example, you could consider replacing your present authentication system with SRP. Feel free to contact us for any further information and support; we’ll be glad to help!
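To show what “verifier-based” means in practice, here is an added Python sketch of an SRP-6a exchange; it is not code from the Clipperz library. The server stores only a salt and a verifier, never the password, and the two sides end up with the same session key only when the client knows the password. It uses the 1024-bit group from RFC 5054 but leaves out the zero-padding of A and B inside the hash, so it is illustrative rather than wire-compatible with other implementations.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A; generator g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts):
    """SHA-256 over byte strings and big-endian integers (no zero-padding:
    simplified relative to RFC 5054, so not wire-compatible with it)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def private_key(username, password, salt):
    """x = H(salt | H(username ":" password)); computed only on the client."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username, password):
    """Enrollment: the client sends (salt, verifier) and the server stores exactly
    that. A stolen verifier g^x cannot be replayed as a credential."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)

def srp_login(username, password, salt, verifier):
    """One authentication run with both sides in one place: the client half
    touches the password, the server half touches only the verifier.
    Returns (client_key, server_key), which match only for the right password."""
    a = secrets.randbelow(N - 2) + 1                 # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1                 # server ephemeral secret
    A = pow(g, a, N)                                 # client -> server
    B = (k * verifier + pow(g, b, N)) % N            # server -> client
    if A == 0 or B == 0:                             # each side rejects a degenerate value
        raise ValueError("invalid public value")
    u = H(A, B)                                      # scrambling parameter
    x = private_key(username, password, salt)        # client only
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(verifier, u, N) % N, b, N)
    return H(s_client), H(s_server)                  # session keys, to be confirmed with proof messages
```

A complete protocol would add the key-confirmation messages M1 and M2 after this point; the sketch stops once both sides hold the shared key.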

Recently we’ve approached elliptic curve cryptography (ECC). The code already included in the library is still very slow and incomplete. We would love to improve it and develop all the components of a public-key cryptographic system based on elliptic curves. It’s an ambitious and complex plan. Any volunteer to help?


UPDATE

The Clipperz Crypto Library, now JavaScript Crypto Library, changed its license from BSD to AGPL. As a consequence it was moved from Google Code to SourceForge. Read more here.

And the winners are ...

To pick the winners of the Clipperz drawing we used a random number generated by the Clipperz password manager itself and looked for 2-digit numbers within the range 1-44, 44 being the total number of donations we received. The first valid numbers were 15 and 42. They correspond to the following lucky donors:

  • Cristian Escalante from São Paulo (Brazil)
  • Mike Schroll from Cambridge MA (USA)

Congratulations! We look forward to receiving a picture of you wearing the Clipperz T-shirt in a crowded place! ;-)

drawing results

To make a donation to Clipperz visit this page.

Defeat keyloggers: one-time passphrases plus one-click logins

One good thing about web applications is the ability to access them from any Internet-enabled computer. However, logging in to online services from public computers such as those found in internet cafes and libraries could expose your online credentials to keyloggers.

To some, keystroke logging may seem a remote threat, but it is not, and it can be easily achieved by both hardware and software means. Hardware keyloggers can be bought from legitimate vendors, while writing keylogging software is trivial, and like any other computer program a software keylogger can be distributed as a trojan horse or as part of a virus.

How to defeat keyloggers? How can I safely access my online accounts without revealing usernames and passwords to keyloggers?

There are several approaches: anti-spyware tools to detect them, firewalls to prevent transmission of the stolen data over the net, on-screen keyboards and several others. All of them provide only partial protection and often require administrator rights. Not very useful on public computers.

Clipperz password manager now offers an optimal solution: one-time passphrases combined with one-click logins!

A one-time passphrase works like a regular Clipperz passphrase, but it can be used only once. If the same passphrase is used again at a later stage in a login attempt it will be rejected and the login process will fail.

Suppose you are on vacation, but you need to check your webmail and bank accounts for some important work stuff. There is a nice internet cafe just in front of your hotel. You sit at one of the several computers available. The place is crowded, you notice a few people peering over your shoulder; moreover the Windows XP workstation you grabbed looks really suspicious: pop-ups everywhere, weird programs running in the background, bulgy keyboard connectors, …

It’s a keylogging ambush, but you know a smooth and secure path out of it!

  1. Login to your Clipperz account using a one-time passphrase.
  2. Click on the webmail direct login. Click on your bank direct login.
  3. Enjoy your exclusive online safety!

To learn more about using one-time passphrases in Clipperz, see this page.

one-time passphrase login

Login history: a little security addition

The nasty thing about identity theft is that victims are usually not aware of the crime, at least not until the consequent damage becomes self-evident. And, of course, early detection can often avoid more serious outcomes.

Clipperz password manager now provides its users with a new tool: their complete login history. Every time a user successfully logs in to Clipperz, the following information is logged:

  • IP address (and therefore the geographic area)
  • request date and time
  • browser type and operating system

This information is prominently presented to the user right after logging in.

login history

Did I just come back from Israel? No! Therefore I have a problem!

Of course this screenshot is forged, but it shows how login data can be used to provide a clear, visual indication of unusual activities on a Clipperz account.

(I selected Israel because I just learned that Israel was the country with the most malicious activity per Internet user in the first six months of 2007! See the Internet Security Threat Report by Symantec. No offense to our Israeli friends and users!)
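The check a user performs by eye on the login-history screen, written out as an added Python example (not Clipperz code): each record carries the three fields listed above, and a login is flagged when its country or its browser/OS pair has not appeared in an earlier, unflagged login. The IP-to-country table and the sample history are constructed for the example; a real deployment would consult a GeoIP database.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed IP-prefix -> country table standing in for a real GeoIP database
# (RFC 5737 documentation ranges, so none of these addresses is real).
GEO_TABLE = {"203.0.113.": "IT", "198.51.100.": "IL", "192.0.2.": "US"}

@dataclass
class LoginRecord:
    ip: str             # IP address (and therefore the geographic area)
    timestamp: datetime # request date and time
    browser: str        # browser type
    os: str             # operating system

def country_of(ip):
    for prefix, country in GEO_TABLE.items():
        if ip.startswith(prefix):
            return country
    return "??"

def flag_unusual_logins(history):
    """Walk the history in order and flag any login whose country or browser/OS
    pair is new. Only unflagged logins extend the baseline, so a repeated login
    from an unfamiliar place keeps standing out until the owner has checked it."""
    seen_countries, seen_agents, flags = set(), set(), []
    for rec in history:
        country, agent = country_of(rec.ip), (rec.browser, rec.os)
        reasons = []
        if seen_countries and country not in seen_countries:
            reasons.append(f"new country {country}")
        if seen_agents and agent not in seen_agents:
            reasons.append(f"new browser/OS {rec.browser} on {rec.os}")
        if reasons:
            flags.append((rec, reasons))
        else:
            seen_countries.add(country)
            seen_agents.add(agent)
    return flags

def report(history):
    """One line per flagged login, in the spirit of the screenshot above."""
    return [f"{rec.timestamp:%Y-%m-%d %H:%M} {rec.ip}: " + "; ".join(reasons)
            for rec, reasons in flag_unusual_logins(history)]

# Constructed sample history: the owner logs in from Italy with Firefox on XP;
# the third entry is the kind of line that should jump out of the list.
SAMPLE_HISTORY = [
    LoginRecord("203.0.113.7", datetime(2007, 10, 1, 9, 12), "Firefox 2", "Windows XP"),
    LoginRecord("203.0.113.9", datetime(2007, 10, 2, 18, 40), "Firefox 2", "Windows XP"),
    LoginRecord("198.51.100.23", datetime(2007, 10, 3, 3, 5), "Internet Explorer 6", "Windows 2000"),
    LoginRecord("203.0.113.7", datetime(2007, 10, 3, 8, 30), "Firefox 2", "Windows XP"),
]
```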

Is that an encrypted file? Follow me to the police station!

More than a year ago, I wrote a post about the terrifying announcement of the forthcoming Regulation of Investigatory Powers Act (RIPA) in the United Kingdom. RIPA went into effect a few days ago, and it’s even worse than expected.

RIPA makes it a crime to refuse to decrypt almost any encrypted data requested by authorities as part of a criminal or terror investigation. Individuals who are believed to have the cryptographic keys necessary for such decryption will face up to 5 years in prison for failing to comply with police or military orders to hand over either the cryptographic keys, or the data in a decrypted form.

The new law is frightening but also stupid, luckily.

The law can only be applied to data residing in the UK, hosted on UK servers, or stored on devices located within the UK. The law does not authorize the UK government to intercept encrypted materials in transit on the Internet via the UK […].

So to protect your data from RIPA, you still have two possible strategies:

  1. If you have enough technical skills, hide your encrypted stuff using tools like TrueCrypt or steganography; this prevents any accusation of owning encrypted material.
  2. Move your encrypted data outside UK.

As I said before, the UK government is going to deprive honest and law-abiding citizens of their liberties while criminals can carry on their business as usual, with just a little software upgrade.

Do you password-protect Word, Excel and PDF documents? Do you use password managers like Keepass or Roboform? Do you carry an encrypted USB drive in your pocket? If your answer is yes, I hope you are not a UK resident …

Laws like RIPA are another good reason to use Clipperz online password manager as a digital vault for your confidential data. Clipperz is anonymous, web-based and follows a strict zero-knowledge methodology. And it’s free too. And not based in the UK!

Maybe it’s time to move to Clipperz the content of that Excel file with all your passwords …

UK Royal Coat of Arms

Et voilà: Clipperz en français!

Clipperz password manager is now available in French. Emmanuel Pays and Antonin Enfrun have done a great job in translating the Clipperz interface to French, a language spoken by more than 100 million people around the world.

As usual, feel free to send in your corrections and suggestions. Users with their browser location set to a French-speaking country will automatically see the French version of Clipperz. However, regardless of the browser settings, users can save their favorite language in the “Account > Preferences” section.

(Clipperz is also available in English, Chinese, Portuguese, Italian, Japanese and Spanish)

mot de passe tattoo
(picture from Blagman)

Clipperz drawing: win a T-shirt!

Giulio and I want to say thanks to those who have sent donations to Clipperz! Donations are a nice way to show your appreciation for our hard work. We would really be happy to build a viable business out of donations and keep Clipperz password manager a free service!

Therefore here is a little incentive: make a donation and automatically enter a drawing to win one of two Clipperz T-shirts! All past donors, no matter how much they donated, are included in the drawing as well.

The 2 winners will be announced October 15. All those who send their donations before October 14 are eligible for the drawing.

t-shirt

Believe it or not, here is how we will pick the winners:

  1. Donations are numbered as they come in.
  2. A random number is generated using the Clipperz password generator.
  3. The first 2 groups of 2 digits will be used to select the winners. As an example, consider the screenshot below: the winners are donors number 2 and 29. If a two-digit number is higher than the total number of donations, the next two digits will be considered.
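The selection rule from steps 2 and 3, written out as an added Python example (not Clipperz code); it is also the rule used for the October drawing announced above, where 44 donations produced winners 15 and 42. The digit strings are constructed, and the function goes a little beyond the post by also skipping “00” and a number already drawn, so no donor can win twice.

```python
def digits_of(generated):
    """Keep only the digits of a generated password string. The post says a
    random number comes from the Clipperz password generator; treating any
    non-digit characters as padding is an assumption made for this example."""
    return "".join(ch for ch in generated if ch.isdigit())

def pick_winners(random_digits, total_donations, winners_needed=2):
    """Split the digits into consecutive, non-overlapping 2-digit groups and keep
    the first groups that fall in 1..total_donations. Rejecting out-of-range
    groups and moving on keeps every donor equally likely, provided the digits
    themselves are uniform. Returns fewer winners than requested if the digits
    run out; a trailing single digit is ignored."""
    if not 1 <= total_donations <= 99:
        raise ValueError("the 2-digit scheme covers 1 to 99 donations")
    winners = []
    for i in range(0, len(random_digits) - 1, 2):
        candidate = int(random_digits[i:i + 2])
        # "00", anything above the donation count, and repeats are skipped
        if 1 <= candidate <= total_donations and candidate not in winners:
            winners.append(candidate)
            if len(winners) == winners_needed:
                break
    return winners

# Constructed digit strings: the first reproduces the announced result for
# 44 donations (67 and 99 are rejected, 15 and 42 are kept); the second
# reproduces the screenshot example, donors 2 and 29.
OCTOBER_DRAW = "6715994203"
SCREENSHOT_DRAW = "0229"
```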

draw
