Sunday, December 14, 2008

Password Managers: Brief review of three good products

PassPack list of passwords and automatic logins

In two previous posts (here and here), I looked at the security problems of using a public computer such as one at a cybercafe. Living in Africa, and in a country whose name is almost synonymous with scams, we need to be especially cautious. On the bright side, of course, there are probably fewer people in Nigerian cybercafes with bank accounts worth the effort of cybercriminals, but that is not very reassuring.

The basic problem of public computers is that they could contain any kind of malware, including the kind that can copy your login credentials (user name and password) and send them off to cybercriminals who can then use them, for example, to log in to your bank or email account. Not a happy thought.

Enter the password managers. These programs let you store your passwords safely somewhere others can't read them. The passwords are encrypted so that only you can get to them, using a "master key" that you alone know. This lets you use a different, high-quality password on each site without the burden of remembering them all. That alone is quite useful, even before considering the issue of public computers.

Perhaps the biggest security problem with most people's passwords is that people tend to use easy, guessable passwords and the same password for many accounts. This is natural, since it is hard to remember different, long passwords (or better, passphrases) for each account. A password manager can generate a long, random password for you, or store the password you choose, so that you don't have to remember it.

In the past couple of weeks, I've looked at three highly-rated password programs: RoboForm, PassPack, and Clipperz. RoboForm stores your passwords on your own computer or flash drive, while the other two store them online.

I have tried mainly the portable RoboForm, called RoboForm2Go, which stores the program and encrypted passwords on a flash drive. This gives me access to the passwords both at home and at work; I could also use the same flash drive on a friend's computer, another computer at work, or a public computer with an available USB port and have access to the passwords without installing any programs or data onto the other computer.

All three of the programs I tested were fairly easy to use, but I think that RoboForm was the easiest. The program sits in the background and automatically offers to memorize the credentials any time you open a new login page or any page with forms to fill in. The next time you open the page, it offers to fill in the fields automatically.

RoboForm Passcard Editor

How is this different from the automatic password retrieval in Firefox and Internet Explorer? First, with RoboForm2Go you can carry your passwords with you rather than their being stored only on your computer. Second, RoboForm2Go can store many pieces of data besides your user name and password, including first and last name, phone number, address, email addresses, and so on. At your command, it will fill in as much of any form as it can using these stored values. You can store different profiles and identities if, for example, you want to have one set of information for your work and another for your personal life.

Clipperz and PassPack both store your passwords online, and only in encrypted form. The advantage is that this gives you access to them from any Internet-connected computer. On the other hand, you need to trust either service enough to enter your passwords on its web page; for that matter, you have to trust RoboForm in the same way. Since all three companies have been around a while and appear reputable, this seems reasonable. Assuming the companies do what they claim, your decrypted passwords never exist on the Clipperz or PassPack servers; the only thing that gets sent to the server is an encrypted package.

Clipperz login form

With either online service, to retrieve your passwords or to log in directly to a protected site, you first open your Clipperz or PassPack account with your master password. The master password should be strong so that no one else can access your account. PassPack adds another layer of protection by using two master keys: one to log in to your account and retrieve the encrypted package, and a second key, used only on your own computer, to decrypt the package. This means that even someone who breaks your PassPack account password and steals your encrypted package will not be able to decrypt it. It seems to me that if your master password is strong, then the added security is not that important; no one could open your account by a brute force attack, and anyone who manages to steal one password (e.g. with a keylogger or by looking over your shoulder) may just as easily steal two.

Although the two work a bit differently, in essence both Clipperz and PassPack send your encrypted package to your browser, and your own computer performs the decryption to extract the actual passwords or other data. Assuming that you have chosen an unguessable master password to unlock all the others, the only significant risk to your data is the risk that exists on your own computer: that is the only place the unencrypted passwords ever occur. The one thing you still take on trust is the decryption code itself, which your browser downloads from the service on every visit; a compromised or dishonest server could serve a modified page that captures your master password, so this design protects you against a stolen or leaked database, not against a hostile or hijacked website.

RoboForm direct login

All three of the programs (RoboForm, PassPack and Clipperz) allow you to select a service from your stored list and log in directly, so they function as a collection of bookmarks as well as passwords. RoboForm, which by default adds its toolbar to your browser, lets you click on the login button and then select the page you want to navigate to, where it logs you in after entering your saved credentials.

All three programs also let you save notes in the encrypted entries, so you can store your account numbers, credit card info, phone numbers, or whatever you want. PassPack, for example, provides a note field for each entry (figure at right). Clipperz lets you choose from a variety of "cards" pre-formatted for your bank account, credit cards, address book and so on, or you can define your own fields as well as using the Note field that is included in each card.

Both of the online password managers allow you to copy your encrypted data to your own computer so that you can access it without an Internet connection. Their methods differ: PassPack uses separate programs that require either Adobe AIR or Google Gears to run, while Clipperz downloads a large HTML file which you open in your browser just as you do the online version.

Distinctive Features

RoboForm

  • Runs from your own computer or a flash drive. You need a separate license ($) for each computer and each flash drive, though package discounts are available.
  • Fills forms of all kinds from data you store in "identities".
  • The easiest of the three to use when saving new login information.
  • Paid version lets you store separate profiles and identities.
  • Free version limits you to 10 passwords and 2 identities after 30 days.

PassPack Edit Entry Window

PassPack

  • Stores your encrypted data online
  • Two-passwords: one to access your account and another to decrypt your data.
  • Although they cannot retrieve a forgotten decryption password, PassPack staff can roll back your account to use your previous password if you remember that one.
  • Stores and retrieves your data as a single package; updated or new entries are not saved until you click a button to save the package back to the server.
  • You can reach any of your entries quickly, even if there are many, by typing the beginning of the name into the search box.
  • Free version limits you to 100 passwords (but you could open multiple accounts); yearly fee of about $15-20 for unlimited account.
  • Small but growing company, with the responsiveness and accessibility that comes from that.

Clipperz

  • Stores your encrypted data online
  • Stores and retrieves your data as single "cards" as needed; updated or new entries are saved automatically.
  • Freeware (donations accepted), unlimited passwords
  • Not commercial; future development status uncertain, though product is fully-functional as is.

Which is best?

All three of these are good programs, and I think would be quite usable for most people. I found RoboForm to be a little more convenient than the others, but it's not free. I do not think that there is much difference in features and usability between PassPack and Clipperz, though I've only used them for a few weeks. Since all three programs are either free or have free versions, you will probably want to try them out for yourself to see which you prefer. There is no question that any of them will make your life easier if you want to follow good security practices and use strong, different passwords for your various accounts.

Will they protect you on a public computer?

This is a question I will discuss in the next post. The short answer is that while these products probably decrease your risk on a public computer, they do not eliminate it. There is one more service, however, called kyps (keep your password safe) that works quite differently and might be considered safe for use on a public computer.

Features Summary

| Product | Price | Multiple identities | Ease of use | Offline storage | Online storage | Access from any Internet-connected computer | Quick lockout feature |
|---|---|---|---|---|---|---|---|
| RoboForm | $30 ($40 for flash drive version) | Yes | +++ | yes | no | with flash drive version | yes |
| PassPack | 100 entries free; $15-$20/yr for unlimited version | No (but can use multiple accounts) | ++ | yes | yes | yes | yes |
| Clipperz | Free | No (but can use multiple accounts) | ++ | yes | yes | yes | yes |

Import/Export features

E = export, I = import; a blank cell means the option is not offered.

| Product | CSV | HTML/Printable | KeePass | RoboForm | Password Plus | Printable | JSON |
|---|---|---|---|---|---|---|---|
| RoboForm | E? | | | | | | |
| PassPack | E/I | E | | I | I | | |
| Clipperz | I | E | I | I | I | E | E/I |

RoboForm lists its export options as Firefox bookmarks and Internet Explorer favorites. Importable files are Firefox passwords, Outlook contacts, and various favorites and bookmarks. There does not appear to be an option to import or export arbitrary data with passwords, but I have not researched this beyond looking at what the Import and Export buttons on the menu do.


I welcome any corrections to this review as well as different viewpoints and suggestions of different products to consider for the job.

See also

PassPack and Clipperz, head to head

Addendum and corrections arising from comments

"Also, while not native support, there is also a way to run Passpack off of a USB drive. It uses Passpack's Offline version + Google Gears + Portable Firefox: http://tinyurl.com/passpackusb"

1 comment:

  1. Thank you! Excellent comparison. One (tiny) correction. Passpack has a print option as one of the export options.

    Also, while not native support, there is also a way to run Passpack off of a USB drive. It uses Passpack's Offline version + Google Gears + Portable Firefox: http://tinyurl.com/passpackusb

    Tara Kelly
    Passpack Founding Partner
