Hi Amos, I checked a little bit about clipperz.com.

The fact that it's open source doesn't make it secure. The passwd is saved on their server (even though it's encrypted). Encrypted data is reversible. No matter what. This raises a few questions:

1. How much do you trust them? Dictionary attacks, brute force attacks and rainbow hash tables are just a few to mention in this case.
2. A potential hacker will be attracted to their site. How long will it take to hack it? See this: http://www.downloadsquad.com/2007/03/27/a-1-second-reminder-why-you-should-use-better-passwords/
3. Key loggers? Do they have a one-time passphrase?
4. My 2 cents: they keep your passphrase and hide it as useful software.
5. What happens if they are DoS attacked? There are many more aspects to this, but you get the idea.
6. Security disk Linux (backdoored and written by the NSA). If you check the code, you can change it, but how many people will do that?

Personally, I wouldn't trust them.

On Wed, Sep 17, 2008 at 3:45 AM, Amos Shapira <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I just heard about Clipperz (clipperz.com), a free, open-source based online encrypted password vault which promises that your passwords never leave your browser in cleartext when sent to them.
>
> It looks appealing for use both privately and for my work. Currently I use pwman3 for both, but this means that:
> 1. If I'm away from home I don't have access to all my passwords (and I use individual passwords for all the sensitive sites like eBay, PayPal, banks, Google etc.). I already remember by heart many of the different passwords, but not all.
> 2. When I'm outside the office and need a rarely used password to access a server, I have to be able to VPN+ssh back and access the computer with the pwman3 database in order to retrieve passwords relating to work (e.g. remotely hosted server passwords, which I hardly use because I rely on public ssh keys, but sometimes that's not available).
>
> Using clipperz.com sounds like a good solution for both situations. I heard of at least one commercial company which uses their online service to "host" their passwords.
>
> They also provide all sorts of ways to back up the data, so in case they are gone, there is still their code and the user's data around to retrieve it.
>
> Since it's open source, I'm thinking of starting with a local server on the internal network, but the hosted service sounds appealing.
>
> My question - has any of the security experts here heard about them, their technology or maybe code they base their project on, and can give a quick, at least semi-informed, "thumbs up/down" about what they think about this service?
>
> Thanks,
>
> --Amos
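The thread turns on one point: a hosted vault that is encrypted in the browser is safe only as far as the passphrase and the key-stretching behind it go, because anyone holding a copy of the server-side blob can check guesses offline. The sketch below is an added example (not Clipperz code and not from either poster) of what such a client uploads and what the server copy allows; it assumes PBKDF2-HMAC-SHA256 for key derivation and uses an HMAC-based toy keystream as a stdlib-only stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Key stretching: every guess costs `iterations` rounds, and the per-vault
    random salt makes a precomputed (rainbow) passphrase->key table useless."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream (assumption: stand-in for a real cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_vault(plaintext: bytes, passphrase: str, iterations: int = 100_000) -> dict:
    """What the browser would upload: salt, nonce, ciphertext, tag. No key material."""
    salt, nonce = os.urandom(16), os.urandom(12)
    k = derive_key(passphrase, salt, iterations)
    enc_key, mac_key = k[:32], k[32:]
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag, "iterations": iterations}

def decrypt_vault(blob: dict, passphrase: str) -> Optional[bytes]:
    """Returns the plaintext, or None when the passphrase is wrong. This same
    check is all an offline guesser has, so once the blob leaks the passphrase
    strength and the iteration count are the entire security margin."""
    k = derive_key(passphrase, blob["salt"], blob["iterations"])
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ s for c, s in zip(blob["ct"], stream))

def seconds_per_guess(iterations: int) -> float:
    """Measured cost of one guess on this machine; a guesser's throughput is
    roughly (cores x hardware speedup) / this figure, so iterations and
    passphrase length are the knobs a vault owner actually controls."""
    start = time.perf_counter()
    derive_key("timing probe", b"\x00" * 16, iterations)  # constructed sample input
    return time.perf_counter() - start
```

Run `seconds_per_guess` with the iteration count a vault really uses and multiply by the size of a plausible dictionary to see how much a weak passphrase leaves to the server operator's goodwill.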