Thoughts on Systems

Emil Sit

Nov 16, 2008 - 3 minute read - Technology authentication clipperz passpack password security

The difference between Clipperz and PassPack

Clipperz and PassPack are two web services that store your passwords for you, and provide one (or two) click login to those sites whose passwords it keeps. In doing so, these services hopefully encourage you to select strong passwords that you wouldn’t otherwise be able to remember and thus improve your overall security. Aiming to be the one basket in which you keep all your eggs, both services work very hard to provide you with adequate security.

There are clearly technical differences in the services. PassPack has more user-visible phishing protection; Clipperz doesn’t transmit your password anywhere, instead providing mutual authentication using SRP. PassPack requires much longer passphrases; Clipperz has a better (though somewhat harder to set up) system for automatically logging into remote sites. PassPack autolocks your data, though it’s not clear what that does in a technical sense (e.g., does it scrub memory?). But both only store encrypted data and have your browser do all the crypto, which is (for me) a major attraction.
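To make the SRP point concrete, here is an added example (not code from Clipperz or PassPack) that walks through one SRP-6a login in pure Python. The 128-bit safe prime is a constructed demonstration group so the script runs instantly; real deployments use the RFC 5054 groups of 2048 bits and up. The names `register`, `Client`, `Server` and `run_login` are this example's own. It shows what the paragraph claims: the server stores only a salt and a verifier, the password never appears on the wire, and each side proves to the other that it derived the same session key.

```python
"""SRP-6a exchange end to end: enrolment, challenge, mutual proof of key.
Constructed demonstration parameters (128-bit group); not production code."""
import hashlib
import random
import secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with fixed witnesses, so the group search below is deterministic."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0xC0FFEE)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _make_safe_prime(bits):
    """First safe prime N = 2q + 1 with q at or above a fixed odd start (toy group)."""
    q = (1 << (bits - 2)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

N, _q = _make_safe_prime(128)                      # constructed demo group, not RFC 5054
g = next(x for x in range(2, N) if pow(x, 2, N) != 1 and pow(x, _q, N) != 1)
WIDTH = (N.bit_length() + 7) // 8                  # byte width used to pad group elements

def _H(*parts):
    """SHA-256 over the parts; ints are padded to the group width (the PAD of RFC 5054)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(WIDTH, "big") if isinstance(p, int) else p)
    return h.digest()

def _int(b): return int.from_bytes(b, "big")

k = _int(_H(N, g)) % N                             # SRP-6a multiplier

def _x(salt, username, password):
    """Private key x = H(s | H(I ":" P)); only ever computed on the client."""
    return _int(_H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest()))

def register(username, password):
    """Enrolment on the client: the server receives and stores only (salt, verifier)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, _x(salt, username, password), N)

class Client:
    def __init__(self, username, password):
        self.I, self.P = username, password
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)                 # msg 1: client sends (I, A)

    def respond(self, salt, B):
        u = _int(_H(self.A, B))
        if B % N == 0 or u == 0:                   # RFC 5054 safety checks
            raise ValueError("invalid server challenge: abort")
        x = _x(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(S.to_bytes(WIDTH, "big")).digest()
        self.M1 = _H(self.A, B, self.K)            # msg 3: proves the client derived K
        return self.M1

    def check_server(self, M2):
        """Mutual authentication: the server must prove it derived the same K."""
        return secrets.compare_digest(M2, _H(self.A, self.M1, self.K))

class Server:
    def __init__(self, salt, verifier):
        self.s, self.v = salt, verifier            # all the server ever holds
        self.b = secrets.randbelow(N - 1) + 1
        self.B = (k * verifier + pow(g, self.b, N)) % N

    def challenge(self, A):
        if A % N == 0:
            raise ValueError("invalid client A: abort")
        self.A = A
        u = _int(_H(A, self.B))
        S = pow((A * pow(self.v, u, N)) % N, self.b, N)
        self.K = hashlib.sha256(S.to_bytes(WIDTH, "big")).digest()
        return self.s, self.B                      # msg 2: server sends (s, B)

    def check_client(self, M1):
        """Returns M2 only when the client's proof matches, otherwise None."""
        if not secrets.compare_digest(M1, _H(self.A, self.B, self.K)):
            return None
        return _H(self.A, M1, self.K)              # msg 4

def run_login(username, password, salt, verifier):
    """One login; returns (server accepted client, client accepted server, bytes on the wire)."""
    client, server = Client(username, password), Server(salt, verifier)
    s, B = server.challenge(client.A)
    M1 = client.respond(s, B)
    M2 = server.check_client(M1)
    wire = username.encode() + client.A.to_bytes(WIDTH, "big") + s + B.to_bytes(WIDTH, "big") + M1 + (M2 or b"")
    return M2 is not None, bool(M2) and client.check_server(M2), wire
```

The wire transcript is the username, A, the salt, B, M1 and M2: a password-equivalent never crosses it, and a stolen (salt, verifier) pair does not let an attacker log in as the client without a dictionary attack on the verifier, which is why the passphrase-length policy still matters.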

I find some more interesting differences in their terms of service. For their protection, both PassPack and Clipperz use standard lines such as: “You expressly understand and agree that Clipperz shall not be liable to you for any direct, indirect, incidental, special, consequential or exemplary damages […] resulting from unauthorized access to or alteration of your transmissions or data” (taken from Clipperz’s Terms of Service). That is, you are allowed to store access to your million dollar retirement assets, but please don’t hold Clipperz responsible if somehow your use of Clipperz results in those assets being stolen. However, PassPack’s User Agreement has an interesting caveat:

> If your Account is provided to you without charge, you will not use the Service to handle financial data, information and credentials for accessing bank accounts or services provided by financial institutions, including brokerage services;

It’s not clear to me what additional CYA this is supposed to provide. It’s impossible by design for them to verify compliance and it should be a user choice whether to trust PassPack with encrypted credentials to their financial data. To me, it seems more secure than say

Clipperz and PassPack differ in whether you are allowed to audit their service. Clipperz:

> Clipperz grants you a license to use the source code related to the Service for the sole purposes of performing security reviews of the code or enhancing the interoperability of other products and services with the Service.

whereas, PassPack:

> You are prohibited from violating or attempting to violate the security of this Site, including, without limitation, (i) accessing data not intended for you or logging into a server or account that you are not authorized to access; (ii) attempting to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without proper authorization; […]

Clipperz’s terms in this regard are the most reasonable I think I’ve ever seen.

The other main difference is that PassPack is a commercial service so you put your trust in them by establishing a contract. As the Digital Railroad failure fiasco shows, that’s no guarantee. Clipperz is currently not a paid service but is open source; you trust their goodwill and can always roll your own in case of emergency. On the other hand, PassPack has revenue, which means they can continue to innovate whereas Clipperz needs investors or volunteers.

It’s a tough choice. I’m leaning towards Clipperz philosophically but there is a lot to like about PassPack as well.