openID solves this problem and I also tend to use things like backpack from 37 signals for this stuff also.

As Plinan says also Firefox does this fine and also so do the other major browsers out there.

Hacking our servers will be quite useless since Clipperz let you submit confidential information into your browser, but your secrets are locally encrypted by the browser itself before being uploaded to Clipperz. You are not providing Clipperz any data, just a bunch of scrambled bits.

I just wanted to add that you don’t really need to trust us, since _all_ Clipperz source code is available from our website along with checksums to verify its integrity. Further information about performing a security code review of Clipperz are available here:
http://www.clipperz.com/learn_more/reviewing_the_code

Furthermore we released under a BSD license the core crypto functions, the Clipperz Crypto Library is available here: http://code.google.com/p/clipperz.

So, don’t trust us, but check for yourself! :-)

@Darren and Plinan

Browsers could really be a useful tool to store you password, but:
- just your passwords and the many other confidential data of our everyday lives
- if you need to access your web services from more than one terminal an ubiquitous online service works much better

Thanks for discussing Clipperz,
best regards,
Marco

What about the comment of what happens when you are at a public terminal?

I may be at the library or a public work machine and need a password/login. Obviously a keylogger could be used in that case, but that is nearly unavoidable. What about someone coming after the fact or someone hacking into that public machine and getting some kind of locally cached version of your unencrypted info?

Try using a Password Manager – it’s just better. There’s Clipperz. There’s also PassPack (that’s mine). Or if you prefer something not internet based, there’s a plethora of sowftware to choose from.

The important thing is that you choose – and use – a password manager.

OpenID = authentication (no security implied)
Password Manager = secure storage (no authentication implied)

Granted, password manager often *also* do an auto-login that pushes them into the realm of authentication as well, but that’s not the primary function.

Plus, not all passwords are for websites, and not all websites support OpenID. So there’s still plenty of need for a password manager.

OpenID = authentication (no security implied)
Password Manager = secure storage (no authentication implied)

Granted, password manager often *also* do an auto-login that pushes them into the realm of authentication as well, but that’s not the primary function.

Plus, not all passwords are for websites, and not all websites support OpenID. So there’s still plenty of need for a password manager.

By combining disposable logins, with an auto-login feature, you can sucessfully circumvent keyloggers.

PassPack’s autologin tool (coming very soon) uses an anonymous bookmarklet.

The procedure would be: sign into your account using the Disposable Login, add the bookmarklet to the browser’s favorites and use it. You can remove it form the favorites before leaving the terminal, but even if you forget, it won’t work for anyone else. It contains no passwords or account information, and is entirely useless unless there is a PassPack account open in that browser.

All the data in PassPack (and Clipperz – they’re our competitor, and we know their code probably better than they do [wink]) is totally volitile. When the browser window is closed, or you sign out, it’s gone. Completely gone.