security

Login history: a little security addition

The nasty thing about identity theft is that victims are usually not aware of the crime, at least not until the consequent damage becomes self-evident. And, of course, early detection can often avoid more serious outcomes.

Anatomy of a zero-knowledge web application

UPDATED ENTRY

When we launched our online password manager, we dubbed it the first example of a zero-knowledge web application. We simply meant that Clipperz knows nothing about its users and their data. It was a simplistic and inaccurate definition: the zero-knowledge paradigm needs to be better defined. Our fault.

Clipperz "direct login" vs. Passpack "auto login"

In the previous post I wrote about our zeal in building zero-knowledge web applications and our pledge to never introduce features that could compromise the integrity of our model.

Now I present a comparative analysis of Clipperz and PassPack with regard to the implementation of one-click logins. The analysis will clearly show the benefits of adopting a rigorous zero-knowledge methodology.

When we say "zero-knowledge" we mean it!

A true zero-knowledge web application knows nothing about its users and their data. We have been fascinated by this simple idea since 2005, when we started this blog. Since then it has become our obsession.

User authentication and online password managers

Authentication is an essential part of any web application. But why are web service providers so secretive about their authentication protocols and procedures? Why are they not disclosing any information about how users’ credentials are communicated, verified and stored?

Build script for Clipperz password manager now available

Clipperz password manager is a huge Javascript application downloaded to your browser before you sign in. No further Javascript code is downloaded to your browser after the login page is loaded. Therefore it’s quite easy to take a look at the whole application code and verify that it is a genuine version.

When 128 bits are not enough to protect your passwords

Clipperz online password manager is a cryptographic system designed and built to achieve a 128-bit security level. This could be an obscure statement, so I will try to clarify it.

Password strength indicators

Using a password manager is not merely convenient, it’s an effective way to adopt better security practices without too much stress. It basically boils down to two rules: 1) never re-use the same password, 2) use strong passwords.

But could you gauge the strength of your passwords? Can you easily determine how much entropy they contain?

Clipperz and the path toward secret sharing

Nothing was more appropriate for Clipperz than being reviewed by Charles Martin on his blog Before you are gone, which displays the intriguing and remarkable subtitle “What happens to your Online life when your Real life has ended?”.

Quick guide to exporting passwords from your browser

I wouldn’t recommend using your browser as a password manager. It’s not just a matter of security, but mostly of convenience.

Beware of Ajax startpages!

Better think twice before using those nice Ajax desktops to lighten your daily burden of password submissions.

These “startpages” are very commonly used to quickly access a growing collection of online services: webmails, to-do lists, calendars, blogging tools, photo and video sharing, instant messaging, bookmarking, …

Just one login to display your whole online ecosystem in one neat page. How convenient! But what about security?

When passwords are low-hanging fruits

Everybody has probably heard [about this][1] before, but it’s worth repeating: Firefox’s storage of passwords is not secure!

Interview with Tom Wu, inventor of the SRP protocol

At Clipperz we are huge fans of cryptography as a tool to empower users and protect freedom, therefore we are beholden to all the people who contributed to the development of this science.

Defeating keyloggers, a poor proposal from Microsoft

The title of a recent Lifehacker post was very intriguing: “Keep your password safe at public computers”. The content sounded even more promising since it was about an academic paper from Carnegie Mellon University with the heartening title: “How to login from an Internet cafe without worrying about keyloggers”.

I readily downloaded the PDF file and dived into reading it. What a disappointment! The proposed solution to defeat keyloggers was impractical and flawed in many aspects. I was amazed that a prestigious institution like Carnegie Mellon could produce such an amateurish study!

Then I took a closer look at the paper and discovered that Carnegie Mellon was not involved at all: the authors (Cormac Herley and Dinei Florencio) are from Microsoft Research, and I did not find any connection with the University except that this paper was presented at SOUPS 2006, the Symposium On Usable Privacy and Security held at CMU last July (!).

The fact that CMU was not directly involved was reassuring. The fact that Microsoft is saying “use this method and you are safe from keyloggers and spyware” is quite scary. Why write a professional-looking document and present it at a conference? Wouldn’t it be better to just write a short blog post and openly discuss this weak and quite old idea?

The paper was widely linked and has been dugg more than 1400 times, yet the wrong attribution to Carnegie Mellon was never pointed out.

For those interested: the two authors delved into this idea even deeper and produced another paper about a system called KLASSP (KeyLogger Avoidance using a Shared Secret Proxy), the name says it all …

[Image: keylogger, from Antispam.br]

MyBlackBook, the security issues of a sex log

[Prof.

CERIAS has strong and wrong opinions about Ajax

AJAX applications will remain unworthy of serious business (at least for risk-conscious people).

This is quite a bold statement, especially considering the [source][1]: The Center for Education and Research in Information Assurance and Security ([CERIAS][3]), a prestigious academic institution.

Strong password anyone?

I find this idea from Ka-Ping Yee very compelling.

What if, instead of treating memorability as the constant and strength as the variable, we treat strength as the constant and memorability as the variable? Suppose we have the computer choose a completely random password, to guarantee good password entropy. The phrase-based technique shows that a phrase can be turned into a random-looking jumble of letters and numbers. With a sufficiently large word list and a basic knowledge of grammar, can a computer turn a truly random jumble of letters and numbers into a memorable phrase?

A short bibliography for searching on remote encrypted data

Today’s mail servers, file servers and other data storage servers typically must be fully trusted, since they have complete access to your data and are supposed not to reveal it without your authorization.

More security for web forms

Several banks use non-SSL login pages. This does not mean they are sending your credentials in the clear, but the user has no way to tell whether the login form is legitimate or spoofed. Alun Jones builds on the findings of Johannes Ullrich, chief research officer for the SANS Institute, to raise an alarm about this overlooked problem: how secure is the web form you are filling in?
