Comparison table and features descriptions of two online password managers. Updated with the release of PassPack’s Beta5.
Like PassPack, Clipperz is an online password manager and personal vault. The crypto foundations, and general architecture of the two applications are fundamentally the same: A blend of industry standard algorithms, including AES-256, in a Host-Proof Hosting pattern. This combination ensures that the users data can’t be read on the server.
The primary difference in the two architectures is that PassPack uses a double access technique. Beyond just User ID and Pass, we’ve added an additional Packing Key. This structure allows us a great deal of flexibility in handling our algorithms, and without which our anti-phishing pattern would not be possible, nor our “remember me” feature, nor many more to come.
Clipperz has no anti-phishing measures in place.
PassPack has defined an Anti-phishing technique that combines a custom Welcome Message, IP recognition and hand-eye training.
“Remember me” (with anti-phishing)
Clipperz encrypts with your password, thus can’t “skip” that step.
PassPack encrypts with the Packing Key, so you can skip User & Pass if you’d like.
This is an important distinguishing feature. PassPack maintains a backup copy of your most recently saved pack – encrypted of course! Should you change (and promptly forget) your Pass or Packing Key, then we can restore your most recent backup and let you access it with your previous Pass or Packing Key – you need to remember at least that. It’s a real life saver!
Clipperz doesn’t perform Rollbacks.
PassPack can perform Rollbacks under certain conditions, read more here.
As mentioned, we’re a bit skeptical on how useful a checksum could be in an internet context. Here’s why: I must go to Clipperz’s home page to see the values that my checksum should be producing. However, if I am in a phished version of Clipperz, it’s a moot point because the phisherman can falsify those values as well so that they match his spoofed version.
In theory, the user could circumvent this problem by saving a copy of the checksums from the homepage, then comparing the application to this local copy every time he connects. This would only work, however, if the Clipperz application has not changed in the meantime.
I just don’t think anyone would really do that – always, every single time, many times a day.
Clipperz uses checksums.
PassPack debates the usefulness of checksums, nonetheless has implemented them for the offline version only.
On-screen Security Features
Caution needs to be taken to hide sensitive information from passer-bys particularly in an Internet Point or open space office. This may include simple measures like scrambling the password field and locking the application manually, or automatically when left unattended. Also a password generator is a useful tool to break the password reuse cycle, as well as a pass strength tester to check the quality of your passwords.
Clipperz has most of these features, except auto-locking (manual locking only) and your password list is visible even when it’s “locked”.
PassPack has all of these features, all data is completly removed from the screen and memory when locked (either manually, or automatically).
Disposable Login (also known as OTP)
A Disposable Login is a set of Pass and Packing Key that can only be used once, then never work again. This is useful when you must connect to your Account from a public computer. Even if the Disposable Login is recorded and saved by malware, it will be useless and your real Pass and Packing Key will remain completely secret.
Clipperz has recently added Disposable Logins.
PassPack supports Disposable Logins.
Another differentiating point is data portability. Clipperz’s previous lack of an export feature potentially lead to a vendor lock-in, they’ve now added import and export. (Good job guys!)
Clipperz supports import, export and Printing.
PassPack allows you to freely Import, Export, Print, Backup and Restore your data.
PassPack can be used in Offline Mode as well as with an Offline Version. For example of what offline mode is: suppose I connect to PassPack on my laptop. Once I’ve logged in, I can disconnect from the internet, put the laptop in standby and leave for the day. As long as I keep PassPack open in a browser tab (or window) I can continue to use PassPack – no internet connection needed. When I get back online, I can press the
Save my Pack button and all my changes will be saved.
Clipperz must have an active internet connection in order to work. However, they offer a fully functioning downloadable version for offline use – this is in read only and you can’t make any changes.
PassPack has also released an Offline Version. It runs on Google Gears, is fully functioning (ie. not read only) and is a Google Code Featured Project. Synchronization with online accounts is planned.
Clipperz has a downloadable Offline Version, you can’t make changes.
PassPack has a downloadable Offline Version, changes are fine, and will also work in Offline Mode.
PassPack opts for speed, Clipperz for advanced templates. Clipperz allows you to create your own “card templates” which may include any number of custom fields. Once open, you can fiddle with many different fields, options and buttons. PassPack uses a simplified approach with no extra clicks – just open, fill it out, and save. There have been a lot of requests forcustom fileds for PassPack — it’s being considered, but no final decision is in yet.
Clipperz requires two clicks and some choices before entering any data, higher customization.
PassPack uses a one-click Entry window, for speed and a lower learning curve, lower customization.
What happens when you have 50+ entries and need to find something quickly? Personally, I have over 200 entries in my PassPack account, so I find that the feature I use most is the Quick Search. I just type in a few letters and the list filters my entries in real time. I don’t think I could manage without it.
Clipperz lists all entries on a long, scrolling page.
Both systems offer auto-login. Clipperz’s “Direct Login” posts forms to websites. They use a bookmarklet to help you capture the information needed to configure a new Direct Login. The configuration process requires some copy and pasting and must be done singularly for each and every “card” in your account. A description can be found here.
PassPack offers a single tool (a bookmarklet) for both auto-login and configuration. The tool can be used in either standard or 1 Click mode. Teaching PassPack a new auto-login is a very simple process: just point-and-click. A common library of “learned” sites is populated by the users themselves, and is available to all – saving users lots of time. PassPack’s technique supports a wide variety of login forms, which Clipperz’s approach simply can’t cover.
Clipperz’s auto-login is one click from the sidebar, one at a time configuration required.
PassPack’s auto-login is 1 Click while you surf, configuration is fast and often not even necesary.
Really, the choice is yours. The two systems offer much of the same base level security. We can say that both services offer these same benefits:
- Free with Open Source Libraries.
- Access anytime from any computer.
- No software to download and nothing to install.
- Avoid keeping secrets on your PC or on paper.
In addition, and I personally feel this is important, PassPack offers Anti-phishing.
The primary difference lies in ease-of-use and target audience. PassPack employs a click-and-go philosophy and can be used by the average person, while Clipperz targets the more advanced user, requiring a larger learning curve to get up and running: no import function, building cards with custom fields and manually pasting in the auto-logins. However, I’ve heard of some people that prefer Clipperz’s approach – so who am I to really judge?
My suggestion would be to try both for a while and see which feels better to you. Afterall, accounts are free and easily deleted.
In the end, the only truly important thing is that you choose – and use – a password manager.
I did my best to be objective and accurate in this post. As always, corrections and suggestions are welcome. You can write me directly or post a comment below.