15 comments

[ 3.6 ms ] story [ 34.8 ms ] thread
Currently, the service works best for Gecko and Webkit. IE does not work. Any and all input is welcome, as well as any questions you may have.
Since I have no way to know what you do with what I give you, and no way to verify how you store what I give you, other than "take my word for it", I would never utilize your service.
The service is mostly Javascript. All code runs on the browser before being sent to the server. The Javascript is viewable.
How does this compare to a service like 1Password? While I get the convenience of having access to it anywhere on any machine since it seems like it's web based, I'm not a huge fan of web base password storage. Most people would not trust you to store their passwords. Some will, but there will be a huge number of skeptics.

I like services on my local machine. While it is true I can't access all my passwords when I'm not on my main device, two things come to my mind right away:

1. I rarely if ever use any other machines. When I do, I easily memorize my passwords for common things I like to check. Usually these days I check them on my smartphone.

2. There are ways to get 1Password to work with Dropbox which in turns allow me to replicate what you guys are doing without having to exclusively use an online service.

Having said that, I believe you can still garner userbase, but my original question stands, what added benefit do you guys offer?

PS Site design is a bit hideous, a change may help.

Unlike the Dropbox method you mentioned, Passwords.cc encrypts the data. Last I checked, Dropbox does not encrypt user's files but I may be wrong (I am an avid user of Dropbox myself). The benefit to Passwords.cc over 1Password is mainly sharing - we created a system that is best used between people, whether it be a married couple or a group of developers. We plan on adding browser support (plugins and extensions) and a desktop app.

Thanks for the input on the site design.. we will work on it, but we spent more time on the UI after you log in.

Dropbox possibly doesn't encrypt user's data but 1Password does. You already have to have two layers of passwords to even get to the encrypted list of passwords stored before hand.

On the shared passwords, I haven't found much use for that ever. Generally speaking, I would just have people create their own accounts or some services allow for sub-user accounts. I can't imagine many use cases having to give someone your password and I'd imagine that the of use of the service is focused on the primary user so whoever they choose to share their password with will have to find their own way to remember the password.

On the note regarding the plugin support, that still doesn't change it's web-base. As for desktop app, unless its a true local machine service, if you're calling back to a server somewhere, it doesn't change the security issues raised in my original post or that of others here.

I never thought about using 1Password with Dropbox, but would you be able to install dropbox on all computers as opposed to a web based alternative?

Sharing passwords is quite important in the development world. When a client gives a company their authentication credentials, it is imperative to keep the data secure while still sharing it with all the developers. The benefit to Passwords.cc with sharing is that the other people who don't have accounts can still view shared passwords without ever registering.

The desktop app we plan on having will be a local system with option of syncing online.

You can access the agile key via dropbox's web login without having to install
I like this service. I have been thinking about doing something similar myself. Though, I think it would have been better if it was marketed as a secure place to store private information.

Also, it would be great if this service had its code audited on frequent basis by a trusted 3rd party.

An iPhone app to synch my personal information locally would be awesome too. This way I could access my information even if I am not in front of a computer or don't have net access.

This definitely is a secure data storage system. We just liked the name passwords.cc (carbon copy).

Do you have any third party that you'd trust? Our code is mostly in Javascript so anyone can check it out.

We will be adding mobile phone apps soon.

You mention "military-grade AES". Are you referring to AES-256? These terms are generally frowned upon (cf. http://www.schneier.com/crypto-gram-9902.html#snakeoil)

Also, you should be using a MAC rather than a checksum. Finally, you mention using a random hashx that links to the wikipedia article on checksum. You are better off using a Password-Based Key-Derivation Function (PBKDF2, if you're using AES).

So we should just mention how strong it is and remove the term "militar-grade AES" ? Sounds good.

Thanks for the advice on using MAC instead of a checksum, we're currently using HMAC-SHA1.

Thanks for the terminology help, we will be using PBKDF2 now for our encryption key.

Thank you!

Is a browser extension (or something like it) in the cards? I love the idea, but it is a dealbreaker to have to visit a website and do a copy-paste dance to log into other websites websites.

Two quick usability thoughts:

- I love Apple's memorable password generator, which puts out passwords like "chai680{Tanya", which are reasonably secure but easy to type and memorize. It really sucks to type an average random password (from my phone) into a public computer, and there's no chance I'll ever memorize it.

- I use the same naming convention for multiple accounts on the same website ("Website (Account)"). Could passwords.cc handle this automatically (show the account name in a lighter shade next to the service name when multiple accounts exist)?

Yes, a browser extension is being developed now. It appears that a lot of people want browser extensions to really make Passwords.cc useful.

We like Apple's memorable password generator, I think we're going to implement this in the near future.

The naming convention UI is a great idea! We will do that right now, it should be updated in a little bit.

What jurisdiction does the company/service/servers fall under? Although I'm based in the UK (which is hardly a privacy haven), I'd be quite wary of storing account data or anything on US-based servers, even though I'm not remotely interesting to the US Govt.

Rsync.net offers storage in Switzerland for this sort of reason, although just to be on the safe side I encrypt backup files for storage before uploading anything.

I'm probably a little too paranoid for cloud-based password management, but it might be an interesting consideration for people who are less paranoid but still keen on privacy.