Web based password manager

Does anyone know of a good web based password manager? I’m inclined to hack up my own, but I wanted to dig around a little bit first.

Password management has always been an issue with me — there are just way too many passwords to remember, and even though I’m usually lazy and end up using one of 2-3 passwords in most places, I still need to remember login names (why can’t websites explicitly mention that they use email addresses as logins). And sometimes I do create new passwords, which are just impossible to remember.

I’m sure someday we will move away from text based encryption schemes and have some funky audio/visual passwords which won’t require me to remember arbitrary strings of text. But that day is not today, and so I need some solution. Traditionally I’ve been using applications on my desktop to keep track of my passwords (my own Starfish, Revelation etc) and that has scaled nicely so far.

But now it’s getting out of hand. With all the Web2 hype, new and interesting startups come up on a daily basis. All of them need your email address and password. I have more than 5 GMail accounts. Several bugzilla accounts. Credit cards. Insurance companies. Banks. Airlines. Portals. Passwords, passwords and more passwords. Thanks to spam, now you need some kind of authentication mechanism to get to anything useful on the web. So my list of usernames and passwords is becoming unmanageably long.

Starfish and Revelation were fine, but I would have to sync my password files across systems. But when I was travelling without my laptop, I’d be stuck — so I do need a web front end. Besides, this seems to me the kind of web-app almost everyone needs. So how come I haven’t seen a cool AJAX-ified web based password management tool yet?

Any takers?

63 comments

  1. diwaker

    *@gulli*: I used to use notepad at one point of time, but quickly grew tired of it. It’s just too unstructured for my purposes — true, you can create multiple notes, but that only makes it hard to look for stuff. If you keep all passwords in a single note, there’s still no good way of searching through them. Besides, my dream tool would have integrated password generation as well.

    *@yoav*: thanks, that looks interesting. One problem with the tool you mention is that I myself *never* see the real password to a website. One can argue that it’s good from a security point of view, but I wouldn’t be comfortable using it. I need to know and be able to arbitrarily change my passwords.

  2. Ryan

    I use KeePass Password Manager (http://keepass.sourceforge.net/), an open-source Windows application. It has a very friendly user interface, and lives as a Windows tray icon. When I want to get a password, I double-click on the icon and type in my master password. Then it will let me copy the appropriate password to my clipboard. There’s also an option where you can hit a hotkey and it will paste the appropriate password into a website without needing to open the app. I haven’t used that myself.

    Unfortunately, it’s a desktop app for Windows, which means it’s not particularly portable, especially if I’m using a Mac or a Unix workstation. At one time, I wanted my passwords available on the web, so I thought about creating a web-based password manager. But the security issues really made me paranoid: if someone hacks into my password list, they could really wreak havoc on my life. It did not seem safe to have them published on the World Wide Web and restricted only with a single login password. So I gave up on that quest and decided that I was best off with KeePass.

    • Jeff

      No … Keepass is portable, they have Mac/Linux versions at KeepassX.sourceforge.net, but it’s desktop, not centralized like the OP wanted.

  3. diwaker

    *@ryan*: thanks for that pointer. KeePass looks pretty good, but as you point out, it’s not very portable. I’m not all that paranoid about having my passwords on a web app. I mean, half of my life is already online anyways :-) And sooner or later Google will start doing this if I don’t ;-)

  4. Gabe Anderson

    I’m surprised no one has mentioned Pass2Go yet. It’s indispensable and I don’t know how I survived online without it before (both for work and personal stuff). It runs off my Lexar Lightning USB flash drive (as it can from any USB drive), so I can use it on both my desktop and laptop (and any other computer, of course). It’s completely secure and unlocks everything with a single password, so nothing is ever stored on any computer (but I have all the files backed up on my external drive and on my Mozy account, so I’m safe should I ever lose the USB drive).

    SafeNotes are also great, so anything you don’t store in a personality, you can safely store away there.

    (Pass2Go is the USB version of RoboForm, which I wrote about back in March on my blog.)

    I’ve submitted feedback to the vendor that they should develop an online version of the product, too.

  5. Iris

    Haha, I was googling for a solution to the same problem.
    Maybe you’ll like http://www.passwordsafe.com.
    It’s pretty good for when you don’t remember passwords, you could always check back. Personally, I didn’t like the way it was organized, but hey, it may work for you. Good luck!

  6. Diwaker Gupta

    *@iris*: Thanks for the pointer. I’m slightly hesitant of any solution that requires me to store _all_ my passwords online with a third party without any guarantees on the safety of my data. Would all my passwords be encrypted before they hit the PasswordSafe website? Would PasswordSafe employees have access to my data? Anyways, I’ll try it out and see if I like it.

  7. Pierre van Wyk

    I am currently also looking at SecretServer from Thycotic.com. It gives the same functionality as Online Password Manager with the additional features of being able to integrate with Active Directory and to store the password information in “other” database systems as well.

  8. Tara

    Hi Diwaker. I was just wondering if you ever managed to try any, or all, of the links that were given here. I’d be interested in hearing your opinion.

    Cheers to you,
    Tara

  9. Diwaker Gupta

    *@tara*: Sorry for that long hiatus! I registered but never got around to using it. And today I did want to give it a shot, but I think I’ve lost my packing key! :( Is there any option other than to create a new account? Can I delete my existing account and recreate it? (I do remember the password)

  10. Tara

    Hi Diwaker.
    No problem on long comment time – that’s part of life. :)

    On recovering your packing key though – that’s not possible. We can delete your account if you’d like to start over, or you can just open a new one (accounts get deleted automatically if abandoned for six months). It’s up to you.

    If you do decide to create a new account, remember to print out the memo with all your login credentials – it’s pretty useful. ;)

    I’ve linked to a Getting Started Guide here: https://www.passpack.com/info/help/

    Drop me an email and I’ll give you more details.

    Cheers,
    Tara
    tara@passpack.com

  11. rajesh menon

    I came across this post while I was hunting for a single password manager. I was finding life tough. I found some of the links useful.

    thanks

  12. Clauz

    The product in this url: http://w3pw.sourceforge.net/

    did it for me. I don’t want to store passwords on someone else’s server or app. And I need the soft to be web based to access it all over the world when I do not have my computer around.
    So this is the free alternative to esoftpro that works.
    Clauz

  13. Erik

    Hi, don’t know if you found your solution yet, since I was on the lookout for the same thing. The only thing I found that comes near to what you want and what I want is http://lvoware.com/index.php, which is PHP and MySQL; I have not tried it myself. But I do want a MySQL backend for the website and a frontend for Windows. This seems like impossible.

    • Andrew

      I have tried to get this script to work so many times without success. I have access to an account on a shared webhost and I just can’t get by the log in option. During the uploading of the files and setting up the tables on an existing database, there is no request for a username and password to set up an account.

      I would appreciate it if someone can point me in the right direction with this script. I have also been in contact with the author of the script with no success.

  14. Marco

    Hi all. I suggest you PassPack. It is probably the best online password manager (first position in Google search results). There is an offline version too that uses Google Gears and works on Windows, Linux and MacOS. It is great!

  15. Tara Kelly

    um… I went to check out 124password.com, and it looks like a splog.

    Sorry, I love PassPack because it’s mine and I know the level of security we put into it. But if you decide to choose something else, at least make sure it’s reputable.

    Tara Kelly
    PassPack Founding Partner

  16. Freelancer

    I’m using a combination of two php scripts:

    1. Flatfile database manager
    http://www.zubrag.com/scripts/flatfile-database-manager.php
    This is a script which allows you to define your own database. I defined 4 fields for password manager: website, login, password, notes.

    2. To protect my passwords list (i.e. above program) I use password protector:
    http://www.zubrag.com/scripts/password-protect.php

    Works like a charm. The best thing is that I can define as many fields as I want for each of my “password” entries.

    • Diwaker Gupta

      The whole concept of host-proof hosting is precisely this — even if Passpack servers get hacked, my data is safe. And you are free to store a local copy of your data — Passpack has multiple alternatives for storing data on the desktop for offline usage.

  17. Elie

    The only feature of Passpack that bothers me is this “packing key”. Why not just tell us that we need to memorize two passwords? And that if we forget either of these passwords we are screwed?

    As far as I can tell, Clipperz only requires one password, making it that much more attractive than Passpack.

    • Tara Kelly

      @Elie
      The Packing Key is what actually keeps your data safe so you can’t get rid of that. BUT you can get rid of the username and password. For example, if you want to sign up to Passpack using your gmail account, do that here:

      https://www.passpack.com/google

      Then all you need to remember is the Packing key.

      (There are options for OpenID, Facebook, Yahoo and Hotmail too)
      Cheers,
      Tara
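
The "host-proof hosting" idea discussed in the comments above (data is encrypted with a key derived from the packing key before it leaves the client, so the server only ever holds ciphertext and a lost packing key cannot be recovered) can be sketched as follows. This is an added example for Node.js, not code from Passpack, Clipperz or any commenter; the choice of scrypt and AES-256-GCM, the `pack`/`unpack` helpers and the in-memory `serverStore` are assumptions made for illustration.

```javascript
// Added illustration of host-proof hosting; not any vendor's actual scheme.
const crypto = require("node:crypto");

// Client side: derive a 256-bit key from the packing key. The salt is not secret.
function deriveKey(packingKey, salt) {
  return crypto.scryptSync(packingKey, salt, 32);
}

// Client side: encrypt the vault before upload. Returns the record the server stores.
function pack(vault, packingKey) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(packingKey, salt), nonce);
  const ct = Buffer.concat([cipher.update(JSON.stringify(vault), "utf8"), cipher.final()]);
  return { salt: salt.toString("base64"), nonce: nonce.toString("base64"),
           tag: cipher.getAuthTag().toString("base64"), ct: ct.toString("base64") };
}

// Client side: decrypt a downloaded record. Returns null on a wrong key or tampering.
function unpack(record, packingKey) {
  const b = (s) => Buffer.from(s, "base64");
  const key = deriveKey(packingKey, b(record.salt));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, b(record.nonce));
  decipher.setAuthTag(b(record.tag));
  try {
    const pt = Buffer.concat([decipher.update(b(record.ct)), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch (e) {
    return null; // GCM tag check failed: nothing to recover without the right key
  }
}

// Hypothetical server: stores opaque records per account and never sees the key.
const serverStore = new Map();
function upload(account, record) { serverStore.set(account, JSON.stringify(record)); }
function download(account) { return JSON.parse(serverStore.get(account)); }

// Constructed sample data.
const vault = [{ site: "bank.example", login: "alice@example.com", password: "constructed-Pw-1" }];
upload("alice", pack(vault, "correct horse packing key"));

function demo() {
  return {
    serverSeesPlaintext: serverStore.get("alice").includes("constructed-Pw-1"),
    ownerCanRead: unpack(download("alice"), "correct horse packing key")[0].password,
    wrongKey: unpack(download("alice"), "guess"),
  };
}
console.log(demo());
```
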

  18. Amarand Agasi

    Having looked at all the links and recommendations above, I’d say if you wanted to have a secure, encrypted, free web-based password storing application running on your own server, I’d say the open-source Community version of Clipperz:

    http://www.clipperz.com/open_source/clipperz_community_edition

    Looks like Passpack is pretty neat, but I strongly (personally) dislike storing off of my personal data on someone else’s server. Yes, yes…encryption, no one can decrypt the passwords, yadda-yadda. I’m primarily concerned about security, and there’s nothing that can beat physical control over your own data. Obviously, carrying around a key-fob is nice, but what if you lose it and forget to back it up? Or what if your host machine doesn’t support USB sticks? The web is accessible wherever you would also be needing the majority of the information you’d be storing in this. Plus it appears they have a PDA version of the client? Not sure….

    Your mileage may vary, and there’s a decent chance that Passpack (et al) has a better data center presence than, say, my 65 degree basement – but there’s nothing like physical control. Plus, it looks like you can manage your stuff on-line, and then export a fully-encrypted off-line (read-only) copy of the database, for use when you don’t have access to your own server. Nice, eh?

    Also, they have the option of using one-time passphrases, for those situations where you’d rather not use your Real passphrase (such as in a library or cyber cafe). Use the passphrase once and it’s done. You can generate a whole bunch of them, print them out and stick them in your wallet. You can also manually disable them if you were to, say, lose your wallet. The passphrases would be useless.

    Anyway, just my three cents! Hope you found something good….

    • Jeff

      Clipperz is a POS…it’s built off POBS, it’s confusing as hell to setup and just use. If I have to learn how to code just to be able to use something…then I vote NO!

  19. david hartley

    While storing data on others’ servers may be secure it will probably breach t&c of almost all financial institutions and many websites. I’ve been using password safe (http://passwordsafe.sourceforge.net/) for quite a while, which is great for desktop, and can be shared over a network drive, although the sharing is not really what it’s designed for.

    I think I’ll be giving clipperz a go, it seems to be much better suited to the workgroup/SMB environment and will not breach t&c with my bank!

  20. Jason Fowler

    I have always used keepass v1.0 (it works on windows, linux, mac osX, windows mobile, and there is an iPhone version they are trying to get into the app-store) and it has the ability to use an FTP server as the save/load point, so you can keep a copy online, saved as whatever you want, anywhere on your site, and no one would know where …

  21. Pingback: Web based password managers: 3 years later
  22. Trackback: The Social Media Traffic Generation
    • Michael Dale

      Hi Michael,

      Thanks for the comments. It was primarily designed for use in an office, so there should be a level of trust between the users.

      Saying this the latest version has been updated to allow user registration and it would work for offering such a service, but of course the more users you have the higher chance that someone would try and hack the system.

      The key issue is that the encryption key is not unique for each user, it is global to the install (this is to allow the sharing of categories). Therefore I would really only suggest that you allow trusted users into the system. This is something that I would love to improve in a future version, but there is no time frame on that.

      Please feel free to contact me directly to discuss further.

      Thanks,
      michaeldale.com.au

  23. Andrew

    I have tried to get the lvoware script to work many times without success. I have access to an account on a shared webhost and I just can’t get past the log in option. During the uploading of the files and setting up the tables on an existing database, there is no request for a username and password to set up an account.

    I would appreciate it if someone can point me in the right direction with this script. I have also been in contact with the author of the script with no success.
