Web based password manager
Does anyone know of a good web based password manager? I’m inclined to hack up my own, but I wanted to dig around a little bit first.
Password management has always been an issue with me — there are just way too many passwords to remember, and even though I’m usually lazy and end up using one of 2-3 passwords in most places, I still need to remember login names (why can’t websites explicitly mention that they use email addresses as logins). And sometimes I do create new passwords, which are just impossible to remember.
I’m sure someday we will move away from text based encryption schemes and have some funky audio/visual passwords which won’t require me to remember arbitrary strings of text. But that day is not today, and so I need some solution. Traditionally I’ve been using applications on my desktop to keep track of my passwords (my own Starfish, Revelation etc) and that has scaled nicely so far.
But now it’s getting out of hand. With all the Web2 hype, new and interesting startups come up on a daily basis. All of them need your email address and password. I have more than 5 GMail accounts. Several bugzilla accounts. Credit cards. Insurance companies. Banks. Airlines. Portals. Passwords, passwords and more passwords. Thanks to spam, now you need some kind of authentication mechanism to get to anything useful on the web. So my list of usernames and passwords is becoming unmanageably long.
Starfish and Revelation were fine, but I would have to sync my password files across systems. But when I was travelling without my laptop, I’d be stuck — so I do need a web front end. Besides, this seems to me the kind of web-app almost everyone needs. So how come I haven’t seen a cool AJAX-ified web based password management tool yet?
Any takers?

I use notepad.yahoo.com to store such information
Wow – that isn’t even encrypted.
We have used Secret Server for years now. (http://www.thycotic.com)
Try PasswordComposer (http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/) for an interesting hybrid solution.
*@gulli*: I used to use notepad at one point of time, but quickly grew tired of it. It’s just too unstructured for my purposes — true, you can create multiple notes, but that only makes it hard to look for stuff. If you keep all passwords in a single note, there’s still no good way of searching through them. Besides, my dream tool would have integrated password generation as well.
*@yoav*: thanks, that looks interesting. One problem with the tool you mention is that I myself *never* see the real password to a website. One can argue that it’s good from a security point of view, but I wouldn’t be comfortable using it. I need to know and be able to arbitrarily change my passwords.
I use KeePass Password Manager (http://keepass.sourceforge.net/), an open-source Windows application. It has a very friendly user interface, and lives as a Windows tray icon. When I want to get a password, I double-click on the icon and type in my master password. Then it will let me copy the appropriate password to my clipboard. There’s also an option where you can hit a hotkey and it will paste the appropriate password into a website without needing to open the app. I haven’t used that myself.
Unfortunately, it’s a desktop app for Windows, which means it’s not particularly portable, especially if I’m using a Mac or a Unix workstation. At one time, I wanted my passwords available on the web, so I thought about creating a web-based password manager. But the security issues really made me paranoid: if someone hacks into my password list, they could really wreak havoc on my life. It did not seem safe to have them published on the World Wide Web and restricted only with a single login password. So I gave up on that quest and decided that I was best off with KeePass.
No … Keepass is portable, they have Mac/Linux versions at KeepassX.sourceforge.net, but it’s desktop, not centralized like the OP wanted.
I just found this: http://www.agatra.com. I haven’t yet had the time to test it, but it seems to be great.
Hope this link will be useful…
*@ryan*: thanks for that pointer. KeePass looks pretty good, but as you point out, it’s not very portable. I’m not all that paranoid about having my passwords on a web app. I mean, half of my life is already online anyways :-) And sooner or later Google will start doing this if I don’t ;-)
*@jean*: agatra looks pretty good actually. I’ll post a review after I’ve tried it for some time. Thanks!
give your help, here is the best password manager
I’m surprised no one has mentioned Pass2Go yet. It’s indispensable and I don’t know how I survived online without it before (both for work and personal stuff). It runs off my Lexar Lightning USB flash drive (as it can from any USB drive), so I can use it on both my desktop and laptop (and any other computer, of course). It’s completely secure and unlocks everything with a single password, so nothing is ever stored on any computer (but I have all the files backed up on my external drive and on my Mozy account, so I’m safe should I ever lose the USB drive).
SafeNotes are also great, so anything you don’t store in a personality, you can safely store away there.
(Pass2Go is the USB version of RoboForm, which I wrote about back in March on my blog.)
I’ve submitted feedback to the vendor that they should develop an online version of the product, too.
*@gabe*: thanks for the suggestions. Unfortunately any Windows only product is a no-go for me. I don’t even have windows on _any_ of my machines.
Haha, I was googling for a solution to the same problem.
Maybe you’ll like http://www.passwordsafe.com.
It’s pretty good for when you don’t remember passwords, you could always check back. Personally, I didn’t like the way it was organized, but hey, it may work for you. Good luck!
*@iris*: Thanks for the pointer. I’m slightly hesitant of any solution that requires me to store _all_ my passwords online with a third party without any guarantees on the safety of my data. Would all my passwords be encrypted before they hit the PasswordSafe website? Would PasswordSafe employees have access to my data? Anyways, I’ll try it out and see if I like it.
I found http://www.passwordpit.com to be useful, perhaps you’d like to give that a try – John.
*@john*: thanks, I’ll check it out!
I just found the online password manager:
http://esoftpro.com/product.php?pid=opm
This program is PHP and MySQL based – so I guess you can install it on any LAMP/WAMP server. However, it is not free (around 25$).
Just what you were looking for: an AJAX-based password manager.
http://www.passlet.com
All encryption and decryption is done client-side; this is a true Web 2.0 site. The server never sees the master password.
*@passlet*: Thanks, it looks pretty cool! Good use of AJAX. The encryption stuff looks intriguing, I’ll have to look at it more closely. Thanks for the pointer!
Yup. Ajax Online Password Manager. Free.
https://www.passpack.com
Similar to Passlet: all encryption happens client-side. It’s in Beta3 now but moving forward fairly quickly. Hope you like it.
I am currently also looking at SecretServer from Thycotic.com. It gives the same functionality as Online Password Manager with the additional features of being able to integrate with Active Directory and to store the password information in “other” database systems as well.
Hi Diwaker. I was just wondering if you ever managed to try any, or all, of the links that were given here. I’d be interested in hearing your opinion.
Cheers to you,
Tara
http://w3pw.sourceforge.net/
PHP based pass manager.
*@tara*: Sorry for that long hiatus! I registered but never got around to using it. And today I did want to give it a shot, but I think I’ve lost my packing key! :( Is there any option other than to create a new account? Can I delete my existing account and recreate it? (I do remember the password)
Hi Diwaker.
No problem on long comment time – that’s part of life. :)
On recovering your packing key though – that’s not possible. We can delete your account if you’d like to start over, or you can just open a new one (accounts get deleted automatically if abandoned for six months). It’s up to you.
If you do decide to create a new account, remember to print out the memo with all your login credentials – it’s pretty useful. ;)
I’ve linked to a Getting Started Guide here: https://www.passpack.com/info/help/
Drop me an email and I’ll give you more details.
Cheers,
Tara
tara@passpack.com
*@tara*: I think I want to delete my account and start over — I kind of like that user name :-) Just shot you an email, thanks!
Ok, I got your email and took care of it. You’re all set. :)
I came across this post while I was hunting for a single password manager. I was finding life tough. I found some of the links useful.
Thanks
The product in this url: http://w3pw.sourceforge.net/
did it for me. I don’t want to store passwords on someone else’s server or app. And I need the soft to be web based to access it all over the world when I do not have my computer around.
So this is the free alternative to esoftpro that works.
Clauz
Hi, don’t know if you found your solution yet, since I was on the lookout for the same thing. The only thing I found that comes near to what you want and what I want is http://lvoware.com/index.php, which is PHP and MySQL; I have not tried it myself. But I do want a MySQL backend for the website and a frontend for Windows. This seems impossible.
I have tried to get this script to work so many times without success. I have access to an account on a shared webhost and I just can’t get by the log in option. During the uploading of the files and setting up the tables on an existing database, there is no request for a username and password to set up an account.
I would appreciate it if someone can point me in the right direction with this script. I have also been in contact with the author of the script with no success.
Hi Diwaker,
Just wanted to drop a link…
http://www.passpack.com
PassPack, Online Password Manager.
Free. Secure. Mac. Windows. Unix. :)
Cheers!
Tara
*@erik*: thanks for the pointer, I’ll check it out! I wish they had some screenshots of the interface. And what’s up with the form on the download page? Old school!
I suggest PassPack. It is the best online password manager :o)
*@francesco*: as has been pointed out several times here :-) I do have an account, now I just have to get around to using it…
Come on lads, one of ye must have found a PHP/MySQL based solution?
Hi all. I suggest PassPack. It is probably the best online password manager (first position in Google search results). There is an offline version too that uses Google Gears and works on Windows, Linux and MacOS. It is great!
Here’s one I use and love…
http://www.jmbfree.com/software/ps/
124password.com is what I use for password management
Um… I went to check out 124password.com, and it looks like a splog.
Sorry, I love PassPack because it’s mine and I know the level of security we put into it. But if you decide to choose something else, at least make sure it’s reputable.
Tara Kelly
PassPack Founding Partner
I’m using a combination of two php scripts:
1. Flatfile database manager
http://www.zubrag.com/scripts/flatfile-database-manager.php
This is a script which allows you to define your own database. I defined 4 fields for password manager: website, login, password, notes.
2. To protect my passwords list (i.e. above program) I use password protector:
http://www.zubrag.com/scripts/password-protect.php
Works like a charm. The best thing is that I can define as many fields as I want for each of my “password” entries.
I have tried PassPack, but I like Clipperz better.
Hi John – is there a specific feature that you would like to see in Passpack?
Clipperz can be downloaded (open source) and installed on your own hardware. I don’t like the idea of storing passwords on somebody’s server – which might potentially become a victim of hackers. This makes me think that if they were hacked – we are hacked too!
Clipperz Community Edition – http://www.clipperz.com/open_source/clipperz_community_edition
The whole concept of host-proof hosting is precisely this — even if Passpack servers get hacked, my data is safe. And you are free to store a local copy of your data — Passpack has multiple alternatives for storing data on the desktop for offline usage.
The only feature of Passpack that bothers me is this “packing key”. Why not just tell us that we need to memorize two passwords? And that if we forget either of these passwords we are screwed?
As far as I can tell, Clipperz only requires one password, making it that much more attractive than Passpack.
@Elie
The Packing Key is what actually keeps your data safe so you can’t get rid of that. BUT you can get rid of the username and password. For example, if you want to sign up to Passpack using your gmail account, do that here:
https://www.passpack.com/google
Then all you need to remember is the Packing key.
(There are options for OpenID, Facebook, Yahoo and Hotmail too)
Cheers,
Tara
Hi Diwaker,
Check out http://mitto.com
A free, safe, easy to use online password manager.
-Lisa
@Lisa B: Thanks for the pointer! How is mitto any different/better than, say, Passpack?
Having looked at all the links and recommendations above, I’d say if you wanted to have a secure, encrypted, free web-based password storing application running on your own server, I’d say the open-source Community version of Clipperz:
http://www.clipperz.com/open_source/clipperz_community_edition
Looks like Passpack is pretty neat, but I strongly (personally) dislike storing off of my personal data on someone else’s server. Yes, yes…encryption, no one can decrypt the passwords, yadda-yadda. I’m primarily concerned about security, and there’s nothing that can beat physical control over your own data. Obviously, carrying around a key-fob is nice, but what if you lose it and forget to back it up? Or what if your host machine doesn’t support USB sticks? The web is accessible wherever you would also be needing the majority of the information you’d be storing in this. Plus it appears they have a PDA version of the client? Not sure….
Your mileage may vary, and there’s a decent chance that Passpack (et al) has a better data center presence than, say, my 65 degree basement – but there’s nothing like physical control. Plus, it looks like you can manage your stuff on-line, and then export a fully-encrypted off-line (read-only) copy of the database, for use when you don’t have access to your own server. Nice, eh?
Also, they have the option of using one-time passphrases, for those situations where you’d rather not use your Real passphrase (such as in a library or cyber cafe). Use the passphrase once and it’s done. You can generate a whole bunch of them, print them out and stick them in your wallet. You can also manually disable them if you were to, say, lose your wallet. The passphrases would be useless.
Anyway, just my three cents! Hope you found something good….
Clipperz is a POS… it’s built off POBS, it’s confusing as hell to set up and just use. If I have to learn how to code just to be able to use something… then I vote NO!
So I looked at just about all of the solutions here. I called Cyber Ark yesterday and their solution starts at $15K. I think I might use this: http://www.manageengine.com/products/passwordmanagerpro/download.html#licensing it’s about $1,200.00
Let us know what you end up using.
While storing data on others’ servers may be secure it will probably breach t&c of almost all financial institutions and many websites. I’ve been using password safe (http://passwordsafe.sourceforge.net/) for quite a while, which is great for desktop, and can be shared over a network drive, although the sharing is not really what it’s designed for.
I think I’ll be giving clipperz a go, it seems to be much better suited to the workgroup/SMB environment and will not breach t&c with my bank!
I have always used keepass v1.0 (it works on windows, linux, mac osX, windows mobile, and there is an iPhone version they are trying to get into the app-store) and it has the ability to use an FTP server as the save/load point, so you can keep a copy online, saved as whatever you want, anywhere on your site, and no one would know where …
Did anyone look at this yet as an option?
http://code.google.com/p/webpasswordsafe/
I wrote an online password tool. PHP and you host it yourself.
http://codecanyon.net/item/password-manager/2145518
Michael, I like your script. I would like to offer password management services, is your script safe enough to trust it with many accounts?
Hi Michael,
Thanks for the comments. It was primarily designed for use in an office, so there should be a level of trust between the users.
Saying this the latest version has been updated to allow user registration and it would work for offering such a service, but of course the more users you have the higher chance that someone would try and hack the system.
The key issue is that the encryption key is not unique for each user, it is global to the install (this is to allow the sharing of categories). Therefore I would really only suggest that you allow trusted users into the system. This is something that I would love to improve in a future version, but there is no time frame on that.
Please feel free to contact me directly to discuss further.
Thanks,
michaeldale.com.au
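The trade-off described in the comment above, as an added example that is not the script's own code: with one install-wide key, whoever holds the server's key can decrypt every user's entries, while keys derived from each user's passphrase keep one account from opening another's. The function names, sample users, entries and PBKDF2 parameters are assumptions made for the illustration.

```javascript
// Added example: global install key vs. per-user derived keys (AES-256-GCM).
const crypto = require('crypto');

// Encrypt one entry; the returned record is all the server needs to store.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt one entry; returns null when the key is wrong or the record was altered.
function unseal(key, rec) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Per-user key: PBKDF2 over the user's passphrase and a random salt stored with the account.
function userKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, 200000, 32, 'sha256');
}

function demo() {
  // Constructed sample users and entries.
  const globalKey = crypto.randomBytes(32); // design A: one key in the install's config
  const alice = { salt: crypto.randomBytes(16), pass: 'alice passphrase (constructed)' };
  const bob = { salt: crypto.randomBytes(16), pass: 'bob passphrase (constructed)' };

  // Design A: every user's rows are sealed with the same install-wide key.
  const aliceRowA = seal(globalKey, 'alice-bank-pw');
  // Design B: each row is sealed with a key only its owner can re-derive.
  const aliceRowB = seal(userKey(alice.pass, alice.salt), 'alice-bank-pw');
  const bobRowB = seal(userKey(bob.pass, bob.salt), 'bob-mail-pw');

  const bobsKey = userKey(bob.pass, bob.salt);
  return {
    configKeyReadsAliceA: unseal(globalKey, aliceRowA), // install key opens anyone's row
    bobReadsOwnRowB: unseal(bobsKey, bobRowB),
    bobReadsAliceB: unseal(bobsKey, aliceRowB),         // another user's key fails
    configKeyReadsAliceB: unseal(globalKey, aliceRowB), // server-side key fails too
  };
}

console.log(demo());
```

Per-user keys give up the category sharing that the global key exists for; one common way to get it back is a separate key per shared category, encrypted once to each member.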
I have tried to get the lvoware script to work many times without success. I have access to an account on a shared webhost and I just can’t get past the log in option. During the uploading of the files and setting up the tables on an existing database, there is no request for a username and password to set up an account.
I would appreciate it if someone can point me in the right direction with this script. I have also been in contact with the author of the script with no success.
Hi Andrew,
I have never used that script before but I would be happy to have a quick look at it for you.
You may contact me here:
http://michaeldale.com.au/contact/