Tag Archives: Google Chrome

Thoughts on password managers

I’ve only started looking at password managers, as recently a password that I reused as a low-importance password finally got sufficiently compromised that I have to give up on it. Yes — I finally have to seriously look at password management.

I have not actually tried out most of these. I have some experience with iCloud Keychain and Chrome’s password manager and sync. These are my notes based solely on reading about the tools. Think of them as a thought-dump; something that will help me decide over the next few days what to go with.

Context

I’m a user of:

  • many locations (home + work + travel)
  • many platforms (GNU/Linux, OS X, Windows, Android, iOS, plus an assortment of atypical OSes, including SailfishOS, ChromeOS)
  • many browsers (Chrome, Safari for battery saving, Firefox as a speedy alternative)
  • many devices and device sizes (24″ desktop touchscreen at home, smartphone, tablet)
  • many games with their own account systems

I require or strongly desire:

  • password autogeneration
  • safe bug-free synchronization
  • browser integration
    • …which stays inside its browser profile
    • external app, especially closed source, is a no-go for work use!
  • optional self-hosting
  • client side crypto
    • …unlocked with long password…
    • …and later unlocked with a PIN
  • offline access
  • easily enter passwords into games
  • mobile viewing of passwords (so I can manually type it into a terminal, for example)
  • two-factor auth for setting up sync
  • ability to back out, and switch to another solution

Being open source and free is a strong bonus, but I’m okay with using a proprietary and/or paid solution.

Examined password managers

This is not a review. I have not actually run most of the managers.

1Password

After I commented about my quest for a password manager on Twitter, two out of two people that reached back to me have surprisingly suggested this solution, which seems strongly tied to Apple platforms. True, they do Windows and Android too — but, as evidenced by the order of icons on the product’s website, Mac and iOS come first.

I would have always felt greatly uneasy about this (which is a strong reason why I never fully adopted iCloud Keychain), but today it’s a total non-starter.

That is, I am not going to bother even starting to try out this manager if it focuses on Apple platforms.

I am worried about the part that states that sync happens through iCloud or Dropbox (or Wi-Fi Sync). More specifically, I’m worried about what the promo page for the iOS product does not state. What happens if I change the password database from two devices at the same time? iCloud Core Data on Apple platforms supports merging during sync; Dropbox has a datastore API. I hope these are used; I would expect them to be. Ditto for proper crypto. But the description of how to use 1Password.html to view passwords does not make me confident; it looks like it’s using files. It could still be doing the right thing, but… shrug

Still, if I cannot be sure I’ll be able to access my data on GNU/Linux or some of the more “obscure” platforms that I use, this is sadly a non-starter. It’s a shame, it looks like a nice product that I’d advise readers to check out.

iCloud Keychain

It’s simple, really: it’s entirely tied to Apple platforms, and to the best of my knowledge, I cannot view passwords on any other platform, much less integrate with browsers on other platforms. (Apparently it is possible to view passwords on iOS devices… but seriously, digging through Settings app?) At least Chrome uses Keychain Access on OS X, which is nice.

I’m also not too happy with the idea of having passwords in iCloud. There have been a couple of security incidents related to Apple which may or may not have happened due to users misusing the service. The ‘may not’ part is what worries me; occasionally Apple’s customer service was social-engineered, other times there were allegations of actual breaches of Apple ID authentication.

I do like the idea of syncing not just passwords, but credit card information as well, and neatly inserting it where required. If I were an Apple-only user, this would be a sufficient solution.

Google Chrome’s password sync

Chrome has its own password store which can be synced. I use this already and am mostly happy with it.

However, it’s unusable on any other browser, password generator is experimental and doesn’t seem to be manually triggerable, and accessing passwords for use in other applications is horribly hard. If I could easily get the passwords generated manually, and if I could easily find passwords (while still locking the password store after a timeout), I’d be a very happy person.

Also, given my experience with Chrome’s Bookmark Sync, where deleted bookmarks show up later, duplicated bookmarks show up later, sometimes folders are duplicated or are created as empty folders, etc, I’m highly unlikely to rely on this.

This also does not pass the self-hosted test, and partially passes the open-source test, even though I do highly trust my current employer.

LastPass

LastPass is neat. It’s a free+paid service, without a self-hosting option. But it’s neat.

It covers all major platforms that I use, and doesn’t feel like favoring any of them (there’s even a WinRT/Metro/Windows Modern application!). It has multifactor authentication. It seems to be doing its own sync protocol (so probably doesn’t lose data when merging). Its browser integration seems very powerful. There’s a command line version which is even open source. (Yes, I almost began this section of the overview by claiming this is a proprietary offering, which is true.)

They seem not to be able to see your passwords, even if the passwords are synced to their servers. CLI tool’s open source nature lets me check that — this pleases me. I also checked how the passwords are synced. Apparently, there’s an upload queue (presumably containing unsynced passwords), and the whole database seems to be optionally and as required fetched as a single blob (yes, literally blob; see also init_all(), used sometime during startup). This also pleases me — this is almost the way I would have implemented this.

I’m strongly, strongly leaning towards using this, and using its paid tier. Especially given the strong recommendations from colleagues.

(I am mildly amused that the sync server is apparently written in PHP. I am also slightly unamused by the lack of comments in lastpass-cli source code.)

KeePass ecosystem

This is a strong ecosystem built around KeePass’s file format, and one that strongly supports self-hosting. KeePass2Android seems to support SFTP. The ecosystem seems to value open source, as well: see KeePassX.

Strong contender, due to its open source values. And the UI of KeePass2Android seems nice. But I can’t get around the fact that its idea of syncing is — use a single file.

Surely we can do better than that to handle conflicts in 2015? I’d rather expose my files to a third party than lose passwords to file version conflicts.

But if I was not so afraid of losing data, this would seem like the tool to use.

zx2c4 pass (PasswordStore)

After I already posted the first iteration of this post, I got a suggestion to take a look at pass. And this one is interesting — I got it running in minutes!

Pro:

  • A simple command line tool!
  • Stores one password per file
  • Passwords are encrypted with GPG
    • Just specify your GPG ID (e.g. email address)
    • Since I store my GPG private key, PIN-protected, on my YubiKey NEO (it also does U2F, which you should use as second-factor authentication), this is awesome
  • Changes are optionally tracked with Git
    • I dislike Git, but a VCS seems perfect for this use case
  • There’s Firefox integration and there’s an Android app which seems to use OpenKeychain (hello YubiKey!)
  • The “file format” does not seem to be so much a format as just a directory with a bunch of GPG-encrypted text files in it (and optionally a git repo backing it)

Con:

  • The only Chrome extension I ran into is “in early alpha”
    • …even worse, it says: “It is not planned to add support for managing (adding,changing,removing) passwords to passext. That’s what the pass programm is for.”
    • That statement is essentially a promise for a terrible UX
  • It seems strongly oriented towards UNIX systems… what will I do on Windows?
  • Firefox addon still uses the standalone app
  • If I lose my YubiKey, I’ll lose passwords, unless I encrypt with multiple keys.

The last one is particularly worrying.

Even though, given enough time and considering how simple the “database” “format” is, I could put together proper extensions that manage passwords using in-browser GPG and Git implementations (or at least in-browser GPG + a web service to upload files to a trusted server), I’m not sure I want to invest that time. From the looks of it, I would also lose the ability to use YubiKey; searching for yubikey gpg chrome does not reveal any useful results, so I would assume that only native GPG can do this.

Windows being an afterthought would be less of an issue if the in-browser experience didn’t (seemingly always) depend on the native executable…

Closing thoughts and wishes

All the tools I took a quick look at seem like quality products that, at worst, may have just made an odd choice or two that make them inappropriate for an oh-my-eyes-they-hurt-look-at-the-number-of-devices-and-browsers user, or that lack a certain good feature.

Game passwords

None of the password managers seem appropriate for storing game passwords. I’m saddened by the lack of confirmation that it is possible, under Android, to create a Bluetooth service that advertises the Bluetooth HID profile; that is, I can’t confirm that it is possible to get an Android phone to behave like a keyboard. (Some sources imply this is actually not possible. Others seem to suggest it “just” requires root.)

If this were realistically possible, it would make sense for me to suggest this to the developer of my chosen password manager, or to implement it myself (assuming source code availability): make an app that pretends to be a Bluetooth HID keyboard, lets me choose a password from the list, then “types” the password into whatever game I’m playing.

Maybe this would be a reason to start using Jolla as my third phone?

Self-hosting sync

Other than that, I’d really like an optionally-self-hosted service. One that would either:

  • use a one-password-per-file approach (but still properly encrypted — this is doable, right?), or
  • provide a self-hosted service with a nice CRUD API that the apps, browser extensions and CLI programs would use in the background

The first option could live on FTP, SFTP and WebDAV. If it’s properly content-addressed and append-only, you’d at worst get an outdated file. The second of those would mean fewer files on the filesystem, which is always nice, but would require deploying a service of some sort. (Would Camlistore be appropriate here as a backend and password store viewer? I think so.)

I definitely don’t need a “single-blob database synced to a remote filesystem” approach. That’s scary and loss-prone. Syncing is hard even if we don’t make it harder. I’m not sure I want to use something that even tries to merge two disparate single-big-blob databases, then upload the result back. (iCloud Keychain is, I expect, smarter than this; then again, it’s not a self-hosted service.)
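The content-addressed, append-only variant of the first option, sketched as an added example (not code from any of the tools discussed). It assumes every record is already encrypted client-side and treats the ciphertext as opaque bytes; the function names, the record layout and the dicts standing in for remote directories are all hypothetical.

```python
import hashlib
import json

# A "store" is a dict of {object_name: bytes}, standing in for a directory on
# SFTP/WebDAV. Names are the SHA-256 of the content, so two devices can never
# write different data under the same name.

def put(store, entry, ciphertext, parent=None):
    """Append one encrypted version of an entry; returns its object name."""
    # The entry label is left in the clear here for readability only; a real
    # store would use an opaque id and keep the label inside the ciphertext.
    record = json.dumps(
        {"entry": entry, "parent": parent, "ct": ciphertext.hex()},
        sort_keys=True,
    ).encode()
    name = hashlib.sha256(record).hexdigest()
    store.setdefault(name, record)  # append-only: never replace an object
    return name

def sync(a, b):
    """Two-way sync is a set union; there is nothing to merge or overwrite."""
    for name, data in list(b.items()):
        a.setdefault(name, data)
    for name, data in list(a.items()):
        b.setdefault(name, data)

def corrupted(store):
    """Objects whose bytes no longer hash to their name (bit rot or tampering)."""
    return [n for n, d in store.items() if hashlib.sha256(d).hexdigest() != n]

def heads(store, entry):
    """Latest version(s) of an entry: records that no other record supersedes."""
    bad = set(corrupted(store))
    recs = {n: json.loads(d) for n, d in store.items() if n not in bad}
    mine = {n for n, r in recs.items() if r["entry"] == entry}
    superseded = {recs[n]["parent"] for n in mine}
    return sorted(mine - superseded)

def demo():
    laptop, phone, tablet = {}, {}, {}
    v1 = put(laptop, "forum", b"<constructed ciphertext v1>")
    sync(laptop, phone)
    sync(laptop, tablet)  # tablet now goes offline holding only v1
    # Laptop and phone both change the password before syncing again.
    v2a = put(laptop, "forum", b"<constructed ciphertext, laptop edit>", v1)
    v2b = put(phone, "forum", b"<constructed ciphertext, phone edit>", v1)
    sync(laptop, phone)
    result = {
        "v1": v1, "v2b": v2b,
        "objects": len(laptop),                      # v1 + both edits survive
        "heads_after_sync": heads(laptop, "forum"),  # two heads = visible conflict
        "stale_heads": heads(tablet, "forum"),       # outdated, but still valid
    }
    phone[v2b] = phone[v2b][:-1] + b"X"  # simulate the host damaging one object
    result["corrupted"] = corrupted(phone)
    return result

if __name__ == "__main__":
    print(demo())
```

Concurrent edits show up as two heads for the client to resolve after decrypting, instead of one silently replacing the other.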

So, choice?

I’m still making the choice between LastPass and KeePass, but I’ll probably go with LastPass. Especially given the opensourced nature of the CLI tool, and how easy it is for me to validate that they’re doing the right thing with syncing passwords (at least in the CLI tool).

And when I already finished writing this post, pass came into play. It feels better than KeePass — this is, in my world, a strong contender.

Google’s recent sins

Here’s a list of some of the sins that Google committed against me as a small user, and without leaving me a venue to vent myself off (where someone might actually read it).

Let me point out: most of them are not evil — unless you consider willful sloppiness evil. I also still love Google. I am however highly frustrated by some of the stuff they do.

Google Talk app for Chrome… OS
After introducing Chrome Web Store, Google managed to frakk up one of its offerings. Google Talk app is available only for Chrome OS. One of the commenters alleges that this is because on other platforms the browser lacks capability to show popups and other feats of integration. Well, the way out is clear then, isn’t it?

GoogleSoftwareUpdateAgent on Mac
Read more in my previous post. Read more in this post why having this agent is evil.

Charging $5.00 for adding content to Chrome Web Store
I understand this one — they’re trying to filter out spam this way. I agree, this is a good way to do it. Still, I had to cash out $5.00 to add a free app and no way of getting the cash back… because Google Checkout merchant accounts are unavailable outside US (and UK, I think).

Google Checkout merchant accounts are US/UK only
Google is one of the first mega-ultra-big computing-related companies that offered its services in Croatia, in Croatian, and overall localized. We also got Google Translate support relatively early in its development, and it works relatively well. It’s true that some of the services lag an internal release or two behind their .com counterparts, but still, for a 4-million-strong country, we’re pretty well supported. We can also receive payments from Google Adsense; they simply mail a check.

Then Google Checkout comes and Google frakks up by not allowing me to earn money that way. Then they do an even worse sin, and allow Chrome Web Store payments only through Checkout. Hello, guys! We can already receive money from you. Apple allows app developers from Croatia to earn money from iPhone development (and soon Mac development). Why the hell can’t a company that already has a payment system in place, that is obviously dedicated to Croatian market, and overall is obviously familiar with Croatia, introduce its payment system over here?

Google Latitude is iOS4 only, Google Goggles is iOS4 only, new Gmail interface is iOS4 only, …
Frakk you on this one, Google, seriously. Have you heard about NSObject’s “respondsToSelector”?

Damn you for making Latitude iOS4 only. My iPhone 2G is not good enough for it? Oh, you mean the point of the app is sharing location in background? You mean there is no chance that I might not want to load the web-based app in Safari? That’s right, on iPhone 2G Safari is “HYPER-FAST” and Latitude loads instantly on it — why the hell would I want a native app?!

Damn you for filtering Google Goggles out of your app. My iPhone has a camera already — why the hell can’t you process a static image I photograph and extract the data from that?

Damn you for leaving us 2G users to use the old interface of Mobile Gmail. You told me on Twitter (can’t find link, sorry) that you had to override native scrolling in order to do some of the magic. What about simply using “position: fixed;” for your toolbar? That was not possible? Because that’s basically why I want to use the new interface — I really am not interested in much else.

No native client Google Talk with video chat
Hey Google. I don’t want your browser-based plugin. I want to use native Google Talk as you used to develop for Windows, but I want it to have video chat support. And I want to use it on my Mac. Did you know, Google, that Gmail video plugin is the only way your Mac users can use video chat? No, that’s not acceptable — I don’t want to have to switch to one of a zillion Safari tabs I have open whenever I receive a message, and I don’t want people’s clients to get confused about which client to deliver to.

And your plugin crashes often, taking Safari down with it. That. is. not. acceptable.

Fragmenting people more and more
They began by having screwy support for Google Talk on Mac and Linux (no native client). Then they went on doing the same with Video chat plugin (only recently was it released).
Chrome was also very delayed on Mac and Linux and initially had LOADS of Windows-specific code. Why?
Then Google began offering services only on Android (Google Goggles).
Then they went on discriminating me by offering new stuff only on iOS4.
Then they went on discriminating me by offering new stuff only on Google Chrome OS.

What the hell, Google.
What the hell.

Sorry, blog readers, I had to get this out of my system. And who knows, maybe someone from Google will actually come and read this, and start to wonder what end users might think about it. You can’t compare yourself to Apple: Apple is dedicated to a single platform, but grudgingly supports another. You, Google, support “everything” — you are a web company, remember? You want to support everyone.

In the end you don’t.

Google, get your shit together. I hope I won’t have to move to my own setup. But maybe worrying about backup, setting up open source solutions, et cetera is less trouble than having to worry about in what way I will next be looked down on by Google, because of the place I live in, because of the computer I use, or because of the phone I use. Of course, it is not so yet, but …

Google’s built-in page previews — reason for releasing Chrome?

After all the years we’ve had Firefox plugins to insert page previews into search results, Google finally added their own. They dubbed it “Instant previews”. These previews are vertically larger than what any of the plugins did before, they include enlarged select portions of text relevant to your query, and they appear only when you click on a search result text (not on the link). After that, you can just hover the mouse above search results.

So what I wonder is: could it be that Google embarked on a journey to build a hyperfast browsing experience in order to provide a better search experience? Or was Chrome really just a part of a larger scheme to collect customer data and statistically analyze it, as was thought previously? I’m not sure; probably it was “let’s build a browser first” and then “what can we use the browser for?” — but the idea that Chrome might have been developed in order to alleviate performance issues that using some other browsers might create when running on Google’s servers does not strike me as impossible. This way, they can generate previews without creating a horrible, horrible impact that using some other browser might create.

I just wonder when we’ll be able to see the codebase they use for creating the previews, and whether they will even release it, considering that WebKit’s LGPL (derived from KHTML’s LGPL) does not require source code release unless the binaries are released; even then, if libs are dynamically linked, source code release is required only for modified library binaries. Still, having a free, usable off-screen rendered WebKit would be very useful. But oh — there is already such a thing, for example Origyn Web Browser (site seems down, here’s a Wikipedia link).