A little background about this post: while I was vaguely aware of RoboForm, I never took a closer look at it until I saw the following post by Derek: Beware of fake shopping sites. What it basically says is that a password manager (such as RoboForm) will help you avoid phishing sites, because it will notice the different URL and will not pre-fill your contact details, thus giving you an additional warning sign that something is phishy :-)
I have a great deal of respect for Derek so I did some quick checking around the product. Here are my findings:
- My first question was: how does the company behind RoboForm make money? Because if they don't have a clear way of making money and they are giving away the product for free, you might start to wonder - aren't they giving away my information to make money? I was relieved to find that they have a pro version which costs money. This doesn't necessarily mean that they aren't giving away your information, but there is one less reason for them to do so.
- The animated banner ad reminded me of some "smiley toolbar" advertisements which lead to adware, but taste is relative :-). Another of their marketing methods which I personally found distasteful (although it is certainly legal) is the "Free Password Scan". This is a small tool which, when executed, shows the saved passwords from IE and Firefox. The purpose of this - I assume - is to show how "insecure" those browsers are (BTW, if you need such a tool, I would point you towards the NirSoft utilities). I dislike FUD and negative campaigning (sadly it works quite well).
- A quick test in a VM showed it working as advertised. I have one remark though: while it doesn't store the master password in memory (as the setup boldly points out), it stores the individual account passwords in clear text while it is unlocked. You can check this out using something like Process Hacker or Process Explorer. You should point them at the actual browser process, since that is where the passwords are stored, rather than the main RoboForm process.
- One thing which RoboForm doesn't do is differentiate between the HTTP and HTTPS versions of a site. It happily fills the secure version of the page with credentials saved on the insecure version and vice versa, potentially exposing the user to an sslstrip-type attack, which becomes more and more important because of the wide use of wireless networks.
- Finally, I would like to comment on something Derek wrote in his post (so this is not an official statement from RoboForm as far as I know): "ROBOFORM ... keeps all passwords in a secure encrypted database that only you (not a keylogger or malware) can access and use it". This is and isn't true. It is true that keyloggers won't see your individual passwords, but they will see your master password (!!!). Also, while RoboForm will protect you against malware which specifically targets the password store of browsers (and there are quite a few of those out there), it will not protect you against the ones which inject themselves into the browser and simply capture the contents of any HTML form which has an INPUT element of type PASSWORD in it - and of course neither will SSL/TLS. There are quite a few out there which do this.
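To make the HTTP/HTTPS point concrete, here is an added example (my own illustration, not RoboForm's code) of the two autofill rules side by side: a host-only match, which is the behaviour described above, and a strict origin match on scheme, host and port, which refuses to fill a downgraded http:// copy of the page or a lookalike host. The saved entries are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample credential store: keyed by the origin the password was
# saved on (scheme, host, port). Hypothetical values, not real accounts.
SAVED = {
    ("https", "bank.example", 443): ("alice", "s3cret"),
    ("http", "forum.example", 80): ("alice", "forumpw"),
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def host_only_lookup(url):
    """Weak rule described in the post: match on hostname alone, so a
    credential saved on https:// is also filled on plain http:// (and vice
    versa), which is exactly what an sslstrip-style downgrade relies on."""
    host = origin(url)[1]
    for (_, saved_host, _), cred in SAVED.items():
        if saved_host == host:
            return cred
    return None


def strict_origin_lookup(url):
    """Hardened rule: scheme, host and port must all equal the saved origin.
    A downgraded http:// page, a different port, or a lookalike host such as
    bank.example.evil.test gets no credentials, which doubles as the
    'something is phishy' warning sign the post talks about."""
    return SAVED.get(origin(url))


if __name__ == "__main__":
    for url in ("https://bank.example/login", "http://bank.example/login",
                "https://bank.example.evil.test/login"):
        print(url, "host-only:", host_only_lookup(url),
              "strict:", strict_origin_lookup(url))
```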
In conclusion: I wouldn't trust my sensitive passwords to a closed-source program, and I would always go with an open-source alternative. RoboForm isn't vastly superior in any particular way, and the marketing around it leaves a sour taste in my mouth.
BTW, the links on Derek's site are affiliate links - which is all well and good, I too occasionally have affiliate links in my blog posts - but I would have liked a clear disclosure of this fact.
personally, i don't like my password manager to react in any way, shape, or form to web content (including the url).
i don't trust programs to know when a password should or shouldn't be entered. i prefer to make that determination myself (though i'll still use a password manager to store and even enter passwords in an on-demand fashion). there are plenty of examples of sites that allow user-generated content that have been used for phishing attacks on those same sites (i.e. think of a myspace profile page that looks like a myspace login page but isn't).
if you want to be sure you're on the right page when you enter your password, there's a really easy way to get that - it's called a bookmark.
Personally I don't like password managers, especially if written by others :D. I don't trust... Why use a password manager when mnemonic password formulas exist?
Here are some links:
Link1,
Link2,
Link3.
@marco ramilli:
honestly, password formulas seem like too much work to me. i think most people would be happier with something that stored and entered their 200+ different passwords for them than having to solve a puzzle (the formula) each time they wanted to log in somewhere.
and if trust is an issue, i'm pretty sure password safe is open source so you can examine the code and compile it yourself.
"(...) but it will see your master password (!!!)."
AND THEN? What do you do with my master password? I don't understand your whole post...
@Anonymous - presumably the malware can copy your encrypted database (since it is already running on your computer) and decrypt it with the captured master password.