Talking with Marco Barulli about zero-knowledge online password management

A couple of years ago I was enamored with a clever password manager that pointed the way toward an ideal solution. It was really just a bookmarklet — a small chunk of JavaScript code — that used a simple method to produce a unique and strong password for the website you were visiting. The method was to combine a passphrase that you could remember with the domain name of the site, using a one-way cryptographic hash, in order to produce a strong password that would be unique to the site — and that you’d otherwise never be able to remember.

It wasn’t perfect. Sometimes the passwords it generated wouldn’t meet a site’s requirements. And sometimes the login domain name would vary, which broke the scheme. But it introduced me to two powerful — and related — ideas. JavaScript could turn your browser into a programmable cryptographic engine. And that engine could be used to implement protocols that relied on cryptography but transmitted no secrets over the wire.

To my way of thinking, that’s a killer combination. For years I’ve been using Bruce Schneier’s Password Safe, a Windows program that keeps my passwords in an encrypted store. There are many such programs, another example being 1Password for the Mac. This kind of app lives on your computer and talks to a local data store. That means it’s cumbersome to move the app and your data from one of your machines to another. And you can’t use it online, say from a public machine at the library or a friend’s computer.

Imagine a web application that would encrypt your credentials and store them in the cloud. It would deliver that encrypted store to any browser you happen to be using, along with a JavaScript engine that could decrypt it, display your credentials, and even use them to automatically log you onto any of your password-protected services. You’d trust it because its cryptographic code would be available for security pros to validate.

I’ve wanted this solution for a long time. Now I have it: Clipperz. My guest for this week’s Innovators show is Marco Barulli, founder and CEO of Clipperz, which he describes as a zero-knowledge web application. What Clipperz has zero knowledge of is you and your data. It just connects you with your data, on terms that you control, in a way that reminds me of Peter Wayner’s concept of translucent databases.

Clipperz is immediately useful to all of us who struggle to manage our growing collections of online credentials, But it’s also a great example of an important design principle. We reflexively build services that identity users and retain all kinds of information about them. Often we need such knowledge, but it’s a liability for the operators of services that store it, and a risk for users of those services. If it’s feasible not to know, we can embrace that constraint and achieve powerful effects.

26 thoughts on “Talking with Marco Barulli about zero-knowledge online password management

  1. Sounds like there’s room for a new microformat: a way to mark up a password field in an HTML form with a regular expression (or other machine-readable rule) that describes the site’s password rules so that in-browser engines can generate suitable strings.

    1. a way to mark up a password field

      That’s a good point. One thing that Clipperz struggles with, Marco admits, is the auto-login.

    2. I proposed to Marco to work together on a password microformat definition in early 2007. He and Giulio Cesare didn’t like the proposal, so it remained an idea. I recently reprised it and I am working on a RDF approach. If someone is interested, let me know.

      1. Please contact I am just a customer, but I think they would be open to promoting a standard. I will point them here. Maybe also contact the developers of RoboForm. They would have a vested interest as well as promoting a standard.


    Ah, good tip, thanks Chaim.

    BTW, one interesting consequence of Clipperz in-browser appoach — maybe Passpack’s too? — is that it works offline too, at least in read-only mode. Being a single-page app you can just do Save As HTML and then have the use of it offline.

    1. Clipperz offline copy does not work with a simple “Save as” command (from the browser window); you have to download the offline version using the special link provided in the application interface.

      The file downloaded with the specific link includes all the user’s specific data; this data is not included in the regular page, as the whole page is loaded before performing the login step.

      Other than the data, the two pages are almost identical.

      1. Clipperz offline copy does not work with a simple “Save as”

        Oh, right, forgot I had done that. Thanks Giulio.

  3. Passpack handles that via Adobe Air.

    Free Desktop Password Manager

    An optional tool to accompany your online account. This utility will allow you to access your Passpack data without having to access the website. Handy when dealing with an intermittent internet connection, or as a reader for Passpack backups. Built with Adobe AIR technology, the Passpack Desktop must be installed on your computer to work, but does not require a browser.

  4. Thanks for recommending clipperz, which I’ll look at. My first question is how this compares to Sxipper, which I’ve been using for a while, albeit only on Firefox

    1. how this compares to Sxipper

      Sxipper’s still a Firefox plug-in only, right? Clipperz is a browser-independent JavaScript app.

  5. I’ll definitely take a look at clipperz. Early this summer I found a solution to finally replace KeePass ( — a fine and secure tool, but not as portable and browser-centric as I desired): LastPass ( .) It has a rich feature set, a roadmap to additional functionality, what appears to be a mindful development team, and it improves on IE and Firefox security. It’s a rare bit of software beyond the basic productivity tools that I quickly came to consider an essential tool on the 4-5 machines I work on.

    But again, from your recommendation I’m curious about clipperz, as I am surprised to find so many credential management solutions (SSO from the big guys, security-minded tools like these, OpenId, etc.) with no clear breakaway winners — and especially because of my JavaScript addiction.


    1. LastPass

      It sounds like you use it to synch across a set of machines, and that the only missing piece is the kiosk or borrowed machine scenario?

      1. LastPass also has a One Time password options along with Virtual Keyboards for kiosks and borrowed machines. However it looks like the One Time Passwords are generated for you.

  6. i’m going to give a few a try. right now i’m using sxipper for firefox but need a real app for protection and auto generation of passwords.

  7. Seriously: Why on earth should I put my sensitive passwords (and here even all in “one bunch”) into a web application that is not under my own control?

    Don’t get me wrong: The idea of a distributed password manager is great! But this thing has to be open source so that the users can put them on their own webservers.

    One comment about the feature “Anonymity”:
    Yea, sure. Of course the operator of “clipperz” does not need any personal information when users want to register: He gets them “delivered free”, as soon as the user puts the first passwords into “clipperz”.

    As Bruce Schneier once said in one of his Crypto-Gram’s:

    “In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security”

    And this was already 10 years ago:

  8. @foo

    Hi, you can definitely install and run Clipperz on your own web server. You just need to download Clipperz Community Edition (AGPL license) and a PHP/MySQL box.


  9. A much slicker and easier to use JavaScript bookmarklet that will generate a hashed password is SuperGenPass (

    SuperGenPass doesn’t just hash the site address, but combines it with your personal password, so each site can have a unique password and you only have to remember a single password. It’s also portable, so as long as you have the bookmarklet on all of your browsers, it works everywhere without having to store any information other than the core password that you need to remember.

    1. The only drawback to this approach is that it doesn’t work for affiliate networks with differing domains (i.e. ZDnet).

Leave a Reply to Marco BaruliCancel reply