Review: RoboForm password manager
by Steve Ragan - Jul 20 2009, 10:30
It is great to see Tech Herald reviewing password managers. As a big fan of password managers in general and Roboform in specific, I have had one nagging question that you security experts at Tech Herald might be able to answer:
Is Roboform's claim that it defeats keyloggers accurate? I understand that the master password could be key logged if I enter it via keyboard and there is malware on my system already. But my specific question is what happens after my master password is entered - is it truly impossible for a javascript-based attack in a browser to capture usernames and passwords entered by Roboform?
I know it would be time consuming for you to do, but if you were able to test this claim, it would be incredibly helpful to consumers. If Roboform's claim is accurate, then password managers are an extremely valuable security layer. So far as I know, I have never had a username/password captured, and I am guessing that Roboform is one of the main reasons why (I wasn't even using NoScript until 8 months ago).
Another question about password managers in general: Are there any statistics out there showing how useful they are as a security layer? For example, I'd like to know the % of people who get their usernames/passwords stolen for both password manager users and those who don't use password managers. And I'd like to know the % of password manager users whose master passwords get recorded by keyloggers.
One last comment: As a Roboform user, I would very much like to see two-factor authentication (on the master password), such as a USB stick required in addition to a password. I contacted Roboform last year (via e-mail) about this and was very unhappy with the response from a customer service rep who did not understand my question even after I tried to explain it clearly in a second go-around. As the market leader, I do not understand why they have not added a second factor and why their customer service reps would know so little about security that they could not even intelligently answer a question about two-factor authentication.
That being said, I love Roboform and am very reluctant to change to one of the newer entrants with less of a track record, but LastPass and its extra security features have me awfully tempted (multi-platform, two-factor authentication, one-time passwords, etc.). I may switch after waiting another 6 months or so to see if users report problems/bugs with LastPass.
Been using LastPass for months. I can access my logins seamlessly at home and work. Best of all, it is free.
Some other decent desktop password managers are Keepass, 1Password, Password Safe, and SignUpShield. Some USB password management products are IronKey and ID Vault.
I personally prefer a standalone device (Atek's Logio Secure Password Organizer) so I don't have to worry about the keylogging mentioned in another comment as well as potential other security concerns. It's a little less convenient but gives me peace of mind knowing my password database can't be hacked via the Internet or my computer. It also has the benefit of being entirely portable.
Thanks for the great article :-) For users who are looking for USB version of RoboForm we also have RoboForm2Go.
The above review is typical of the large number of uncritical reviews of Roboform that abound on the web, usually on sites and blogs of people who earn a commission off promoting it with favourable reviews.
The reviewer does not mention that you have to be extremely careful not only to enable a master password, but to also enable the option to encrypt all the passcards, etc, with that master password. That option does not seem to be set on by default, and you could easily think that you were protected by a master password when, in fact, all or some of your passwords were unencrypted despite the appearance that they are secure.
How many Roboform users systematically re-force Roboform to encrypt them ALL from time to time to be sure? I have looked in people's Roboform folders to find random logins unencrypted.
Roboform also tends to claim on its site and in documentation that it encrypts 'all' your secure data, when this is not literally true. Even if you have set a master password on, and even if you have set the option to encrypt everything with the master password, most users would be horrified if they used Windows Explorer to take a look in the Roboform Data folder where Roboform stores all the passcards and secure notes as individual Windows files.
Sure, at best, the passcards' contents are encrypted so that the passwords are not obvious, but each passcard, secure note, etc, is stored with its title in plain view in the Roboform data folder, and that tells anyone who looks in there a lot about you and what you are trying to secure.
This is particularly true if you have used the import function to import passwords from, say, your browser. The passcards, secure notes, etc will end up automatically named very logically in such a way that a casual observer will be able to see the names of the web sites you log into, and probably the e-mail addresses you use as a login (although not the password itself), the name of the banks you deal with, and the subject matter name of your 'secure' notes. This gives away a lot about you and sows the seeds of the possibility of some social engineering to access your confidential data.
This is an amazingly fundamental flaw that Roboform, which could otherwise be a good product, has totally failed to address. Almost every other password manager, including the free ones, stores all its data in one secure file which is encrypted by the master password and which, if you edit it or dump it, will tell you nothing because the contents look random. The fact that a product claiming to be the market leader, and assumed by many to be the market leader, does NOT do this is astounding.
I have had conversations with Roboform customer service who totally fail to see that there is the slightest problem here. They apparently have no intention of addressing this. They did say that, if you name your passcards logically then you are a fool, and that you should name them so their names give nothing away. Sure, you can do this, but then when Roboform displays a list of your passcards, instead of looking like
Paypal - me@hotmail.com
eBay - myaddr@gmail.com
BankA - checking account
they will look like
asjdhkajsdhkasdhkaj
dfjfsldkfjlskdfklsd
sdkjlsflskdklsdflksdjf
which is user-unfriendly and, if you have more than a trivial few logins and bank accounts, unmanageable.
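The comment above describes a metadata leak: even when each passcard's contents are encrypted, a file per passcard named after its title tells anyone who lists the folder which sites and accounts you have. The following is an added illustration, not code from the page or from RoboForm. It builds two on-disk layouts from constructed sample titles and shows what a directory listing reveals in each, and how a keyed (HMAC) filename keeps one-file-per-entry without exposing the title. The `.rfp` extension is taken from the thread; the PBKDF2 name key, the salt, the `CIPHERTEXT_STANDIN` body and the titles are assumptions for the demo, and real content encryption of the body is out of scope here.

```python
import hashlib
import hmac

# Constructed sample passcard titles in the "logical" naming style the comment
# criticises. Not real accounts.
SAMPLE_TITLES = [
    "Paypal - me@hotmail.com",
    "eBay - myaddr@gmail.com",
    "BankA - checking account",
]

# Stand-in for an encrypted passcard body. A real vault would encrypt the body
# (title included) with an AEAD keyed from the master password; that part is
# out of scope because the leak under discussion is in the file NAMES.
CIPHERTEXT_STANDIN = b"<encrypted passcard body>"


def title_named_layout(titles):
    """One file per passcard, named after its title (the layout being criticised)."""
    return {f"{title}.rfp": CIPHERTEXT_STANDIN for title in titles}


def filename_stems(layout):
    """What an observer without the master password sees: the names, minus extension."""
    return sorted(name.rsplit(".", 1)[0] for name in layout)


def derive_name_key(master_password: str, salt: bytes) -> bytes:
    """Assumption: a dedicated naming key derived from the master password with PBKDF2.
    Deterministic, so every machine with the same password and salt derives the same key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, 200_000, dklen=32
    )


def opaque_filename(name_key: bytes, title: str) -> str:
    """Keyed, deterministic filename: same title -> same file everywhere, so the
    per-file sync the thread praises still works, but the name reveals nothing
    to anyone who lacks the key (they cannot even confirm a guessed title)."""
    tag = hmac.new(name_key, title.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{tag[:32]}.rfp"


def opaque_named_layout(titles, name_key: bytes):
    """Same one-file-per-passcard structure, with keyed names instead of titles."""
    return {opaque_filename(name_key, t): CIPHERTEXT_STANDIN for t in titles}


def locate(layout, name_key: bytes, title: str):
    """Owner-side lookup by title: recompute the keyed name, no plaintext index needed.
    Returns the stored body, or None if the key or title does not match."""
    return layout.get(opaque_filename(name_key, title))


if __name__ == "__main__":
    salt = b"constructed-salt"          # would be stored alongside the vault
    key = derive_name_key("correct horse battery", salt)

    print("Title-named folder, as seen by anyone who can list it:")
    for stem in filename_stems(title_named_layout(SAMPLE_TITLES)):
        print("  ", stem)

    print("Keyed-name folder, as seen by the same observer:")
    for stem in filename_stems(opaque_named_layout(SAMPLE_TITLES, key)):
        print("  ", stem)
```

Running it prints the three account titles for the first layout and three hex tags for the second; `locate()` with the right password still finds "Paypal - me@hotmail.com", while a wrong password produces a different tag and finds nothing. Because the tag is a keyed hash rather than a random name, two machines sharing the master password produce identical filenames, which is what keeps file-by-file synchronisation simple.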
@PrivacyMatters: Thank you for your input and comments. Please excuse the lengthy reply.
Hundreds of respected media outlets have written product reviews for RoboForm. These range from PC Magazine, PC World, and CNET to the New York Times and the Wall Street Journal. While we do have an affiliate program, as do virtually all software publishers, I do not see what this has to do with the current article.
Regarding the use of a Master Password, we agree that this is a very important security feature and this is why we strongly encourage users to create one during the installation process. In addition, this is featured prominently in our tutorial as well as mentions in our FAQ and manual. However, we allow the use of RoboForm without the Master Password as there are users who simply prefer not to use this feature. We do not recommend this, but we believe that the user should have the option to disable. In a nutshell, the Master Password is an opt-out feature.
Regarding the structure of RoboForm User Data within Windows, presumably you are referring to the fact that a user who has, say, a Yahoo password stored would display the file 'Yahoo.rfp' in her 'RoboForm User Data' folder. You are correct that the contents of the file are encrypted, so the username, password, and login URL are encrypted and therefore not known to anyone but the user. I think the operative phrase of your criticism is 'tells anyone who looks in there a lot about you and what you are trying to secure'. The same argument could be said of someone who gained access to your computer (bypassing regular Windows security) and opened your Outlook email or any other (non-password-protected) Microsoft Office product for that matter, to say nothing of most browser implementations. The only difference is that we encrypt our files' content and require the use of a Master Password by default. So a RoboForm user's most sensitive data, i.e. their usernames and passwords, will be the best protected data on their system.
Our own feedback from most users on how RoboForm manages user data has been overwhelmingly positive. For a number of reasons, most seem to appreciate the transparency and flexibility of being able to manage their RoboForm files individually (e.g. the example in the current article). That said, masking RoboForm filenames is a feature that we see as advantageous in some deployment scenarios, so it is under consideration for future releases as an option.
Regarding the use of 'social engineering' to glean users' passwords from the file name, use of the random password generator for each site (referenced in the above article) would make such an endeavor a near impossibility.
@FilterJoe: Regarding the Master Password keylogging, I would refer you to our Virtual Keyboard option on the Master Password prompt.
Regarding the use statistics, we would also like to know the same thing :-) One thing we do know is that it is a widespread best practice to use a different random password for each site you access, since use of common words found in a dictionary is discouraged, along with username variants etc. The RoboForm password generator helps greatly with this as well. We can say that by defaulting to AES, the industry standard in terms of encryption, there have not been any documented breaches of this to our knowledge.
Regarding dual authentication, this is something we are looking at as a potential option down the road. However to date very few users have actually requested it. I apologize if our supporters could not provide you a better answer on this.
@All: It is great that we are having a discussion about user security and convenience. In our opinion the most important thing is for users to seek out any software that will make their browsing experience faster and more secure. Our biggest challenge is to inform and educate users of the existence of password management software in general, since unfortunately most users either use the same password everywhere, write them down on a paper, store unencrypted in a text file/spreadsheet, or rely on their default browser. Surely we can agree that *any* password management software is light years ahead of those alternatives :-)
For any questions/clarifications feel free to email me s2davis (at) roboform [dot] com
-Simon Davis / Marketing Manager
I think it's great to see Roboform being publicly receptive to criticism, but I'd like to add that as an avid user of Roboform since its infancy, it's a bit of a disappointment to see them just now branching out of just two browsers (IE and FF). And now there's Chrome around the corner, but what about Opera? The magic wand can't compare to RF, but indeed Maxthon 2.5 is extremely fast and has lots of advanced features and tab management that make it my standard everyday browser over Chrome or anything else. What about support for K-Meleon? I'd pay for a license all over again just if I could have the right password manager for my favorite browser, but that seems like a distant dream.
Hello Nick,
Thanks for your note. Regarding Chrome, please note that they still do not have a final extension API, which is why you don't see almost any final extensions from anyone for Chrome yet. That said, we've been in touch with their dev team for the last few months while they try to finalize it. We hope to have a Chrome extension out in the next few months, assuming they deliver a final extensions API framework.
Regarding Opera, they have shown an unwillingness to allow outside extensions in general (with a few exceptions). We had reached out to them in the past about this to no avail after our users requested an Opera version. It's now up to Opera users to call them out on this.
FYI, we're also close to launching a native app for Mac Safari. To see which browsers we're actively developing native versions for, please visit the 'Browsers' link on the left navigation bar of our website (Tech Herald does not allow links in comments).
For Opera, Linux, and other unsupported browsers we're also working on javascript functionality that can perform many of the same tasks as the toolbar.
-Simon
I've been using Roboform and Roboform2Go now for a couple of years. I wish I had started much earlier. Coming from a SW Engineering background, I first thought the approach of storing passcards as separate files was lame ... but as I followed some advanced users' approaches to synchronize passcards between different computers, I realized that this approach made it very simple to synchronize data between different computers even if you update miscellaneous passcards on different computers. Which brings me to my next thought/question ...
I noticed that Roboform now has Roboform Online! The geek part of me loves the idea, but the paranoid part of me doesn't like the idea because the Roboform server now 'paints a big red target' as a conquest for people with malicious intent. True, the most secure systems are those where you are willing to tell people how you encrypt the data because experts can fully vet the encryption algorithm ... but nonetheless ... concentrating thousands of passwords on a single server seems to 'invite' attacks. In the normal Roboform mode ... password storage is distributed to the end user and is their responsibility ... which means the likelihood of your data being attacked would be significantly less than if you put it on a server with thousands of other users.
I'd like to hear critical thinking on this subject.
I also noticed that an iPhone app is in the works. That would be cool.
I've heard that roboform steals passwords. Is this true? Can someone back this up?