Comments on: RoboForm & RoboForm2Go Product Review http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/?utm_source=rss&utm_medium=rss&utm_campaign=roboform-roboform2go-product-review Technical and Personal Ramblings of a Bostonian Sun, 05 Sep 2010 12:46:45 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Bill Lawson http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/comment-page-1/#comment-357 Bill Lawson Mon, 02 Nov 2009 03:03:49 +0000 http://www.technicallychris.com/?p=425#comment-357 Reviewer wrote: "I copy the password to the clip board and use it to login once, allow RoboForm to remember it, and then I know I’m safer than using a pets name to login to Bank of America". I do not recommend using that "Copy" function if you intend to use RoboForm2Go on a public computer. That password you just "copied" is easily accessed by preinstalled hacking software that views your clip board. Reviewer wrote: “I copy the password to the clip board and use it to login once, allow RoboForm to remember it, and then I know I’m safer than using a pets name to login to Bank of America”.

I do not recommend using that “Copy” function if you intend to use RoboForm2Go on a public computer. That password you just “copied” is easily accessed by preinstalled hacking software that views your clip board.

]]> By: A http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/comment-page-1/#comment-339 A Thu, 08 Oct 2009 07:29:26 +0000 http://www.technicallychris.com/?p=425#comment-339 HMMMM... YES... This is definitely a security problem ETT. Still, you can encrypt this file and password protect it (ie folder lock) till you use it for the next time. What do you think about that? And another thing… an unauthorised user can also rename usernames, delete them, move them… DISASTER!!!! And I also realized that one (without loggin in) can also synchronize the roboform2go with the online password backups without using any login password. Imagine the result if this person first deletes all logins and then synchronizes!!!! I guess that this means bye bye backup... So I stick to my initial proposal… encrypt the folder that contains this sensitive area. The cheap way to do it is using winrar and setting a password before zipping. HMMMM… YES… This is definitely a security problem ETT. Still, you can encrypt this file and password protect it (ie folder lock) till you use it for the next time. What do you think about that?

And another thing… an unauthorised user can also rename usernames, delete them, move them… DISASTER!!!!

And I also realized that one (without loggin in) can also synchronize the roboform2go with the online password backups without using any login password. Imagine the result if this person first deletes all logins and then synchronizes!!!! I guess that this means bye bye backup…

So I stick to my initial proposal… encrypt the folder that contains this sensitive area. The cheap way to do it is using winrar and setting a password before zipping.

]]> By: ETT http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/comment-page-1/#comment-312 ETT Tue, 15 Sep 2009 16:47:04 +0000 http://www.technicallychris.com/?p=425#comment-312 Thanks for your reply ... " I like that I can simply open the browser and select a passcard, or have the passcard immediately available when I go to a site that has one available." - well, Roboform could still do all that, and in addition could potentially do it at least as securely as most other similar security products which put all the secure data inside one single "vault" file which is entirely encrypted and whose contents cannot be read. The current Roboform design is a bit lazy - I can see why they have done it that way, to allow them to easily sync, passcard by passcard, without thinking too hard, but they have definitely compromised users' security by doing it. If Roboform reworked the product a little to use one single secure encrypted vault file, then the security would be excellent because it would betray nothing at all, but, at the moment, it is just not secure enough. Unfortunately, the publisher's people just keep denying there's a problem. Thanks for your reply …
” I like that I can simply open the browser and select a passcard, or have the passcard immediately available when I go to a site that has one available.”
- well, Roboform could still do all that, and in addition could potentially do it at least as securely as most other similar security products which put all the secure data inside one single “vault” file which is entirely encrypted and whose contents cannot be read.
The current Roboform design is a bit lazy – I can see why they have done it that way, to allow them to easily sync, passcard by passcard, without thinking too hard, but they have definitely compromised users’ security by doing it.
If Roboform reworked the product a little to use one single secure encrypted vault file, then the security would be excellent because it would betray nothing at all, but, at the moment, it is just not secure enough.
Unfortunately, the publisher’s people just keep denying there’s a problem.

]]> By: Chris http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/comment-page-1/#comment-297 Chris Tue, 08 Sep 2009 18:52:40 +0000 http://www.technicallychris.com/?p=425#comment-297 <a href="#comment-295" rel="nofollow">@ETT </a> ETT - The thought has crossed my mind as well. On the one hand, I like that I can simply open the browser and select a passcard, or have the passcard immediately available when I go to a site that has one available. When I put my security hat on, however, I can see that any amount of information for a potential theif is too much. Knowing that I have a gmail account or that I bank with XYZ Corp is a good start into hacking their way into what I'm trying to protect. @ETT
ETT – The thought has crossed my mind as well. On the one hand, I like that I can simply open the browser and select a passcard, or have the passcard immediately available when I go to a site that has one available.

When I put my security hat on, however, I can see that any amount of information for a potential theif is too much. Knowing that I have a gmail account or that I bank with XYZ Corp is a good start into hacking their way into what I’m trying to protect.

]]> By: ETT http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/comment-page-1/#comment-295 ETT Wed, 02 Sep 2009 05:10:00 +0000 http://www.technicallychris.com/?p=425#comment-295 Unfortunately that list of passcards that you can see in the nice screen shot is available for anyone to view, in that same form, showing what services you log into and who the users are, unencrypted, in the Roboform Data folder on your PC and on your USB key. While Roboform encrypts the passwords, it crucially does not encrypt the list. This is a significant problem. Anyone "finding" your USB key can tell a lot about you and the sites you use, and the subject (although not the content) of your Secure notes - what you have written about. I look forward to Roboform's fixing this fundamental failing before we can use it more extensively in our business. Unfortunately that list of passcards that you can see in the nice screen shot is available for anyone to view, in that same form, showing what services you log into and who the users are, unencrypted, in the Roboform Data folder on your PC and on your USB key.
While Roboform encrypts the passwords, it crucially does not encrypt the list.
This is a significant problem. Anyone “finding” your USB key can tell a lot about you and the sites you use, and the subject (although not the content) of your Secure notes – what you have written about.
I look forward to Roboform’s fixing this fundamental failing before we can use it more extensively in our business.

]]> By: Chris http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/comment-page-1/#comment-294 Chris Tue, 01 Sep 2009 19:14:07 +0000 http://www.technicallychris.com/?p=425#comment-294 <a href="#comment-293" rel="nofollow">@roboform</a> Thanks for the product, Scott :) Hope no one over at Ciber minds the stolen screen shots! @roboform
Thanks for the product, Scott :) Hope no one over at Ciber minds the stolen screen shots!

]]> By: roboform http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/comment-page-1/#comment-293 roboform Tue, 01 Sep 2009 18:11:09 +0000 http://www.technicallychris.com/?p=425#comment-293 Thanks for the great review Chris :-) Thanks for the great review Chris :-)

]]> By: Lisa Cox http://www.technicallychris.com/2009/08/24/roboform-roboform2go-product-review/comment-page-1/#comment-287 Lisa Cox Tue, 25 Aug 2009 07:33:34 +0000 http://www.technicallychris.com/?p=425#comment-287 RoboForm is a fantastic tool and the password generator is especially convenient when you just want to get through the sign up process fast. I use the Billeo toolbar nowadays though because I make lots of online transactions and it has a really helpful transaction manager. They're having a contest and giving away an iPhone to US residents who sign up by the 26th. RoboForm is a fantastic tool and the password generator is especially convenient when you just want to get through the sign up process fast. I use the Billeo toolbar nowadays though because I make lots of online transactions and it has a really helpful transaction manager. They’re having a contest and giving away an iPhone to US residents who sign up by the 26th.

]]>