Secure code: Roboform (proprietary) vs FOSS password managers - TechRepublic
General discussion
February 11, 2011 at 03:20 PM
itsecurityguy

by itsecurityguy. Updated 15 years, 4 months ago

A while back, I started looking for a FOSS solution for keeping track of my passwords. I did so as a result of Michael Kassner’s strongly stated preference for FOSS. MPK’s bias seemed to be supported by the implied belief that proprietary code is prone to too much reliance upon “security by obscurity”.

While I don’t completely disagree with that, I recently had occasion to correspond with Siber Systems about my reasons for not recommending RoboForm 7 for my clients (primarily my lack of interest in trusting the cloud-based features). I also expressed concern about their statement that RoboForm 6.x code was frozen and would not be developed any further.

In their response, Siber Systems explained that 6.x would continue to be supported and pointed out that RoboForm has never required any patches for security vulnerabilities. All updates were developed for enhanced function or stability, not lack of security.

This reminded me of several threads here, where it was assumed that RoboForm was not good enough because it isn’t FOSS. After reading the reply from Siber Systems, I decided to perform a vendor search on Secunia’s database of advisories for vulnerabilities.

I was quite pleasantly surprised to learn that none of the five pieces of software listed for Siber Systems has EVER been the target of a single Secunia advisory between 2003 and 2011. It seems that Siber Systems has apparently been capable of publishing secure code long before Microsoft’s big effort began in this area. Either that, or their security by obscurity has been extremely lucky.

I will continue as a satisfied user of Roboform, feeling at least as safe with high quality (albeit proprietary) software, as anyone choosing to shun it in favor of FOSS. It’s only free for 10 or fewer passwords, but it’s worth the price to secure my 200-300 sets of unique credentials, as well as my personal information for completing forms. I even trust it with my SS number and a CC number, its expiration date & authorization code, because it pops up a warning, whenever it fills a field in a form with those critical items of information.

Being unable to PM Michael Kassner, I decided to post this in the hope he sees it. I would be interested in anyone’s feedback on alternative solutions. I am still interested in using an additional factor, aside from the biometrics I already use on my laptop, my SecureTouch mouse and my MXI ClipDrive Bio.

Michael got me interested in the YubiKey. However, I haven’t convinced Siber Systems to link it up with RoboForm directly, although there is at least one FOSS Password Manager which supports it. I haven’t gotten around to trying to implement it in tandem with RoboForm myself yet. Any ideas or feedback on this?
