A review for the online password manager Intuitive Password.

Disclosure: I was requested to look at Intuitive Password, I generally don’t look at online password managers due to a lack of self-interest in them, but I’d figure I’d give it a go if a reader suggests it.

Intuitive Password is a software as a service platform for storing and managing your passwords, similar to KeePass or PasswordState, but out on the internet where you don’t have to manage it and it’s nearly always available.

Registering

Registration page

Registration page is really straight forward, just one minor complaint, the “security question” is an open-ended free form text field. This leads to people putting in things like “how many cubes away from John am I?” (I have actually run into this one before), which after a few guesses you’re into their account. Though honestly this is less Intuitive’s fault and more of how security questions can be broken. Just make sure you pick a really solid security question.

Gmail used to do the same thing, now they have more secure password reset options (phone call, recovery e-mail, or a Google-enabled device).

Logging In

On-screen keyboard, an attempt to fool keyloggers.

One thing I noticed during the log-in process was a Javascript driven keyboard for password entry, on one hand this will fool a lot of keyloggers, on the other hand I have seen keyloggers that tracked enough to pull your password off of this (some take screenshots, others mouse positions on clicks). I couldn’t really imagine myself using it really.

Password Management

All that you’d really want.

Password management is really straight forward and like every other password manager, give it a title, set the password. These fields are driven by what category your password resides in.

Password ratings give a quick visual cue on your password’s security.

Organization

Password category management is nice.

The slick UI really helps with this, and the default layout shows that Intuitive Password isn’t just for logins, but any other encrypted information you want to keep. You can create additional custom categories, each with their own custom fields, leaving it up to you how much or how little you want to keep in here.

This software by default has security questions for general logins, domain/machine name, IP address, etc. for network logins. So a bit of thought was put into having a nice starting configuration for your categories.

Sharing

You can share individual passwords with other people, it’s as simple as inserting an e-mail address. Not exactly useful for larger teams without a lot of tedious work, but it’s good if you want to share a handful of passwords with another person.

Account Management

Account management is straight forward: ability to reset your password, your security question, set up two-factor authentication, pretty standard stuff. Biggest thing I like here is the display of the currently running version of the software. I always like to know when my SaaS platforms get updated (and push for this to be an option on projects I work on).

An interesting feature I’ve observed was login restriction by country, pretty cool little feature.

Additionally they do support the concept of downloading all of your passwords in case you want to move to another platform which is always an awesome option (may be required by law in Australia, not sure), and have the ability to download/restore your own backups in case you’re paranoid about Intuitive Password’s team to be able to do that.

UI/UX

Intuitive Password has a pretty slick UI, I like the look and feel. The only complaint I have is that the textured background that permeates through all UI elements can sometimes make certain letters not the easiest to read (only had that happen once on a specific field), but generally the chosen font size and style makes everything really clear.

As for UX design, everything is pretty accessible and intuitive (heh), the only feature that wasn’t immediately apparent was sharing passwords (I was always mentally driven to the “shared” tab to try to figure things out, not to the bottom of your currently selected password). The integrated help is unobtrusive and very informative and is available throughout the software.

Quick Login

This is similar to your auto-type you have on similar software, this only applies to web based software (so no auto-logging into your games). It consists of a bookmarklet that pulls scripts from Intuitive Password’s servers and will attempt to log you in.

If you attempt to quick login on to a page that Intuitive Password doesn’t know how to log into, it’ll ask you to train it to understand what the login process is. So instead of just jabbing at currently selected fields like KeePass does, it is actually somewhat aware of the website layout (though this wont work for those multi-step banking sites that have a massive amount of security theater going on).

Offline Storage

Offline storage is pretty cool, right now they only support sending you an HTML document with everything embedded. Your passwords sit in a base64 encrypted blob to be decrypted with an AES key derived from your offline password. They’re also looking at add Dropbox, Box, and OneDrive support in the future.

Mismatching password lengths.

One thing I thought was a problem but figured out it was a major benefit was this password screen. Here I’m trying to type a 32 character long password (longer than the 20 character limit), here they only truncate the confirmation password field. This prevents silent truncation of passwords, which is a major thing I complain about in my up and coming post about password security theater causing massive user experience issues.

I like these little details that prevent me from accidentally doing dumb things.

Online Storage

Well if I was to investigate how passwords are stored offline, it only made sense to figure out how passwords are being transmitted online. Due to offline storage I had a lot of hopes for this, until I ran across this:

Password being sent embedded in the JSON response.

I’m kind of surprised that with all the care passwords are given on client-side storage that the server still handles decrypting/encrypting your password for you, meaning a breach at the cloud provider can put your passwords at risk.

This is why I generally like the option like CrashPlan provides — a second password so that the Software-As-A-Service provider CAN’T decrypt it even if they wanted to. There are methods that involve using a single password where this method could be viable (use a derived key from your password to sign something to verify your login instead of sending it to the server, send encrypted data to client to be decrypted with derived key… something of the sort).

Master Password

They do have the ability for you to add additional security to your passwords, via a “master password”, this is still sent to the server and decrypted server side, it really just adds a layer for if someone gets your account password on your desktop.

Overall

Intuitive Password is a pretty slick product, if you’re not paranoid and don’t mind storing your passwords online (and the provider having access) I’d definitely recommend it. I’ve been recommended to eyeball LastPass being as they apparently handle online password transmission differently, so keep an eye out for that review too.

As we use more and more applications online, it becomes more important to be able to stay secure after a data breach at any one of them, last thing we want is to find out one of the sites you subscribe to has had a data breach and uses weak encryption, and a hacker uses that password you’ve reused to gain access to other accounts of yours!

Why Use A Password Generator?

One of the main security recommendations is to use a unique password for every application we have. In my case I’d have to remember over 100 passwords! There are some methods that I’ve seen out there to memorize that many passwords including PasswordCard, but even remembering 100+ combinations of colors/symbols can be difficult. Even when I had rotations of passwords it was hard to remember which sites used which passwords.

Until we move onto something like Public-key authentication (Linux has an option to use this), it is best for us to find a software suite that will assist us in following this very important security guideline.

What Is Keepass?

KeePass is a desktop application (there are mobile versions for Android and iPhone available) that allows you to manage your passwords via a heavily encrypted file. This password can be encrypted using a master password, a keyfile, your Windows account, or any combination of the three. Because your KeePass file is encrypted, you can share it using really simple methods such as storing it on a web server, however I’ve found it best to drop it on something like DropBox or your own cloud using SharePlan or OwnCloud.

Creating a new KeePass database file.

Managing passwords is a snap, it also comes with an auto-type feature, where you put your cursor in the box on the website, go to KeePass, and click “Perform Auto-Type”.

Right click menu, showing auto-type, editing keys, etc.

Additionally KeePass will generate very long and complex passwords, you can tweak the password generation options depending on your need (some sites limit you to a maximum length, very annoying when you have a more secure password you’d like to use).

A long range of options for password generation.

You can store a lot of relevant data with your KeePass passwords, don’t ever forget a username again (for those pesky sites that don’t use your e-mail address)!

New password screen, showing a very complex password length you couldn’t memorize.

Other Options

LastPass / RoboForm / 1Password / Dashline

All of the above applications follow the same general idea: store your passwords on the public cloud. They typically have better integration with browsers to auto-fill form fields (KeePass can get “confused” at times due to form layout, and not fill it out properly). Additionally you don’t run the risk of losing your passwords because you lost your KDBX file, and the sharing of your passwords between your multiple devices is simplified.

Software like LastPass offer local-only decryption, which I find is a requirement before I even consider a cloud offering. However LastPass has had a data breach before that resulted in all master passwords needing to be reset, so it’s hard to gauge how secure the system can be when everything is hinging on your master password that you regularly communicate to LastPass with.

PasswordState

PasswordState is a web based application that provides similar features to the above systems, but for a corporate environment on a private cloud, where password lists may need to be shared or be able to be transferred in the event of a staff member leaving. On top of that you’d want a full audit log of users looking up passwords, and PasswordState provides all of this in a slick interface. This doesn’t seem to have the nice accessibility tools for mobile devices that some of the offerings above have, but the price is cheap (free for up to 5 users, and ~$400USD will cover 10 users for a year, with support being ~$70USD) and for stuff like corporate passwords I strongly recommend private cloud solutions, especially where the sharing of passwords between multiple accounts makes it easier for outsiders to crack into it.

Tag Archives: LastPass

Intuitive Password Online Password Management Review