Tom Olzak

Review: New RoboForm Pro Online Service

In Password Management, Security Management on September 2, 2009 at 11:42

Need to access your passwords, secret questions, and personal ID information anywhere, anytime?  Then you need to take a look at the new RoboForm online service.  I recommend it.

RoboForm isn’t new.  A product by Siber Systems, Inc., the RoboForm desktop application has been helping users auto-fill forms and remember important information for some time.  What IS new is an online service (beta) which allows you to:

  1. Sync your passwords, secret questions, and other identity information with RoboForm servers.  All data sent to RoboForm is encrypted on your own computer with AES under a master password that only you know, so RoboForm itself cannot read it.
  2. Access your online information from any computer with Internet access, without installing any software.
  3. Access your online information using selected smartphones, including iPhones and Blackberries. 

Before we get to the online capabilities, let’s walk through the RoboForm Pro client application functionality.

Client Functionality

The RoboForm Pro client, with a $29.95 price tag for the first license, is available for download.  There is a nice quantity-discount calculator at the site, but $15.95 seems to be as low as it goes.

I downloaded the client and installed it on my desktop (Windows 7 and Firefox 3.5).  After activation (see Figure 1), I restarted Firefox.  The toolbar shown in Figure 2 appeared.

Figure 1: RoboForm Activation

Figure 2: RoboForm Toolbar

The time-to-live for the master password is the most important setting to get right during setup.  As you’ll see as we step through this section, while the client is logged in, anyone at the keyboard has access to every password and piece of private information it holds, so you want the login to expire on its own rather than relying on remembering to log out.  The default is 120 minutes.  I set mine to 10.

The core of RoboForm password management is the passcard.  A passcard contains login and address information for a specific site or application.  There are two ways to set one up.  First, you can navigate to the login screen of the target site or Web application and enter your account ID and password.  You can also pre-configure a site login.   

Figure 3: Create a Passcard

To create my Gmail passcard, I provided a name and left Password-protect checked, as shown in Figure 3.  This requires the master password before the passcard can be used.  I then created an email folder in which to place the passcard.  I also checked Add Shortcut to Links Toolbar.  When I clicked save, a button with the passcard name appeared in the RoboForm toolbar (see Figure 4).  Also saved was the URL of the login page.

Figure 4

The button performs two functions.  If the Gmail login page is not currently displayed, RoboForm instructs the browser to go there.  The second function is the same whether you are at the page or not: RoboForm auto-fills the account name and password fields.  If you’ve previously used this function, a persistent cookie exists on your computer.  When the cookie is present, clicking the button causes the browser to navigate to the page, enter the login information, and log in.  You can disable the persistent-cookie feature by removing the asterisk in the field shown in Figure 5.  (Note: When editing passcards, the password is displayed in clear text.  This is so you can retrieve a forgotten password.  So beware of shoulder surfers…)

Figure 5: Editing Passcards

In addition to passwords, you can store all personal information, including credit cards, bank account info, and social security number, in an identity form.  See Figure 6.  Note that the identity information, like all passcards, is encrypted with AES.  When saved, the identity appears in the RoboForm toolbar, as shown in Figure 4.  You can use it to fill in any browser-based form, and you can create multiple identities.

Figure 6: Identity Form

Finally, you can create free-form safe notes.  I created one to hold a sample security question, as shown in Figure 7.

Figure 7: Creating a Safenote

This is a good time to talk about encryption strength.  RoboForm picks the AES key size from the length of the master password used to protect your RoboForm information:

  • Master password shorter than 32 characters – 128-bit key
  • Master password from 32 to 47 characters – 192-bit key
  • Master password of 48 characters or more – 256-bit key

Keep in mind that a longer key buys nothing unless the password itself carries that much entropy: a key derived from a guessable password is only as strong as the effort needed to guess the password, whatever the key’s nominal size.

If you can’t decide on a password for an account, the create-a-password feature built into RoboForm can help.  There was a small issue with the sample password shown in Figure 7: it contained a dictionary word.  A uniformly random generator will occasionally do this, and it is not a huge problem, but you should be aware that it can happen and glance at what the generator hands you.  Play with this a little.  You can watch the bit strength change as you change the provided parameters.

Figure 7: Password Generator
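As an added example (my own code, not RoboForm’s; the page does not describe how the product’s generator or key derivation works internally), the following Python script reproduces the key-size table from the review, estimates the entropy a master password of a given length and character set actually delivers, and shows why the smaller of the two numbers is what counts.  It also implements a generator that, unlike the one that produced Figure 7, rejects candidates containing a word from a dictionary.  The character-class names, the tiny word list, and the placement of an exactly-48-character password in the 256-bit bucket (the review’s table does not say) are all my assumptions.

```python
import math
import secrets
import string

# Character classes a generator lets you toggle.  The names are my own; the
# review only refers to "the provided parameters".
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{}:;,.?",
}

# Constructed, deliberately tiny stand-in for a real dictionary.
SAMPLE_DICTIONARY = {"pass", "word", "admin", "love", "cat", "dog", "qwerty", "secret"}


def aes_key_bits_for_master_password(master_password: str) -> int:
    """AES key size per the length table in the review.

    Assumption: the review's table does not say which bucket a 48-character
    password falls into; this puts it in the 256-bit bucket.
    """
    n = len(master_password)
    if n < 32:
        return 128
    if n < 48:
        return 192
    return 256


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly at random from
    an alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def effective_strength_bits(master_password: str, alphabet_size: int) -> float:
    """Work an attacker needs, in bits.  The AES key size stops helping once it
    exceeds the entropy of the password the key is derived from, so the
    effective strength is the smaller of the two.  Assumes the password was
    chosen uniformly at random from `alphabet_size` symbols (a ceiling; a
    human-chosen password carries far less)."""
    return min(
        aes_key_bits_for_master_password(master_password),
        entropy_bits(len(master_password), alphabet_size),
    )


def contains_dictionary_word(candidate: str, dictionary=SAMPLE_DICTIONARY, min_len: int = 3) -> bool:
    """True if any dictionary word of at least `min_len` letters appears in the
    candidate, case-insensitively: the condition the review observed in Figure 7."""
    lowered = candidate.lower()
    return any(len(word) >= min_len and word in lowered for word in dictionary)


def generate_password(length: int = 16, classes=("lower", "upper", "digits", "symbols"),
                      reject_dictionary: bool = True, max_tries: int = 1000) -> str:
    """Generate a password from the OS CSPRNG (`secrets`), requiring at least
    one character from every selected class and, optionally, no dictionary word."""
    alphabet = "".join(CHARSETS[c] for c in classes)
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not all(any(ch in CHARSETS[c] for ch in candidate) for c in classes):
            continue  # a selected class is missing; draw again
        if reject_dictionary and contains_dictionary_word(candidate):
            continue  # contains e.g. "cat"; draw again
        return candidate
    raise RuntimeError("could not generate a password meeting the constraints")


if __name__ == "__main__":
    alphabet_size = sum(len(s) for s in CHARSETS.values())  # 26 + 26 + 10 + 23 = 85 symbols
    for n in (12, 20, 40, 48):
        pw = "x" * n  # placeholder of length n; only the length matters here
        print(f"{n:2d} random chars: AES-{aes_key_bits_for_master_password(pw)}, "
              f"entropy {entropy_bits(n, alphabet_size):.1f} bits, "
              f"effective {effective_strength_bits(pw, alphabet_size):.1f} bits")
    print("generated:", generate_password(16))
```

Running the script shows the point of the caveat: a 12-character random master password yields an AES-128 key but only about 77 bits of effective strength, whereas 20 random characters already exceed 128 bits, so from there on the key size, not the password, is the bound.  Rejecting candidates that contain a dictionary word discards only a tiny fraction of the generator’s output space, so the entropy lost is negligible; what it buys is passwords that password-audit tools and reviewers will not flag.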

So far, this looks like something I can use.  However, what happens when I’m not in front of the computer with my client software installed?  Well, I can carry a portable copy of the repository and client on a thumb drive.  Or I can use the new RoboForm online service (beta).

Features of Online Service (beta)

The online service provides you with your passwords, identity information, and safenote data anytime, anywhere.  The data is encrypted with your master password, which only you know.  If you lose the password, you lose your data.  Not even RoboForm can help.

To synchronize your local information with the online service, you first have to create an online account.  The RoboForm client must be installed on at least one computer to create and populate the online repository; once populated, the repository can be read from any browser, as described above.

Once the account is created, and you have synchronized your computer with your online repository, you can access your RoboForm data using an SSL connection as shown in Figure 8.

Figure 8: Online Signup and Login

To sync your computer, click the Sync button in the toolbar.  If this is your first sync, RoboForm needs your online user ID and password, as shown in Figure 9.  Sync settings can be set or changed at any time by using the button shown in Figure 10.  Once configured, the prompt shown in Figure 10 is displayed, allowing you to manually sync your data and select auto-sync if you don’t want to worry about pushing future changes or additions to the online repository.  Note that you can also sync to local or network storage devices.

Figure 9: Sync Setup

Figure 10: Online Sync

There are differences between using the online service and the local client.

  1. Auto-navigation to the login page is not enabled, although the link is provided.
  2. Auto-fill is not enabled, so you have to copy and paste your account ID and password, which are displayed in clear text, into the login fields.  Keep in mind that whatever you copy stays on the clipboard, where other programs on that computer can read it, until it is overwritten, so clear it when you are done, especially on a shared machine.

The online service is free to try while in beta.  No future cost information is currently available.

The last online feature I tested was access via smartphone.  This worked flawlessly when I tried using my iPhone 3GS.  Figures 11 and 12 show the screens provided.

Figure 11: Mobile Menu

Figure 12: Mobile Password Screen

Recommendation

I recommend both the client software and the online solution.  This is the best password, identity, and general sensitive information repository solution I’ve seen.  If you are worried about how RoboForm manages passwords in memory, check out the user manual.  Passwords are purged from memory during events you select.

  1. Thanks for the great review Tom! 🙂

    FYI We’re very close to an alpha for local support for Chrome browser on PC and Safari on Mac.

    In addition, there’s a javascript functionality in the works for beta release in the next few weeks which will allow RoboForm Online users to log in with their passcards when RoboForm is not present or installed…this will be great for when users are travelling or on a non-supported browser. Stay tuned 🙂

  2. But you don’t say that the Roboform Data Folder contains individual files for each login, passcard, securenote, etc, and all of these files have the same Windows name as you see in the above screenshot. If you name them logically, in the form
    http://www.website.com – loginID
    then anyone who looks in the unencrypted Roboform Data folder – i.e anyone who gets access to your machine or USB key – can tell what sites and systems you are logging into, a fair guess at the userID or e-mail address you are using, and what you are writing about in your “safe notes”.
    You can obfuscate the names of all these files by calling them silly names, but then you have to cope with those names within Roboform. If you use a good naming convention for all these – which you need to do if you have a nontrivial number of them, as any serious user will have – then anyone seeing the contents of that Roboform folder (which doesn’t require any password or login) can discover a lot about you.
    The review is superficial in not mentioning this important way in which Roboform security is weak.

    • Thanks for your comments, Tony,

      I don’t believe the ‘weakness’ you describe is a big risk. The master password, if properly constructed, protects these files with strong encryption. As to knowing sites visited by the user, this information is available to an attacker from various sources if he or she tries hard enough to get it. But if the user follows the best practice of assigning a random-character password, a different password for each site, the work associated with guessing your way into access is very high and not worth the effort.

      The purpose of an application like RoboForm is to help manage a host of impossible to remember passwords, protected by one very strong password that only the user knows. I think the software does this very well.
