Elevator Pitch: Clickpass brings some password relief (guardian.co.uk)
23 points by dcurtis on March 27, 2008 | hide | past | favorite | 17 comments


As far as I can tell Clickpass only works with 6 websites. Am I missing something? This is the mother of all chicken-and-egg problems... with no backwards compatibility mode to deal with websites that haven't gone along with a little two-guy startup's big scheme yet. Even Microsoft couldn't pull that off.

Wake me up when it can handle the 200-odd passwords I keep in PasswordSafe for 200-odd websites.


They are an OpenID provider, so yes you can use them with the 11,000 or so web sites that support OpenID.

Obviously it's a lot more slick if you set things up their way. This is the opposite of a chicken-and-egg problem. The fact that there are so few web sites on clickpass while it's getting so much attention motivates implementors to work with them. It sure motivated me.


There is a very big and rather obvious issue of trust with a solution like theirs. I am expected to entrust them with my passwords, essentially creating a single point of failure for a lot of sensitive information. Sorry, can't do. Not even if they were a spin-off of VeriSign.

The only passwords I am willing to share with them at the moment are those I am finding at BugMeNot :)


If you have different secure passwords at every single website and somehow avoid email as a single point of failure then Clickpass/OpenID might not be the right solution for you. For everyone else it's better than what's currently out there, and we are going to implement further security measures going forward.


Email is not a single point of failure, as I just explained in another reply, and Internet users with a rudimentary sense of security are not a rarity. I'm afraid the ignorant "everyone else" crowd you are planning to cater to might not be as big as you expect it to be.

Also, you are tasking yourselves with handling confidential information, so stating that your "lips are sealed and encrypted" is not good enough. I fail to see how this is "better than what's currently out there". Sorry to be peeing in your punch on launch day, but you do have a serious problem with a security disclosure.


1. If your email servers are compromised, then it makes them a single point of failure, as most web accounts are accessible through forgotten-password procedures.

2. Most (66%) users use the same password on all websites, which is a far worse multiple-trusted-party single point of failure. That is what I meant by "better than what's currently out there".

3. For services that really require a significantly increased level of security, like banks, it is very easy and likely that further security measures that don't rely on the OpenID provider will be built in on the websites.

4. It is more important to figure out the security issue and make a rewarding web experience than to hold up one's hands and decrease data portability and increase friction on the web. We are hoping to help that process along and are very open to suggestions on how we can improve that.


Wouldn't it be possible to create a site that remembers all your passwords but only has them in encrypted form? It would use JavaScript on the browser to encrypt and decrypt the passwords (using your master passphrase) before sending them to the server?


Client-side encryption wouldn't protect you against that site turning evil and deciding to steal your passwords - they'd just have to change their code to decrypt your passwords and then post them back to the server.


But they could be audited by looking at the JavaScript, so at least you have a way to prove to yourself they're legit.


How many sites do you use with "I forgot my password" features that send you email? Email is that exact single point of failure for most people.


No, it is not.

The only place where the email can actually be a single point of anything is either my local Inbox or an Inbox at my mail provider. The latter is temporary, so compromising the provider's systems does not jeopardize all my web accounts. And a compromised local Inbox is an indication of a far more serious security breach, not isolated to the email. So, no, your analogy is wrong.


I don't see your point. If I steal the password for your e-mail somehow, I can access your inbox (through webmail or POP or whatever) and then use "I forgot my password" on sites you use to steal your accounts there. If you use webmail and don't delete your e-mail I can search through your inbox to figure out what those sites are. Seems like a pretty serious single point of failure to me.


If Clickpass servers are compromised, then so will be all my web accounts. And I have no reason to believe they will not be.

That's the point.


So, in a nutshell, you trust ClickPass security less than you trust your email provider's security. And, the margin is great enough to overcome whatever ease-of-use gains you might get from ClickPass over email.

Did I get that right?


Partially.

There are attacks that specifically target me and there are attacks that are going after anyone with login credentials. The issue with ClickPass is that it wants to be chock full of the latter guys. This makes it a fat and juicy target for someone looking to grab any credentials. The question of my trust in my email provider here is secondary. It is only relevant if I am personally the ultimate target. See the difference?

The bottom line is that they want to manage my confidential information. This is very ballsy of them and it comes with a LOT of responsibility whether they realize it or not. Or, perhaps, they want to deal with passwords that are OK to be compromised. In the former case they (currently) lack credibility; in the latter case they misrepresent what their service is about. Hence my original comment.


If you're in San Francisco today, don't forget to come to the justin.tv office (36 Clyde Street) to see Peter talk about Clickpass. Talk starts at 12:30pm.

If you're not in SF, Peter's talk will be broadcast at http://www.justin.tv/hackertv
