RoboForm



RoboForm securely stores your passwords with your Master Password, which is used to generate your encryption key. The Master Password is the one and only password RoboForm users are required to.

June 29, 2014 · Tags: aes, bypassed, cracked, decryption, encryption, hacked, insecure, password manager, roboform, security, security review

TL;DR - Your master password is sent to Siber Systems and the mobile applications are insecure.

Described by its creators, Siber Systems, as 'completely secure using military grade encryption', Roboform has been knocking about since 1999.


Now, I have a rule when testing password managers. If the vendor describes it as 'military grade' or 'completely secure', I'll set aside 5 minutes to demonstrate why that's never, ever true.

Solid security is a mixture of security & usability; a balancing act made ever-more difficult as the attack surface increases. There are mobile apps, desktop apps, USB data silos, cloud storage and online portals... each one is a potential point of failure. To mitigate this, Roboform uses AES256 encryption; unquestionably strong and used as the basis for nearly all password managers today. Although it facilitates security, it doesn't naturally impart 'military grade' security.

Roboform Everywhere Portal:

Any encryption is only as strong as its weakest link. In this case, your master password **should be** all that stands in the way of someone gaining access to your digital life. It's absolutely crucial to pick a long, strong master password and most importantly, keep it private. If you believe the sales blurb, you're led to believe that you and you alone know your password.

So, let's log in to the online portal and take a look at what's going on in the background.

Hang on, those details are being returned in plain text... not encrypted! That means they're either storing them in plain text or they're encrypted and the server knows our master password.

I quizzed Roboform via Twitter.

RoboForm: @Rambling_Rant Paul, we decrypt the data locally, not on the servers.

— RoboForm (@roboform) June 9, 2014


Well that's clearly not the case here, so I dived deeper. A quick Google search revealed an interview with Vadim Maslov, CEO and Founder of Siber Systems, during which he said...

Something doesn't ring true here. They're absolutely adamant that your private master password remains private, as it's never sent to Siber Systems. I ran the test again, this time watching the network traffic as I entered my master password.

Sure enough, there's the master password (see 'p' param in form data)... plain as day. No hashing, no KDF... it's sent in exactly the same fashion as any other authentication process. Note 'authentication', not encryption.

Now I'm pissed off. If you're going to store my 'private' password on the server for the life of the session, at least have the decency to be honest about it. It's a bad design and totally unnecessary.

If you're required to hand over a password, a phrase or indeed anything you know to gain access to your data, that's authentication... not encryption. They may encrypt the data at some point down the line and I see no reason why they'd choose to keep your key, but it doesn't alter the fact the entire process has been undermined from the outset.
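The design this paragraph argues for, the master password never leaving the device while the server authenticates on a separately derived value, as an added example (my own code, not RoboForm's or Siber Systems'). It uses only the Python standard library, so an HMAC-SHA256 counter-mode stream stands in for AES-256; the user names, salts and vault contents are constructed, and the real portal's wire format is not reproduced.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed illustration, not RoboForm's code: the master password is stretched
# once on the device and split into two sub-keys. Only auth_key ever goes to the
# server, which can therefore verify the user but never decrypt the vault.
KDF_ITERATIONS = 100_000

def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)
    vault_key = hmac.new(stretched, b"vault-encryption", "sha256").digest()
    auth_key = hmac.new(stretched, b"server-authentication", "sha256").digest()
    return vault_key, auth_key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-256 (the stdlib has no AES)
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, b"tag" + nonce + body, "sha256").digest()
    return nonce + body + tag  # the only form of the vault the server ever stores

def open_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, b"tag" + nonce + body, "sha256").digest()):
        return None  # wrong key or tampered blob: refuse to emit plaintext
    return bytes(a ^ b for a, b in zip(body, _keystream(vault_key, nonce, len(body))))

class SyncServer:
    """Stores a salted hash of auth_key plus the opaque blob, never the password."""
    def __init__(self) -> None:
        self.accounts = {}

    def register(self, user: str, auth_key: bytes, kdf_salt: bytes, blob: bytes) -> None:
        vsalt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_key, vsalt, 10_000)
        self.accounts[user] = {"kdf_salt": kdf_salt, "vsalt": vsalt, "verifier": verifier, "blob": blob}

    def login(self, user: str, auth_key: bytes) -> Optional[bytes]:
        acct = self.accounts.get(user)
        if acct is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", auth_key, acct["vsalt"], 10_000)
        return acct["blob"] if hmac.compare_digest(check, acct["verifier"]) else None
```

Everything the server holds (verifier, salts, blob) is useless for decryption without the device-side vault_key, which is the property the 'p' parameter observed above throws away.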

Back to Twitter... this time over DM.

So they do decrypt on the server and they do receive a copy of your master password! What happened to 'never sent to the server' Vadim?

It's also worth noting that Roboform was installed throughout these tests. The application was running and the Chrome plugin was enabled too.

Roboform Everywhere for Android/iOS

If you haven't yet seen enough to question how safe you are, let's move on to the mobile applications.

Like the desktop version, Roboform Everywhere for Android/iOS uses the same AES256-based platform. Unlike the desktop app however, it's laughably insecure. I spotted a review/giveaway offer on Twitter (see http://theysmell.com/roboform) and noticed this screenshot.

So you can access the application with a PIN number instead of the master password, sounds cool... right?

Think about it. Your data is encrypted and only someone with the master password can decrypt it. If you're not entering it, it must be stored on the device along with your data and 'protected' with a 4 digit PIN.

Let me make this clear from the outset.

Roboform Login

That's possibly one of the most stupid features I've ever seen.

If you're going to replace encryption with authentication, you'd better make damn sure you do it right. Better yet, don't do it at all.

On iOS, that 4 digit PIN has just 10,000 possible combinations. A modern PC can count to 10,000 in a heartbeat, but there's a rate limiter which prevents you simply trying every combination. That's easy to bypass though. On Android, there's no rate limiting at all, but you're not limited to just 4 digits either.

So if you lose your phone or it's stolen, you'd be forgiven for thinking this 'AES256, military grade, completely secure encryption' would be virtually impossible to break.

Yeah, about that...

So without knowing the master password or PIN, we've gained access to the data. Worse, it's synchronized with the cloud automatically, so any changes would propagate to every other device linked to that account.

Summary

As a cryptographic algorithm, AES256 is immensely strong... and therein lies the problem.

Anyone can incorporate AES into their application, but very few do so safely and securely. It's just as important to know how it's built, not just what it's built on. Crypto alone won't save you.

What's the source of entropy?
Which KDF is used, if any?
How are keys handled/transported?
What does the threat landscape look like?
Do you decrypt in segments or in bulk?
How do you obfuscate those crucial keys while in memory?
Are you clearing that memory securely when it's no longer needed?
Where does the encryption/decryption take place?
Do we use any techniques which aren't peer-reviewed or could be classed as 'out of the ordinary' or 'roll your own'?

... just some of the vital questions which Roboform (and many others) fail to answer.

So next time you hear 'completely secure' or 'military grade encryption', run a mile. It's a $20 password manager! It's OK...

Two enterprise-worthy password managers: LastPass and RoboForm http://t.co/uP0K2UAfbr by @edbott on @TechProResearch — TechRepublic (@TechRepublic) June 11, 2014

... but enterprise-worthy? I'm not sure.


Roboform Password Manager

If you’re a RoboForm user then you already know its value and save a lot of time by filling forms and logins automatically. But there are some options that let you get the best out of RoboForm, and it would be a pity not to use them.
Here are several tips on using RoboForm that helped me improve its usability:

  1. Keyboard shortcuts. If you don’t use them yet, you should start to do so. Of course you don’t need all of them, but some turn out to be very useful for me, like: Fill & Submit (shortcut Alt+Z, it fills in the login details automatically and submits them), Save Forms (shortcut Alt+[, if you’re filling in a form/login for the first time you can use this shortcut to save the details if RoboForm doesn’t ask you to do that) and My Identity (shortcut Alt + 1-9, which fills the current form with the details saved in the identity that you choose).
  2. Set as Default option. It often happens that you have several logins for the same site; for instance, for Yahoo you have 4 email accounts and you saved the logins for all of them, but you use one of them more often. In this case you can set that passcard as the default one, so when you click on the matching passcards tab that login will be entered automatically. To set one passcard as default, visit the website that you have several entries for (Yahoo as an example), wait until the matching passcards appear, hover with the mouse, right click the one you want to save as default and select that option, just like you see in the image below. From now on, whenever you click on that matching passcards button the default login will be entered.
  3. Passcard shortcut to desktop. If you have several passcards that you use more often you can create a shortcut for each of them on your desktop. Having too many isn’t recommended, but 2-3 shortcuts on your desktop are useful. To create a shortcut just right click a passcard and select Add Shortcut To->Desktop (if you have enough space you can add it to the quick launch too).
    Once the shortcut is saved on your desktop, you can simply double click it and it will open the webpage, fill in the login details and submit them, so it acts like a bookmark too.
    One more thing here is the feature that I marked in the previous image, Fill Empty fields only. This is particularly useful when you’re using a browser such as Firefox that also saves the information you fill in. Thus, there’s no need to click on RoboForm to fill a field that’s already been filled.
  4. Fill and Submit as default action. A normal login page has a Username (email address) field, a Password field and a Submit button. By default, when you click on the matching passcard in RoboForm it only fills your details in, and you have to click on Submit. There is however an option in RoboForm that, once enabled, fills in the details and “clicks” on the Submit button.
  5. Autofill web forms. By default, when you get to a new web form RoboForm will not prompt any window to fill in anything. There is an option that you can check to have RoboForm prompt a window to fill in details from your identities and/or passcards on a new web form. This is useful with forms that are similar (like forum registrations, sweepstakes forms).
  6. Recently used passcards/safenotes. I have many passcards and safenotes, and usually in a day I’ll use at most 8-10 logins (at home). Those are saved in a recently used list that you can easily access if you press the Logins/Safenotes button in the RoboForm toolbar. Instead of going through all the logins alphabetically you can just use the entry from the recently used list.
  7. RoboForm on USB. Pass-2-Go is the portable version of RoboForm. It acts just like RoboForm does, but you install it on a USB drive and use it from there. It lets you use someone else’s PC without having to remember your passwords, because everything stays on the USB drive, so there’s never a risk of anyone on the host PC seeing them; and if you lose the USB drive, everything is encrypted and nobody will be able to read the data without the proper password. If you don’t have a USB drive you can order one from RoboForm too.
  8. Always on top. Don’t blush yet, this is an option in RoboForm. I love Opera, but one of the things that I miss in it is the fact that I cannot use RoboForm, and let’s face it, the Wand option in Opera is not very good. This is why I came up with a compromise: keep a Passcard editor window always on top of all other windows when browsing with Opera. I can simply copy the username/password by clicking on the small icon in front of each field stored in RoboForm, and paste it into the Opera fields. It’s annoying sometimes but you get used to it.

Roboform Free For Win 10

Download the latest version here (approx. 2MB): RoboForm 6.6.5
Download portable version of RoboForm from here: Pass 2 Go 6.6.5