I’ve been jealous of my Windows friends running Roboform for a long time, so when I first bumped into 1Passwd and started to use it, I was delighted. A lightweight, secure password storage utility that let me easily switch between Safari and Firefox on my Mac with nary a glitch? Excellent!
In the last few weeks, however, I was a bit dismayed to find out that the developer, Roustem Karimov, had completely changed his license scheme and actually forced me to reregister the software and get a completely different kind of registration key: a JPEG graphic with the reg data embedded in the comments (see right).
Curious what had prompted this change, I sent off some questions to Roustem and received back the following interesting information from him…
(My questions are in bold in the Q&A below)
Q: Hi Roustem! What’s going on with this license change?
A: Hi Dave! First off, you can find out more about the license cards and see people’s reaction to our announcement on our blog.
Q: Previous versions of 1Passwd just used the Apple Keychain for internal security. That hasn’t changed, I presume?
A: Yes, all of our data is stored into the Keychain. We use the Apple API to create our own keychain and store all your information in there.
Q: What was your old license scheme? Was it something you invented, or was it a common licensing system for Mac shareware?
A: We would use the user’s email (plus some other “secret” word) and create an MD5 hashcode from it. If the entered email and calculated hashcode matched, then the user would be authorized.
It is a fairly common technique because it is so simple. The problem is that anyone with a debugger can step through the code and see exactly what we do, and thereby figure out exactly how to create their own keys.
The new algorithm not only uses images, but also uses a public/private key based signature to verify the license. In theory, this makes it mathematically impossible to generate a license without a private key which is never included with the program.
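To make the contrast concrete, here is an added example (not 1Passwd’s code; the secret word, key and emails are made up) that puts the two schemes side by side: an MD5-of-email-plus-secret key that any copy of the verifier can mint, versus a license signed with a private key that the verifier never holds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Old scheme, as described in the interview: key = MD5(email + secret).
// Because the verifier needs the secret, it ships inside the program, so
// anyone who recovers it with a debugger can mint keys for any email.
const oldSecret = "shareware-secret" // hypothetical value, not the real one

func OldKey(email string) string {
	sum := md5.Sum([]byte(email + oldSecret))
	return hex.EncodeToString(sum[:])
}

func VerifyOld(email, key string) bool { return OldKey(email) == key }

// New scheme: the vendor signs the license data with a private key that
// never leaves the vendor; the program only carries the public key.
type License struct {
	Email string
	Sig   []byte
}

func Issue(priv ed25519.PrivateKey, email string) License {
	return License{Email: email, Sig: ed25519.Sign(priv, []byte(email))}
}

func VerifyNew(pub ed25519.PublicKey, lic License) bool {
	return ed25519.Verify(pub, []byte(lic.Email), lic.Sig)
}

func main() {
	// With the secret recovered from the binary, the old check accepts any key.
	forged := OldKey("pirate@example.com")
	fmt.Println("old scheme accepts minted key:", VerifyOld("pirate@example.com", forged))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	lic := Issue(priv, "dave@example.com")
	fmt.Println("genuine license verifies:", VerifyNew(pub, lic))

	// Changing the license data (or lacking the private key) fails verification.
	lic.Email = "pirate@example.com"
	fmt.Println("tampered license verifies:", VerifyNew(pub, lic))
}
```

The same structure applies to the JPEG license card: the image carries the signed data, and the verifier only ever needs the public key to check it.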
Q: You reference “the old license scheme broken by thieves”: I presume that’s a reference to a crack formula in a program like Serial Box?
A: Serial Box was one source. But there are many places on the web (like demonoid.com) that listed us along with the pirated license. These sites do a good job of stripping http referral addresses, but every so often they make a mistake and that’s when we find them.
Q: How did you find out that your scheme had been cracked?
A: We saw it cracked in Serial Box first, and then on several other web sites. This was not too bad b/c we could black list the emails.
Later, a ‘customer’ was kind enough to tell us that our algorithm was posted on an unnamed website. This was much much worse b/c now we couldn’t blacklist the email. This was when we realized we had to do something.
The funny part about this story is that this exact same ‘customer’ emailed us when the new license system took effect and asked why he couldn’t have the new license resent. When I mentioned we had no record of him in the DB and GMail only listed him as telling us about the cracked system, we didn’t hear from him again.
Q: Did you see a visible drop in sales against downloads? And do you think that a cracked password for a utility like 1Passwd really hurts sales in the long run?
A: It is hard to say. I think that having 1Passwd listed in Serial Box helped us to get “casual pirates” to download and try the product. I am not really worried about the piracy as I would rather have people use 1Passwd even without paying for it than not using our product at all. At the same time, replacing the license key algorithm certainly helped the sales, at least in the first two days after release.
Q: Finally, it seems like a feature-complete application. What’s next for 1Passwd?
A: We made a lot of progress since releasing the first beta in May 2006. However, we have a lot of very cool ideas that will make 1Passwd much much better. I can’t really get into the details because we do have several competitors watching us closely, but expect to see some fireworks throughout this year and next.
Thanks for the inside scoop, Roustem. I look forward to seeing the evolution of 1Passwd, as do many other Mac users! If I could put in a feature request, by the way, I’d love to have it let me use something like Gmail as a sync home so I could have 1Passwd stay in sync across multiple computers, not just multiple browsers on a computer. And then Mac and PC cross-compatibility too. 🙂
What’s that? You’re still struggling with passwords or trapped with a single browser on a single computer? You really need to check out 1Passwd now, while you still have a tiny bit of sanity remaining!