
PassPack Password Manager

By Patrick | April 11, 2007


This is a long post, but I highly encourage you to read it all. If you can’t read it all, skim it, and then proceed to the bottom of the post where I list the pros and cons of this awesome new web application.

I found out about PassPack the other day while I was scrolling through my daily blog feeds and I was immediately intrigued. PassPack is an online password manager. For those of you who don’t know what a password manager is, it’s simply a program or web-based application that is used to manage the dozens of passwords you have to maintain and keep up with on a daily basis. I personally have over 47 passwords I keep in my manager; that’s probably minute compared to a lot of other people. The need for password managers arose from the security best practice of not using the same password more than once.

I know the majority of users do use the same password or some minor variation for everything from their online banking to favorite message board, but this is a bad habit for people to engage in. However, I am not writing today to discuss password policies; I want to highlight PassPack and why I think it rocks!

The first thing that caught my attention is that PassPack is completely anonymous. They gather NO personal information from you. The only information you submit to them is a user name, passphrase and a packing key. A packing key you say? Yes, a packing key. This is one of the great features of PassPack. First, you need to understand a little bit about how PassPack works. When you go to their website to log in, you are prompted with a Username and Password field. This information gets you access to your “pack”. Your pack is your passwords all packed up in one single encrypted package. This pack, encrypted with government-approved AES, is all that is stored on PassPack’s servers, not the passwords themselves. This is why your passwords are truly secure and non-readable by ANYONE including the PassPack staff.

Once you have logged in successfully to your account, your pack is then sent over a secure connection using SSL to your browser. Mind you, your pack, which has all your passwords and information, is still encrypted and never gets transmitted in the clear, so this encryption on top of SSL encrypted transmission is double security. Once your browser has received your pack, it then asks you for a packing key. This packing key is then used to decrypt the pack that your browser is holding for you. This means your packing key is never transmitted over the wire at all. Another bonus for a security-in-depth approach.

When you add new passwords and usernames to your pack, they are never sent over the Internet. Once you are done adding new password information, you can save your pack. At this point, the pack is encrypted again and sent over SSL to PassPack’s servers. Simple enough, right?
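The flow described above, sketched as an added example; it is not code from the original post or from PassPack. The post only says the pack is AES-encrypted, so the scrypt key derivation, the AES-256-GCM mode, the blob field names and the `sealPack`, `openPack` and `PackServer` names are all assumptions, and Node.js stands in for the browser.

```javascript
// Added illustration, not PassPack's code. Assumed: scrypt KDF, AES-256-GCM, field names.
const crypto = require('crypto');

// Client side: derive a key from the packing key and encrypt the whole pack.
function sealPack(entries, packingKey) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(packingKey, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return { salt: salt.toString('base64'), iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64') };
}

// Client side: decrypt the pack; a wrong packing key or a tampered blob throws.
function openPack(blob, packingKey) {
  const key = crypto.scryptSync(packingKey, Buffer.from(blob.salt, 'base64'), 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Stand-in for the server: checks the login and stores only the sealed blob.
class PackServer {
  constructor() { this.accounts = new Map(); }
  register(user, passphrase) {
    const salt = crypto.randomBytes(16);
    this.accounts.set(user, { salt, verifier: crypto.scryptSync(passphrase, salt, 32), pack: null });
  }
  _auth(user, passphrase) {
    const acct = this.accounts.get(user);
    const ok = acct && crypto.timingSafeEqual(crypto.scryptSync(passphrase, acct.salt, 32), acct.verifier);
    if (!ok) throw new Error('login failed');
    return acct;
  }
  save(user, passphrase, blob) { this._auth(user, passphrase).pack = JSON.stringify(blob); }
  fetch(user, passphrase) { return JSON.parse(this._auth(user, passphrase).pack); }
}

// Constructed sample account and entry; the packing key never reaches PackServer.
function demo() {
  const server = new PackServer();
  server.register('alice', 'login passphrase');
  server.save('alice', 'login passphrase', sealPack([{ site: 'example.test', password: 'S3cret!' }], 'packing key'));
  const stored = server.accounts.get('alice').pack; // everything the server holds
  const entries = openPack(server.fetch('alice', 'login passphrase'), 'packing key');
  let wrongKeyRejected = false;
  try { openPack(server.fetch('alice', 'login passphrase'), 'guess'); } catch (e) { wrongKeyRejected = true; }
  return { leaks: stored.includes('S3cret!'), entries, wrongKeyRejected };
}
```

`demo()` shows the property the post relies on: a valid login yields only ciphertext, and the entries are recoverable only with the packing key on the client.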

This new application is by no means without its opponents. Many people have already voiced staunch disapproval for any type of online password manager stating that the risk is just too great for the compromise of the stored passwords in question. While I agree with this — and never before PassPack have I considered an online password manager — I am comforted that my passwords are not stored on the server per se, only my encrypted password pack. This technology is still very vulnerable to a keylogging attack, so I’m not ecstatic about that. My number one request would be for PassPack to add some type of two-factor authentication. I would by all means pay for a token to have this added security. Then your packing key could be your two-factor authentication code. Until then, just be mindful of what computers you are accessing your PassPack account from and ensure they are trusted computers.

So to wrap up, here are my pros and cons for PassPack:

Pros:

Cons:

For more information and further reading about PassPack check out the following links:

Who is PassPack?
Password and Packing Keys


Topics: Anonymity, Password | 1,963 Comments »

1,963 Responses to “PassPack Password Manager”

  1. Tara Kelly Says:
    April 11th, 2007 at 10:49 am

    Hello,
    You’ve done a wonderful job describing how PassPack works. Your explanation is clear and precise. Thank you.

    We have already started to work towards an anti-keyloggers solution composed of two components:

    1. Disposable Logins (One time Pass and Packing Key)
    2. An auto-login tool

    Number one is live, number two is on the way.

    Thanks for your suggestions, I will happily pass them along and see if we can’t grant your wishes.
    Cheers,
    Tara Kelly
    PassPack Founding Partner

  2. Francesco Sullo Says:
    April 11th, 2007 at 12:45 pm

    Hi,
    thanks very much for your interest and enthusiasm.
    I want to add some information to Tara’s comment.

    About double-factor authentication, it’s in the pipeline, immediately following the auto-login tool.

    About local saving, actually, you can already make an encrypted backup and save it wherever you please. However, if you are feeling creative, you could actually create an account without ever saving your data on the PassPack server. Here’s how:

    1) create an account
    2) import or insert your entries
    3) backup your data on file
    4) exit PassPack without saving your pack

    When you want to connect you would then:

    1) enter in your PassPack account
    2) restore your backup
    3) modify your entries
    4) backup your data
    5) exit without saving

    PassPack will work even without an internet connection. You need only connect to sign in, save or change your account settings.

    Just some ideas…

    Best regards,
    Francesco Sullo
    Software Architect of PassPack

  3. PassPack's April 2008 Buzz Round up « PassPack - The Blog Says:
    May 1st, 2007 at 12:56 pm

    [...] PassPack Password Manager | The Privacy Guy [...]

  4. More PassPack News | The Privacy Guy Says:
    May 1st, 2007 at 2:50 pm

    [...] PassPack Password Manager [...]

  5. Clipperz Online Password Manager | The Privacy Guy Says:
    June 13th, 2007 at 11:28 am

    [...] password manager, passpack, password safe, password vaultA couple months ago, I posted a brief review of PassPack, an Online Password Manager (OPM). When I posted the initial review of PassPack, I was aware of [...]

  6. Alex Says:
    October 28th, 2007 at 2:58 am

    PassPack released a fully working offline version in August.

  7. Direct Login Feature in Clipperz | The Privacy Guy Says:
    April 2nd, 2008 at 3:08 pm

    [...] Prepaid Credit CardsFacebook and the GovernmentThe a.K.a CardPassPack Password ManagerCaller ID Spoofing to be Made Illegala.K.a Card UpdatePassPub – Random Password GeneratorDirect [...]

  8. *-tron » Blog Archive » Store your passwords with PassPack? Says:
    July 8th, 2008 at 11:34 am

    [...] of course, security. After googling around for some other opinions on safety, I found this link, http://www.theprivacyguy.com/2007/04/11/passpack-password-manager/, which seems to agree that it is [...]

  9. MK Says:
    July 22nd, 2009 at 11:53 am

    What happens if someone hacks passpack.com?

  10. MK Says:
    July 22nd, 2009 at 12:29 pm

    Anyway, I suggest people not enter the complete password.

    If you are thinking your password will be bigapple, passwordize it to something like b1g@appl3 (here i is 1, a is @, e is 3).

    When you enter it in passpack, enter it as something like b1***l3, hiding a few chars w/ *. This gives another wall just in case anything is compromised.

  11. MK Says:
    July 22nd, 2009 at 12:31 pm

    If you are using the offline method, crypt the database w/ something like truecrypt so it provides another layer of defense.

  12. Bella Belinen Says:
    July 28th, 2009 at 11:49 pm

    Good answer, I am looking for the solution of the same question. Find the movies or mp3 you are looking for at your-download.org the most comprehensive source for free-to-try files downloads on the Web

  13. Michael P Says:
    July 1st, 2010 at 5:04 pm

    I wonder if this is still worth getting.

  14. Lena Says:
    October 16th, 2010 at 12:24 pm

    I’m using Paranotic Password Manager – http://paranotic.com – this is great and is really very useful. I know LastPass and KeePass too. It’s just too bad I didn’t know about this stuff back when my Paypal account was given limited access because of alleged intrusion in my account as per Paypal. I had to change my password, provide proof of address and stuff to lift the limitation and fully restore my account. Thanks for the post.

  15. JR Says:
    November 15th, 2010 at 4:29 pm

    Lena,
    I hate to worry you, but your description of your PayPal incident sounds more like a phishing attack. My guess is that the email from PayPal was fake and you just gave away your password to a fake PayPal site. (on the other hand, maybe you know all of this and were making a joke?)

  16. dumbidea Says:
    September 3rd, 2011 at 8:13 am

    You got to add this to your con list:

    Your passwords to sensitive information are stored on an OUTSIDE SERVER!!!!!

    Facebook, Sony, Citibank is just few companies who servers were hacked exposing customer personal and financial information. You have to be a lazy retard to go along with this ridiculous idea.

  17. dumbidea Says:
    September 3rd, 2011 at 8:15 am

    You forgot to add this to your con list:

    Your passwords are stored on an OUTSIDE SERVER!!!!!

    Facebook, Sony, Citibank is just few companies whose servers were hacked exposing customers personal and financial information. You have to be a lazy retard to go along with this ridiculous idea.