
PassPack Password Manager

By jonathan | April 11, 2007


This is a long post, but I highly encourage you to read it all. If you can’t read it all, skim it, and then proceed to the bottom of the post where I list the pros and cons of this awesome new web application.

I found out about PassPack the other day while I was scrolling through my daily blog feeds and I was immediately intrigued. PassPack is an online password manager. For those of you who don’t know what a password manager is, it’s simply a program or web-based application that is used to manage the dozens of passwords you have to maintain and keep up with on a daily basis. I personally have over 47 passwords I keep in my manager; that’s probably minute compared to a lot of other people. The need for password managers arose from the security best practice of not using the same password more than once.

I know the majority of users do use the same password or some minor variation for everything from their online banking to favorite message board, but this is a bad habit for people to engage in. However, I am not writing today to discuss password policies; I want to highlight PassPack and why I think it rocks!

The first thing that caught my attention is that PassPack is completely anonymous. They gather NO personal information from you. The only information you submit to them is a user name, passphrase and a packing key. A packing key you say? Yes, a packing key. This is one of the great features of PassPack. First, you need to understand a little bit about how PassPack works. When you go to their website to log in, you are prompted with a Username and Password field. This information gets you access to your “pack”. Your pack is your passwords all packed up in one single encrypted package. This pack, encrypted with government-approved AES, is all that is stored on PassPack’s servers, not the passwords themselves. This is why your passwords are truly secure and non-readable by ANYONE including the PassPack staff.

Once you have logged in successfully to your account, your pack is then sent over a secure connection using SSL to your browser. Mind you, your pack, which has all your passwords and information, is still encrypted and never gets transmitted in the clear, so this encryption on top of the SSL-encrypted transmission is double security. Once your browser has received your pack, it then asks you for a packing key. This packing key is then used to decrypt the pack that your browser is holding for you. This means your packing key is never transmitted over the wire at all. Another bonus for a security-in-depth approach.

When you add new passwords and usernames to your pack, they are never sent over the Internet. Once you are done adding new password information, you can save your pack. At this point, the pack is encrypted again and sent over SSL to PassPack’s servers. Simple enough, right?
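
The flow described above, sketched as an added example; this is not PassPack's code and not part of the original post. The post only says the pack is AES-encrypted, so scrypt key derivation, AES-256-GCM, and the names `sealPack`, `openPack` and `server` are assumptions, with Node's `crypto` module standing in for the browser.

```javascript
const crypto = require('crypto');

// Assumption: scrypt turns the packing key into a 256-bit AES key.
function deriveKey(packingKey, salt) {
  return crypto.scryptSync(packingKey, salt, 32);
}

// Browser side: encrypt the whole pack before it leaves the machine.
function sealPack(entries, packingKey) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(packingKey, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return { salt: salt.toString('hex'), iv: iv.toString('hex'),
           tag: cipher.getAuthTag().toString('hex'), ct: ct.toString('hex') };
}

// Browser side: decrypt the pack fetched from the server.
function openPack(blob, packingKey) {
  const key = deriveKey(packingKey, Buffer.from(blob.salt, 'hex'));
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'hex'));
  d.setAuthTag(Buffer.from(blob.tag, 'hex'));
  try {
    const pt = Buffer.concat([d.update(Buffer.from(blob.ct, 'hex')), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (e) {
    return null; // wrong packing key or a tampered pack fails authentication
  }
}

// Hypothetical server: stores and returns the blob, never receives the packing key.
const server = {
  packs: new Map(),
  save(user, blob) { this.packs.set(user, JSON.stringify(blob)); },
  load(user) { return JSON.parse(this.packs.get(user)); },
};

// Constructed sample data; returns what each side ends up able to see.
function demo() {
  const entries = [{ site: 'bank.example', user: 'alice', password: 'constructed-secret-1' }];
  server.save('alice', sealPack(entries, 'my packing key'));
  return {
    serverSeesPlaintext: server.packs.get('alice').includes('constructed-secret-1'),
    rightKey: openPack(server.load('alice'), 'my packing key'),
    wrongKey: openPack(server.load('alice'), 'not the key'),
  };
}
```

Because the packing key exists only on the client, anything that captures keystrokes on that machine still sees it, which is the keylogging exposure the post raises.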

This new application is by no means without its opponents. Many people have already voiced staunch disapproval for any type of online password manager, stating that the risk of compromise of the stored passwords in question is just too great. While I agree with this (and never before PassPack have I considered an online password manager), I am comforted that my passwords are not stored on the server per se, only my encrypted password pack. This technology is still very vulnerable to a keylogging attack, so I’m not ecstatic about that. My number one request would be for PassPack to add some type of two-factor authentication. I would by all means pay for a token to have this added security. Then your packing key could be your two-factor authentication code. Until then, just be mindful of what computers you are accessing your PassPack account from and ensure they are trusted computers.

So to wrap up, here are my pros and cons for PassPack:

Pros:

Cons:

For more information and further reading about PassPack check out the following links:

Who is PassPack?
Password and Packing Keys

Topics: Anonymity, Password

8 Responses to “PassPack Password Manager”

  1. Tara Kelly Says:
    April 11th, 2007 at 10:49 am

    Hello,
    You’ve done a wonderful job describing how PassPack works. Your explanation is clear and precise. Thank you.

    We have already started to work towards an anti-keyloggers solution composed of two components:

    1. Disposable Logins (One time Pass and Packing Key)
    2. An auto-login tool

    Number one is live, number two is on the way.

    Thanks for your suggestions, I will happily pass them along and see if we can’t grant your wishes.
    Cheers,
    Tara Kelly
    PassPack Founding Partner

  2. Francesco Sullo Says:
    April 11th, 2007 at 12:45 pm

    Hi,
    thanks very much for your interest and enthusiasm.
    I want to add some information to Tara’s comment.

    About double-factor authentication, it’s in the pipeline, immediately following the auto-login tool.

    About local saving, actually, you can already make an encrypted backup and save it wherever you please. However, if you are feeling creative, you could actually create an account without ever saving your data on the PassPack server. Here’s how:

    1) create an account
    2) import or insert your entries
    3) backup your data on file
    4) exit PassPack without saving your pack

    When you want to connect you would then:

    1) enter in your PassPack account
    2) restore your backup
    3) modify your entries
    4) backup your data
    5) exit without saving

    PassPack will work even without an internet connection. You need only connect to sign in, save or change your account settings.

    Just some ideas…

    Best regards,
    Francesco Sullo
    Software Architect of PassPack

  3. PassPack's April 2008 Buzz Round up « PassPack - The Blog Says:
    May 1st, 2007 at 12:56 pm

    [...] PassPack Password Manager | The Privacy Guy [...]

  4. More PassPack News | The Privacy Guy Says:
    May 1st, 2007 at 2:50 pm

    [...] PassPack Password Manager [...]

  5. Clipperz Online Password Manager | The Privacy Guy Says:
    June 13th, 2007 at 11:28 am

    [...] password manager, passpack, password safe, password vaultA couple months ago, I posted a brief review of PassPack, an Online Password Manager (OPM). When I posted the initial review of PassPack, I was aware of [...]

  6. Alex Says:
    October 28th, 2007 at 2:58 am

    PassPack released a fully working offline version in August.

  7. Direct Login Feature in Clipperz | The Privacy Guy Says:
    April 2nd, 2008 at 3:08 pm

    [...] Prepaid Credit CardsFacebook and the GovernmentThe a.K.a CardPassPack Password ManagerCaller ID Spoofing to be Made Illegala.K.a Card UpdatePassPub - Random Password GeneratorDirect [...]

  8. *-tron » Blog Archive » Store your passwords with PassPack? Says:
    July 8th, 2008 at 11:34 am

    [...] of course, security. After googling around for some other opinions on safety, I found this link, http://www.theprivacyguy.com/2007/04/11/passpack-password-manager/, which seems to agree that it is [...]
