By Patrick | April 11, 2007
This is a long post, but I highly encourage you to read it all. If you can’t read it all, skim it, and then proceed to the bottom of the post where I list the pros and cons of this awesome new web application.
I found out about PassPack the other day while I was scrolling through my daily blog feeds and I was immediately intrigued. PassPack is an online password manager. For those of you who don’t know what a password manager is, it’s simply a program or web-based application that is used to manage the dozens of passwords you have to maintain and keep up with on a daily basis. I personally have over 47 passwords I keep in my manager; that’s probably minute compared to a lot of other people. The need for password managers arose from the security best practice of never using the same password in more than one place.
I know the majority of users do use the same password or some minor variation for everything from their online banking to favorite message board, but this is a bad habit for people to engage in. However, I am not writing today to discuss password policies; I want to highlight PassPack and why I think it rocks!
The first thing that caught my attention is that PassPack is completely anonymous. They gather NO personal information from you. The only things you ever create are a user name, a passphrase and a packing key, and only the first two are ever sent to PassPack. A packing key, you say? Yes, a packing key. This is one of the great features of PassPack, and to see why you need to understand a little about how PassPack works. When you go to their website to log in, you are prompted for a Username and Password. These get you access to your “pack”: all of your passwords bundled into one single encrypted package. This pack, encrypted with AES (the US government-approved standard), is all that is stored on PassPack’s servers; the passwords themselves are never stored there in readable form. That is why your passwords cannot be read by ANYONE who does not hold your packing key, PassPack staff included.
Once you have logged in successfully, your pack is sent to your browser over an SSL connection. Mind you, the pack, with all your passwords and information in it, is still encrypted: it never travels in the clear, so the pack’s own encryption sits inside the SSL-encrypted transmission as a second, independent layer. Once your browser has received the pack, it asks you for your packing key and uses it, locally, to decrypt the pack it is holding. The packing key therefore never goes over the wire at all; everything that could reveal your passwords stays in the browser. That is another point in favour of a defense-in-depth approach. The one thing you are still trusting is the page itself: the decryption runs in code that PassPack serves to your browser over that same SSL connection, so the guarantee holds only as long as the page your browser receives is the genuine one.
When you add new usernames and passwords to your pack, nothing leaves the browser. Once you are done, you save the pack: it is encrypted again with your packing key and the resulting ciphertext is sent over SSL to PassPack’s servers. Simple enough, right?
This new application is by no means without its opponents. Many people have already voiced staunch disapproval of any type of online password manager, stating that the risk of compromise of the stored passwords is just too great. While I agree with this, and never before PassPack have I considered an online password manager, I am comforted that my passwords are not stored on the server per se, only my encrypted password pack. This technology is still very vulnerable to a keylogging attack, so I’m not ecstatic about that. My number one request would be for PassPack to add some type of two-factor authentication. I would by all means pay for a token to have this added security. Then your packing key could be your two-factor authentication code. Until then, just be mindful of which computers you access your PassPack account from and ensure they are trusted computers.
So to wrap up, here are my pros and cons for PassPack.
Pros:
- Encrypted passwords are stored on a server and accessible from any browser, anywhere in the world
- The password pack is transmitted securely: AES-encrypted, then carried over SSL
- If PassPack’s servers get hacked, the attacker gets only the encrypted pack, which is useless without the packing key
Cons:
- Because it is used from any browser, including ones you don’t control, it is exposed to keylogging in a way a password manager on your own machine is not
- No two-factor authentication
- No way to keep the password pack on a physical medium you control (e.g. a USB key)
For more information and further reading about PassPack check out the following links: