PassPub is a cool little website that allows you to generate all kinds of unique passwords. I do some private consulting and sometimes I need to come up with a new, unique password. Whether it’s a new WPA key or a router password I need, PassPub is extremely helpful for these types of situations.

PassPub offers predefined templates for creating passwords. It can create a random 6, 8, 10 or 12 character password. It can also create 64 and 128 bit WEP keys, as well as 256-bit WPA keys all with a single click.

For those times when you need a memorable, but still hard to guess password, there is a section entitled “Memorable Passwords” with a few cool choices. My favorite option from this section is the “Mnemonic” generator. This option creates an easy to read password, with alternate vowels and consonants and an appended 3 digit suffix. I like this one because usually it’s a lot easier for me to read and therefore easier to remember, but still hard to guess. I generally use Mnemonic when changing my login password for my PC, especially since I do that every 45 days. The Memorable Passwords section also offers password generators using keyboard combinations as well as chemical elements symbols that can be extremely useful as well.

As a personal example, when I’m configuring a new router or firewall password, this is when I use the standard 10 or 12 character password generator. I use this option because I want a very hard to guess, random password. Plus, I won’t be typing it in often, so I can afford to have one that’s not easy to remember.

Now many of you are probably asking why would I waste my time going to this website when I can just come up with some random letters and numerics on my own? This was the same reaction I first had when I looked at Martin’s product. However, I always try to commit to using a new program or application for a couple weeks before I totally disregard it, and I have to say that PassPub has come in very handy. You may find it’s not a great tool for your arsenal, but others might. I do know you need to check it out and decide for yourself. Thanks for a cool new tool Martin!

PassPub – Strong Passwords, Uniquely Generated

When I first signed up for Clipperz I did not use this feature at all. However, upon Marco’s suggestion that I should really try them out, I decided I would take a look. The first account I configured for Direct Login was one of my bank accounts. It was extremely easy to configure in Clipperz and within a couple minutes I had one-click login access to my bank account. I’m VERY sold on Direct Logins. I immediately started adding any other accounts that I could. Be forewarned, Direct Logins do not work for every site. I had a couple they would not work for, but that’s a minor inconvenience.

Clipperz definitely has a one up over PassPack in this area. Everyone knows I’m a PassPack evangelist because of it’s lightweight feel and it’s blazing speed. However, I also love Clipperz for it’s multi-field cards that can store custom data, not just usernames and passwords.

The solution to this multi-password-manager dilemma? I have accounts at both places. And to be honest, it will remain that way for as long as Clipperz is the only one with Direct Login.

First of all let me say that I will not be incorporating any screenshots into this post, so allow me to give you this link that has numerous screenshots for your viewing pleasure. Now, on to the review!

Upon first use, you obviously need to sign up. Clipperz makes registration a breeze. One thing I love immediately is that registration is anonymous. Their signup process asks for three things: a username, a passPHRASE and verification of the passphrase. That’s it. Just two pieces of information you have to remember. I capitalized phrase in passphrase intentionally a moment ago. That’s because your passphrase is the ONLY thing standing between no access and full access to your passwords. So a super strong passphrase is highly recommended.

One other thing that you might notice right off hand, and will definitely see throughout the Clipperz application, is a password strength meter. Whenever you are typing in a password or a passphrase, this strength meter is displayed beneath the text field in which you are typing. As your password becomes longer and more complex, the meter changes from bright red (least secure) to bright green (very secure). Most of us know what is and isn’t a good, strong password, however it’s a really cool feature to have and you’ll see why later.

Once you log in with your new account, you land on the “card view” screen. This is where you create your various cards that will hold passwords or information for various websites, companies, individuals, etc. Think of it as an online Rolodex per se. You might have cards for things like Gmail, Digg, MyBank, MyStockAccount, etc. When you click on “Add new card” you are given a number of predefined template cards to choose from. These templates consist of cards with certain fields already defined for you. Card templates for simple simple web password credentials, online banking information or even an address book entry card.

Now this is where Clipperz has a huge one up on PassPack. These cards have an unlimited number of “fields” that they can contain. And the predefined “template” cards can have any and all of their fields modified, added to, or even removed. Clipperz offers you full control and tons of flexibility on the type of information you can store in your cards. It’s virtually limitless on the number and type of data sets you can store.

Of the field definitions, the “password” type is one that will probably be most often used. When you store information in a password type field, the text is always displayed as stars. While great for that nosy coworker or curious boss, this is a problem. It’s a problem because there is no single click or otherwise convenient method to reveal the password that is behind the stars. Most password managers have a descramble or reveal button you can click to see the password in the clear. This is one of my biggest complaints of the application. Clipperz does allow you to click on the stars themselves which copies the field data (password) to the clipboard. This enables you to quickly paste the password into a waiting login prompt or webform. Still, I would love to see a one-click button that would change those stars into the clear text password when I needed to view a password quickly, and not necessarily copy it to the clipboard every time.

You remember how I said the password strength meter had another great use? Well, here’s where I give you a real life example. I have a number of clients I consult for at various times. Each client has their very own card in Clipperz. I store numerous passwords for each client in their respective cards. Passwords for their routers, firewalls, servers, etc. It would not be uncommon for me to have 10-15 password fields on one card. With the password strength meter, I can glance at a card for a client and get an overall idea how strong their passwords are for all their devices I have information for. It may seem small to some people, but it’s a feature I really appreciate.

My favorite feature of almost all real OPM’s (including Clipperz and PassPack) is the encryption and security aspect. All my information remains encrpyted safely on their servers and never passed in the clear. Encryption and decryption takes place on the client side in the browser, so even if the Clipperz servers were compromised, your data would be safe and useless to the perpetrators. Plus, there’s no worry if a Clipperz employee ever turns rogue and tries to walk off with all the sensitive information that is home to the Clipperz servers.

To wrap up, I like Clipperz. The interface isn’t as easy or simple as PassPack. But then again, you have a lot more flexibility and can do so much more in Clipperz than you can PassPack. I still give really big kudos to PassPack for having the unscramble button next to their password fields. Whichever OPM you choose, you Clipperz is definitely an option worth investigating.

You can read more about this feature at PassPack’s blog posting about OTP’s: http://passpack.wordpress.com/2007/04/09/passpack-disposable-logins-otp/

It’s a really, really cool feature and I’m very glad they have it. However, it’s a nightmare of a one-time-password to remember. All the better though I guess as that means harder to crack! Either way, I’m using PassPack non-stop now and have moved all my passwords from my previous manager, PINs, to PassPack. I love this app!

I found out about PassPack the other day while I was scrolling through my daily blog feeds and I was immediately intrigued. PassPack is an online password manager. For those of you who don’t know what a password manager is, it’s simply a program or web based application that is used to manage the dozens of passwords you have to maintain and keep up with on a daily basis. I personally have over 47 passwords I keep in my manager; that’s probably minute compared to a lot of other people. The need for password managers arose from the security best practice of not using the same password more than once.

I know the majority of users do use the same password or some minor variation for everything from their online banking to favorite message board, but this is a bad habit for people to engage in. However, I am not writing today to discuss password policies; I want to highlight PassPack and why I think it rocks!

The first thing that caught my attention is that PassPack is completely anonymous. They gather NO personal information from you. The only information you submit to them is a user name, passphrase and a packing key. A packing key you say? Yes, a packing key. This is one of the great features of PassPack. First, you need to understand a little bit about how PassPack works. When you go to their website to login, you are prompted with a Username and Password field. This information gets you access to your “pack”. Your pack is your passwords all packed up in one single encrypted package. This AES government approved encrypted pack is all that is stored on PassPack’s servers, not the passwords themselves. This is why your passwords are truly secure and non-readable by ANYONE including the PassPack staff.

Once you have logged in successfully to your account, your pack is then sent over a secure connection using SSL to your browser. Mind you, your pack which has all your passwords and information, is still encrypted and never gets transmitted in the clear, so this encryption on top of SSL encrypted transmission is double security. Once your browser has received your pack, it then asks you for a packing key. This packing key is then used to decrypt the pack that your browser is holding for you. This means your packing key is never transmitted over the wire at all. Another bonus for security in depth approach.

When you add new passwords and usernames to your pack, they are never sent over the Internet. Once you are done adding new password information, you can save your pack. At this point, the pack is encrypted again and sent over SSL to PassPack’s servers. Simple enough right?

This new application is by no means without it’s opponents. Many people have already voiced staunch disapproval for any type of online password manager stating that the risk is just to great for the compromise of the stored passwords in question. While I agree with this — and never before PassPack have I considered an online password manager — I am comforted that my passwords are not stored on the server per se, only my encrypted password pack. This technology is still very vulnerable to a keylogging attack, so I’m not ecstatic about that. My number one request would be for PassPack to add some type of two-factor authentication. I would by all means pay for a token to have this added security. Then your packing key could be your two-factor authentication code. Until then, just be mindful of what computers you are accessing your PassPack account from and ensure they are trusted computers.

So to wrap up, here are my pro’s and con’s for PassPack:

Pro’s:

• Encrypted passwords are stored on a server accessible from any browser and any location in the world
• Complete secure transmission of password pack using AES encrpytion and SSL
• Anonymous
• Complete security even if PassPack servers get hacked

Con’s:

• Vulnerable to key logging attack that local password managers would not be susceptible to
• No two-factor authentication
• Not able to contain password pack on physical medium (ie. usb key)

For more information and further reading about PassPack check out the following links:

Who is PassPack?
Password and Packing Keys