David Szpunar: Lead Engineer, PC Help Services

David's Church Information Technology

August 13th, 2007 at 1:08 am

PassPack Your Passwords: Get Them Anywhere, Securely and Freely

On Saturday (OK, it was after midnight, so technically it was Sunday — but I tend to count time before I sleep as one day, time after I wake up in the morning as the next day — since I stay up past midnight often enough this just makes it easier) I discovered a service called PassPack. The basic premise is this: Create an account, store all your passwords in it, log back in as needed to retrieve them. “But wait!” you might say, “that’s stupid, why trust a random website to secure your passwords, just run one of the countless free Windows apps to store your info, and a lot of them will even automatically log you in via your web browser to websites.” Normally, I’d agree with you. But PassPack is doing things a bit differently.

PassPack gives you a free account (did I mention it was free?). You create a user ID, a passphrase, and a Packing Key, all distinct. PassPack creates an encrypted container using your Packing Key, which is encrypted on your web browser using JavaScript and standards-based encryption. Only this encrypted “bundle,” without your Packing Key, is then stored on the PassPack servers. Want a password? Log in, enter your Packing Key if it’s timed out (5 minutes by default, up to 15 minutes), find the relevant account alphabetically, by tag, or search (all very Web 2.0 and AJAXy-smooth), and click it to…reveal your login name and a scrambled-looking (unreadable) password field. Click in this field and use the Ctrl+C keyboard shortcut to copy the password, and paste it into the site in question (URL also saved as an option to make it easy). This means the password never appears on the screen, it’s just stored directly in your clipboard, and you don’t have to retype it.
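The client-side “bundle” scheme described above, sketched as an added example (not PassPack’s code and not part of the original post). PBKDF2 and AES-256-GCM are assumed stand-ins for the unspecified “standards-based encryption,” and Node’s `crypto` module stands in for the browser so the sketch runs offline; all function names and sample data are constructed for illustration.

```javascript
// Added illustration, not PassPack's code. PBKDF2 and AES-256-GCM are assumed
// stand-ins for the "standards-based encryption" the post mentions.
const crypto = require('node:crypto');

const KDF_ITERATIONS = 200000; // assumed work factor

// Derive a 256-bit key from the Packing Key. The salt is not secret and is
// stored next to the ciphertext.
function deriveKey(packingKey, salt) {
  return crypto.pbkdf2Sync(packingKey, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Runs on the client: returns the only object the server ever receives.
function packBundle(entries, packingKey) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(packingKey, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'),
    cipher.final(),
  ]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Runs on the client after download: throws if the Packing Key is wrong or
// the stored bundle was modified.
function unpackBundle(bundle, packingKey) {
  const key = deriveKey(packingKey, Buffer.from(bundle.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(bundle.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(bundle.tag, 'base64'));
  const plaintext = Buffer.concat([
    decipher.update(Buffer.from(bundle.ciphertext, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(plaintext.toString('utf8'));
}

// Constructed sample data.
const sampleEntries = [{ site: 'https://example.org/login', user: 'alice', password: 'constructed-sample-pw' }];
const stored = packBundle(sampleEntries, 'constructed packing key');
console.log(Object.keys(stored), unpackBundle(stored, 'constructed packing key')[0].user);
```

The server-side record is just `stored`: without the Packing Key it cannot be decrypted, and the authentication tag means a tampered bundle is rejected rather than silently decrypted to garbage.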

So you can copy and paste the password, so what? Well, they also have an auto-login bookmarklet you can save in your browser. Save the URL of the login page along with the password at PassPack, and then just click the Open and Login link within PassPack to open the website in a new window. Then, click the “PassPack It!” bookmarklet you previously set up. If the site has been “trained” before (even by another user), it fills in the username and password fields and clicks Login to get you into the site! If it’s not been trained for this site, you are walked through a very simple process of clicking the bookmarklet, clicking the username field, then the password field, then the Login button to train the system. So far out of about twenty sites, only two have had issues and not been trained successfully (a Plesk 7.5 dedicated server control panel and the ZoHo group of sites, including the Church IT Podcast Wiki, were the malfunctioning sites, which have been reported to PassPack); these can still have their login information memorized like any other account, on- or off-line, they just won’t auto-login with the bookmarklet.

The folks at PassPack have implemented a few other nice features besides the slick and speedy interface and somewhat novel readable-only-by-you encryption scheme:

  • They have a nice anti-phishing setup in place to prevent your PassPack credentials from being phished easily.
  • If you keep the site open, it functions offline and can be saved to their server the next time you connect (it also auto-saves if you don’t disable this option).
  • One-time keys are available for you to print out and carry with you. If using a public internet terminal, log in to PassPack with one of these one-time-use keys, and copy-and-paste the scrambled password you need. Then you never have to type a usable password into the insecure computer (for PassPack or the target site).
  • Export and Import of your data, in unencrypted format, if you wish to switch between other password-saving applications that also give you access to your data in text format.
  • Backup and Restore of your encrypted data, so you have a copy on your computer in addition to on their server (you choose whether the backup will use your regular Packing Key or a unique one).
  • They will generate a unique password for you to use when registering a new account somewhere, which they will of course remember for you.

You may be wondering where this Packing Key thingy comes from. (I can hear you now, “David, this thing is awesome, sign me up, but what the heck is a Packing Key anyway?!”) PassPack has some of the best help I’ve ever read, which is even available contextually when you click Help within the site. They handily have an answer about Packing Keys and why they’re so handy. They do a much better job of explaining that and just about everything else about the service than I could, given that they wrote it and I’ve just used it for a day. But I’ve found it to be exciting, apparently secure, well-designed, and actually fun.

It should go without saying that besides the great interface, being able to access your passwords from any web browser very easily, along with the off-site storage, is probably the single biggest benefit to using PassPack over a Windows utility. Even the auto-login bookmarklet is cross-platform, cross-browser code and is a simple JavaScript bookmark — no need to install a Firefox Extension, IE Add-In, or any other code running on your machine outside of JavaScript.

I do see one potential downside: their Terms of Service contain several limitations (yes I read it! Well, the parts they highlighted at least…):

  1. You are not allowed to store information about financial accounts (banks, etc.), although this may be legal CYA considering I don’t know how they could possibly enforce this given they don’t have access to your data.
  2. If you don’t login at least once every six months, your account is “inactive” and they delete everything.
  3. You only get 32k of storage per account (they estimate 75-100 entries’ worth), with no upgrades available yet. Accounts active before August 1st (missed it by less than two weeks, darn!) got 128k of storage (150-200 estimated entries).

I’m sure PassPack intends on offering upgraded service with more storage at some point, but those three conditions may limit my use of their service, and possibly yours. I know I have 23 entries already saved, and I’ve barely scratched the surface with the quantity of online accounts I maintain. It’s at least worth a shot in my opinion. If you like the concept and want an alternative, Clipperz is worth a look, it’s also free and PassPack even has a comparison of their two services. It doesn’t do the anti-phishing stuff like PassPack but it does have many other similar features, which I have not tested extensively. They also do not prohibit the storage of financial details and actually provide a template to hold credit card and bank account information. They also keep the data from leaving your browser unless it’s encrypted so they have no access when it’s on their servers.