Pack Up Your Passwords with Passpack
April 26th, 2007 by David Bradley
Tara Kelly from passpack.com commented recently on our passwords for scientists post to draw attention to a novel approach to storing your passwords.
Now, we have all been through the pains of storing and retrieving passwords for all those millions of social network sites and our various MySpace and YouTube accounts; everything from Digg to HotDiggedy needs a unique username and password combination.
With our passwords for scientists post, we gave you an idea of how to create strong passwords, which Ms Kelly kindly expanded on by suggesting that, rather than use a single chemical formula, you add a couple of words so that, for instance, your passphrase might become "C6H12O6 rots teeth" or something slightly more cryptic, the meaning of which only you would be aware.
Unfortunately, this still leaves wide open the problem of how to keep tabs on all these passwords, strong as they might be, and to remember which username is associated with which. There are lots of online and offline password managers available, and almost everyone I know has a password-protected USB storage key on which they could store a master list of their passwords.
But, what if you forget your USB key when you are traveling, or cannot access a particular storage site because of a browser incompatibility in your library or cybercafe?
Passpack.com seems to have the answer. You register with the site for free (although it’s only in beta, so don’t rely on it 100% just yet), create a user ID, a login pass, and, cleverly, a packing key. Only your user ID is sent to the site to log in; your password is modified so that it is not sent back to Passpack in an exposed state. Login then triggers download of your encrypted password briefcase.
A script running in the browser window (with no info sent back to Passpack from this stage onwards) then uses your packing key to unpack the case in your browser window. This gives you and you only (unless someone is peering over your shoulder) access to your collection of usernames and passwords, each combination associated with the appropriate website URL.
So far, so good.
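The flow described above, sketched as an added example (not Passpack's code and not part of the original post): the login pass is stretched into a token before it leaves the browser, and the briefcase is encrypted and decrypted locally with a key derived from the packing key. PBKDF2, AES-256-GCM, the user-ID salt and all function names are assumptions; the post does not say which algorithms Passpack uses.

```javascript
// Added illustration. Algorithm choices (PBKDF2-SHA256, AES-256-GCM) and the
// use of the user ID as salt are assumptions, not Passpack's documented design.
const crypto = require('crypto');

const ITER = 100000; // illustrative work factor

// Stretch a secret into 32 bytes; the label keeps login and packing derivations separate.
function derive(secret, salt, label) {
  return crypto.pbkdf2Sync(secret, `${label}:${salt}`, ITER, 32, 'sha256');
}

// What the browser sends at login: the user ID plus a derived token, never the password.
function loginRequest(userId, password) {
  return { userId, token: derive(password, userId, 'login').toString('hex') };
}

// Encrypt the briefcase locally; the server only ever stores this opaque blob.
function pack(entries, packingKey, userId) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', derive(packingKey, userId, 'pack'), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt locally; a wrong packing key fails the GCM tag check and yields null.
function unpack(blob, packingKey, userId) {
  const raw = Buffer.from(blob, 'base64');
  const key = derive(packingKey, userId, 'pack');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample data.
const sample = [{ url: 'https://example.org/login', user: 'alice', pass: 'C6H12O6 rots teeth' }];
const stored = pack(sample, 'constructed packing key', 'alice');
console.log('sent at login:', loginRequest('alice', 'constructed login pass'));
console.log('server stores:', stored.slice(0, 32) + '...');
console.log('right packing key:', unpack(stored, 'constructed packing key', 'alice'));
console.log('wrong packing key:', unpack(stored, 'guess', 'alice'));
```

In this model, forgetting the packing key means the briefcase cannot be recovered by anyone, including the service.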
Having tried it a couple of times, it’s very easy to set up and use. When you first log in you see an array of black squares which are part of a unique anti-phishing mechanism associated with a phrase you get to choose that only you can ever see and that verifies that you are on the Passpack system, not a spoofed site. “It combines a custom Welcome message, IP recognition and hand-eye training,” Ms Kelly says.
However, I had a seriously nagging feeling that there is something missing from Passpack – namely automatic login to your various websites. So, I dropped Tara at Passpack’s head office a line to see what she had to say about this fundamental issue and she came straight back to me, to tell me that this very feature – an auto-login tool with a Smart Button that does not rely on plugins – is just about to be signed off and released (you can watch a demo here – http://passpack.wordpress.com/2007/03/22/passpack-auto-login-no-plugin-needed/). They’re also adding inline help to the application to make it easier to use. She also told me that, “We have a few small interface improvements almost ready to roll, as well as a few updates that handle some cosmetic issues in Mac Safari.”
The Smart Button is not yet implemented (it has been security validated, but needs some cosmetic fixes), so check back here again soon and I’ll update via the comments on this post so you get to hear as soon as it goes live. As it stands, Passpack just looks like a clever password storage facility with double encryption and a neat line in anti phishing bait. Once the Smart Button is enabled, however, it will steam ahead of the pack.
If you start using Passpack and then change your mind about it, you can always take your data with you. “We support complete export of your data,” Tara told me, “as well as encrypted back up copies.” The developers obviously want users to stay with them because they like the site not simply because of inertia or being locked in.
You can sign up for passpack.com here. Before you ask, no they aren’t paying me to promote the product (10% commission for a free product is $0, after all). It just seems to be a unique approach to a perennial problem that could help you.