Malta Info Security

Our post on PassPack last week attracted quite a bit of attention. We were able to have an interesting discussion over security concerns that have to do with most (and probably all) online password managers. Similar to PassPack there are other services like Clipperz and Just1Key, all of which would be subject to the same concerns that we raised - the basic question of trusting a 3rd party server with your passwords. If you missed out, check out the post to learn about the actual concerns.

One solution that PassPack seem to be seriously considering is the option to license their server technology to 3rd parties. In the case of a company that buys a license and installs PassPack on an internal server, this would shift trust concerns from the service provider (happens to be PassPack) to the company's own systems administrators. This assumes that proper code review is done by whoever is concerned.

We also picked on the One time passwords feature in PassPack, and why it is not a panacea solution to the keyloggers problem. The conclusion was that PassPack needs to clearly inform the users that passwords need to be generated ahead of time. Without doubt, making use of public computers such as the ones found in internet cafe's or kiosks, is a bad idea by itself. There are too many layers which an attacker can target - the computer's memory, the web browser by replacing the logout button with one that does nothing, and so on.

All that said - PassPack has a lot of potential, they put a lot of focus on both the user experience and security. Upcoming features such as being able to share passwords with other users can definitely be useful (although that is a bad practice and should be avoided most of the times).

From our part, we look forward to seeing how PassPack and similar services will change the way we threat our passwords.

Note: We posted a followup on this.

PassPack is a new service that addresses the ever growing problem of passwords.

PassPack is an online password manager for people who travel or change computers often. Unlike other password managers, PassPack is available 24/7 via internet, nothing to download or install.

Great! Problem solved.

But how do they achieve this?

With AES encryption (the same as used by the US Government) and an SSL Secure Connection, your data travels safely over the internet. But let's suppose a hypothetical "bad-guy" gets into our servers, all he'd find would be a bunch of illegible data (not even PassPack can read your data).

What caught my eye was the part where they state that not even PassPack can read your data, which reminded me of the Hushmail incident. The free secure email service makes claims that:

By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance.

Which is simply not the case. In fact later on in their FAQ, Hushmail have a section which explains that they have to comply with the law just like everyone else. Same with PassPack - the encrypted data on their servers cannot be accessed off their servers without the password. The problem is that, if need be, PassPack is able to read your password and then use it to decrypt your information.

So what about the other claims?

Disposable Logins (OTP)

A Disposable Login is a one time Pass and Packing Key combination: you use it once, then it's thrown it away.

Disposable Logins come in handy when traveling and you need to use a public computer.

With Disposable Logins, you can outsmart keyloggers. Even if your disposable Pass and Packing Key were to get "captured", it doesn't matter: they won't work again.

Well - not today's loggers! Nowadays, both commercial and underground/malware keyloggers support screen capturing. This means that if you are in an internet cafe, there always is the chance that not only are your keystokes monitored, but also your all your activity on the computer, including screen captures and mouse clicks.

But it is not all bad - I do like PassPack's idea of tackling the problem of multiple passwords. Some of the features that they offer are also pretty interesting such as the "Anti-Phishing Welcome Message". While this is not nothing new and Yahoo and others have been using such features, it is good to see them more widespread. However, as you might have guessed, I won't be handing out my google, hotmail or amazon passwords to PassPack.