
Feb 13
Note: We posted a followup on this.

PassPack is a new service that addresses the ever growing problem of passwords.

PassPack is an online password manager for people who travel or change computers often. Unlike other password managers, PassPack is available 24/7 via internet, nothing to download or install.


Great! Problem solved.

But how do they achieve this?

With AES encryption (the same as used by the US Government) and an SSL Secure Connection, your data travels safely over the internet. But let's suppose a hypothetical "bad-guy" gets into our servers, all he'd find would be a bunch of illegible data (not even PassPack can read your data).


What caught my eye was the part where they state that not even PassPack can read your data, which reminded me of the Hushmail incident. The free secure email service makes claims that:
By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance.


Which is simply not the case. In fact, later on in their FAQ, Hushmail has a section explaining that they have to comply with the law just like everyone else. The same goes for PassPack: the encrypted data on their servers cannot be read without the password. The problem is that, if need be, PassPack is able to read your password and then use it to decrypt your information.

So what about the other claims?

Disposable Logins (OTP)

A Disposable Login is a one time Pass and Packing Key combination: you use it once, then it's thrown away.

Disposable Logins come in handy when traveling and you need to use a public computer.

With Disposable Logins, you can outsmart keyloggers. Even if your disposable Pass and Packing Key were to get "captured", it doesn't matter: they won't work again.


Well - not today's loggers! Nowadays, both commercial and underground/malware keyloggers support screen capturing. This means that if you are in an internet cafe, there is always the chance that not only are your keystrokes monitored, but also all your activity on the computer, including screen captures and mouse clicks.

But it is not all bad - I do like PassPack's idea of tackling the problem of multiple passwords. Some of the features that they offer are also pretty interesting, such as the "Anti-Phishing Welcome Message". While this is nothing new, and Yahoo and others have been using such features, it is good to see them more widespread. However, as you might have guessed, I won't be handing out my google, hotmail or amazon passwords to PassPack.

Posted by Sandro Gauci


2 Trackbacks

  1. Malta Info Security

    A followup on PassPack and online password managers
    Our post on PassPack last week attracted quite a bit of attention. We were able to have an interesting discussion over security concerns that have to do with most (and probably all) online password managers. Similar to PassPack there are other services li


13 Comments

  1. Tara Kelly (PassPack) says:

    Hi, sorry I need to correct you.

    Re: Seeing Encrypted Data
    You said "The problem is that, if need be, PassPack is able to read your password and then use it to decrypt your information."

    This is totally incorrect. You need your Packing Key in order to decrypt your data. PassPack does not have your Packing Key, it never gets sent to the server. ... No Packing Key, no data.

    Re: Hushmail
    We're not Hushmail. And we're not a US company where the government can get away with such things.


    Re: Keyloggers.
    The Disposable Logins get you into your account and they can never be used again. Once inside your PassPack account, none of your passwords are shown on screen. So screenshots and click tracking are not a problem. If you use the autologin bookmarklet, then you can log in to other websites from inside your PassPack account without showing, clicking, typing or copying your passwords (Autologin does not use the clipboard).

    That doesn't mean that there are NO risks whatsoever, for example if you have a virus or a malware browser plugin. Unfortunately, there's a limit to how much anyone can protect against (PassPack, Google, whoever). We do our best.

    I'm more than happy to answer any questions that you may have, but please make corrections to the post, or point people down here to my comment.

    Thanks,
    Tara Kelly
    PassPack Founding Partner

  2. Tara Kelly (PassPack) says:

    Sorry - my bad. My fingers went faster than my brain: Hushmail is of course not a US company, it's Canadian.

    Regardless, we're much farther away in the EU, Italy to be precise, and the servers are in Switzerland. There are very tough privacy laws here, all heavily in favor of the end user.

    Cheers,
    Tara

  3. sandro gauci says:

    My replies:
    1. PassPack by default does not seem to be able to read your password. And I admit that the way this is done by PassPack is pretty interesting. But IF NEED BE, it can read the password(s). It is as easy as changing the javascript or html files to display the same exact user interface, but instead of only doing what it is supposed to do, it adds a password logging function between the time that the user enters the password on your web pages and the time he can access his data. Is there anything to keep PassPack from doing that? Now I'm not saying that you guys are evil or have any intention of doing that. I'm just saying that it is possible and there are things such as the law which can bend even the most privacy zealous.

    2. It is true that in the EU people protest more. But Govts have been known to get away with things anyway. http://www.schneier.com/blog/archives/2007/08/new_german_hack.html

    3. The one time passwords typically have to be shown on screen so that they can then be used next time. In fact, in the case of PassPack this can be seen in the "disposable login" part. So (again) screen captures can indeed be a problem.

    4. I agree that there are limits when it comes to protecting your users. In the case of an internet cafe/public computers, these limits are extremely stringent. So for PassPack it might be quite a challenge to protect against the described attacks.

  4. srcasm says:

    Sandro,
    You make many valid points. I like the view that you took on this service. It has quite a bit of potential. In response to your first point, the ability to change the JavaScript or HTML code to allow this to happen can not be overcome in any scenario. In this case, using any web app could be a bad idea. And one could take it a step forward and say that even storing your password into KeePass on your local computer is a bad idea because KeePass could implement a back door that emails your passwords off. In the end, it's more of a trust issue than anything else. PassPack is a great idea and will hopefully be able to gain the trust of the individuals that want to use it.

  5. Sandro Gauci says:

    My 1st point: what I was addressing was the claims on the PassPack security page. The idea that not even PassPack can read your data is not accurate. My response to that is that if they wanted/needed to, they can read your packing password and then decrypt your data (as explained in my previous post).

    Regarding KeePass:
    One difference between KeePass and PassPack is that KeePass is open source. This means that I can inspect the source and compile the code myself. Will most people do that? Hell no! But if I'm going to use KeePass to store passwords that are of importance to me, then I'll make sure that I do that. If I do find a backdoor, then I'll be sure to publish that information so that others know about it.

    While that does not make KeePass the response to all password related issues, it does add a good level of trust when compared to a service (such as PassPack) that the end user has no control over.

    Some references ..

    PassPack security page:
    http://www.passpack.com/info/security/

    KeePass source code:
    http://tinyurl.com/2uhzuq

  6. Tara Kelly (PassPack) says:

    Hi Sandro,
    Any coder can inspect any code executed by PassPack. It is fully visible in the browser's DOM (you'll need something like Firebug to see it).

    In the case of Hushmail, that was hard because it was a Java applet, but PassPack is Javascript, so it all happens in the clear, in the browser's DOM.

    I know that not everyone is able to understand what gets passed back and forth through the DOM, but it's the same level of expertise one would need to understand Keepass' code.

    So if PassPack were ever to change the code, anyone watching the DOM could catch it and alert the community, just as you described for Keepass.

    PassPack can not read anyone's data. Your Packing Key never gets sent to the server.

    One last quick comment - on the disposable logins. The assumption behind that is that you must have at least ONE clean computer from which you will set up your disposable logins. They need to be set up ahead of time.

    This is clearly a limitation. We're working on other solutions, in particular a two factor authentication that will be introduced after the Beta 6 release:
    http://passpack.wordpress.com/2008/02/14/beta-6-a-bridge-to-better/

    In the end, I think srcasm hits the nail on the head - it's about trust. If you don't trust the makers of an application, then you shouldn't use it. Whether it's web based or not becomes a non-issue at that juncture.

    Cheers to you!
    Tara

  7. Sandro Gauci says:

    Code inspection:
    Yes any coder can check the code. However no one (not even the most paranoid) will be checking the code every time they need to use the service; even if that is possible. Instead he or she is going to switch to another product. Peer source code review does not apply to PassPack simply because the code from PassPack's side can be changed for just one user and for one time.

    Sidenote: java code can be inspected with tools like jad (a java decompiler).

    Trust issue:
    So, as you and srcasm said - in the case of PassPack it is a matter of just trusting the people behind the service. In the case of other solutions such as KeePass it does not have to be that way. I can review the code myself one day, then compile it. After that it is easy to ensure that the code that I compiled the other day did not change. The reason is that this code is on my computer and not on a server that I have no control over.

    Disposable logins:
    The idea of OTP in PassPack is great. But you do need to let your users know that they should be generating these passwords ahead of time.

    As a sidenote: I liked the fact that when using a disposable login, the user cannot go to the "security" tab to view the OTP or generate new temporary passwords.

    Disclaimer:
    No I'm not funded by KeePass (but it would have been nice) - it is just a good example for me ;-)

  8. srcasm says:

    Great points by all. We're all far off from a good solution but I'm glad people are out there thinking up new and innovative ways to help everyone else out.

  9. sandro gauci says:

    Hi srcasm:
    true - we should be thinking of solutions :-)

    Making the service available as a product (i.e. allowing users to install PassPack on their own servers) might be a way to greatly reduce the trust issues that I described. Now that of course involves changing the business model (or adding a new one) from service based to either going open source or commercial license based (or a bit of both).

  10. Tara Kelly (PassPack) says:

    Hi Sandro,
    Sure - we can try and make it more clear on the site about how Disposable Logins work. One of our biggest challenges is getting enough info out, in the right place, at the right time. Thanks for the feedback.

    On installing PassPack on your own server - yup, that's in our plans a bit further on. We'll be offering it under a commercial license.

    Cheers,
    Tara

  11. sandro gauci says:

    great =)

    Looking forward to that && good luck with the product. I hope to find some time to publish another post =)

  12. alex says:

    Very interesting discussion.

    I suggest you change the title to something like: "Passpack and why it MIGHT not work" instead of "Passpack and why it DOES not work".

  13. sandro gauci says:

    Hi Alex,

    I won't do that - instead I'll post another blog entry and summarize the outcome.

    Thanks for the suggestion
