Twitter
Feb
21
Our post on PassPack last week attracted quite a bit of attention. We were able to have an interesting discussion over security concerns that have to do with most (and probably all) online password managers. Similar to PassPack there are other services like Clipperz and Just1Key, all of which would be subject to the same concerns that we raised - the basic question of trusting a 3rd party server with your passwords. If you missed out, check out the post to learn about the actual concerns.
One solution that PassPack seem to be seriously considering is the option to license their server technology to 3rd parties. In the case of a company that buys a license and installs PassPack on an internal server, this would shift trust concerns from the service provider (happens to be PassPack) to the company's own systems administrators. This assumes that proper code review is done by whoever is concerned.
We also picked on the One time passwords feature in PassPack, and why it is not a panacea solution to the keyloggers problem. The conclusion was that PassPack needs to clearly inform the users that passwords need to be generated ahead of time. Without doubt, making use of public computers such as the ones found in internet cafe's or kiosks, is a bad idea by itself. There are too many layers which an attacker can target - the computer's memory, the web browser by replacing the logout button with one that does nothing, and so on.
All that said - PassPack has a lot of potential, they put a lot of focus on both the user experience and security. Upcoming features such as being able to share passwords with other users can definitely be useful (although that is a bad practice and should be avoided most of the times).
From our part, we look forward to seeing how PassPack and similar services will change the way we threat our passwords.
One solution that PassPack seem to be seriously considering is the option to license their server technology to 3rd parties. In the case of a company that buys a license and installs PassPack on an internal server, this would shift trust concerns from the service provider (happens to be PassPack) to the company's own systems administrators. This assumes that proper code review is done by whoever is concerned.
We also picked on the One time passwords feature in PassPack, and why it is not a panacea solution to the keyloggers problem. The conclusion was that PassPack needs to clearly inform the users that passwords need to be generated ahead of time. Without doubt, making use of public computers such as the ones found in internet cafe's or kiosks, is a bad idea by itself. There are too many layers which an attacker can target - the computer's memory, the web browser by replacing the logout button with one that does nothing, and so on.
All that said - PassPack has a lot of potential, they put a lot of focus on both the user experience and security. Upcoming features such as being able to share passwords with other users can definitely be useful (although that is a bad practice and should be avoided most of the times).
From our part, we look forward to seeing how PassPack and similar services will change the way we threat our passwords.
0 Trackbacks