PassPack and why it does not work

Note: We posted a followup on this.

PassPack is a new service that addresses the ever growing problem of passwords.

PassPack is an online password manager for people who travel or change computers often. Unlike other password managers, PassPack is available 24/7 via internet, nothing to download or install.

Great! Problem solved.

But how do they achieve this?

With AES encryption (the same as used by the US Government) and an SSL Secure Connection, your data travels safely over the internet. But let’s suppose a hypothetical “bad-guy” gets into our servers, all he’d find would be a bunch of illegible data (not even PassPack can read your data).

What caught my eye was the part where they state that not even PassPack can read your data, which reminded me of the Hushmail incident. The free secure email service makes claims that:

By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance.

Which is simply not the case. In fact, later on in their FAQ, Hushmail have a section which explains that they have to comply with the law just like everyone else. The same goes for PassPack: the encrypted data on their servers cannot be accessed off their servers without the password. The problem is that, if need be, PassPack is able to read your password and then use it to decrypt your information.

So what about the other claims?

Disposable Logins (OTP)

A Disposable Login is a one time Pass and Packing Key combination: you use it once, then it’s thrown away.

Disposable Logins come in handy when traveling and you need to use a public computer.

With Disposable Logins, you can outsmart keyloggers. Even if your disposable Pass and Packing Key were to get “captured”, it doesn’t matter: they won’t work again.

Well – not today’s loggers! Nowadays, both commercial and underground/malware keyloggers support screen capturing. This means that if you are in an internet cafe, there is always the chance that not only your keystrokes are being monitored, but also all of your activity on the computer, including screen captures and mouse clicks.
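To make the limit of that guarantee concrete, here is a sketch of a one-time login store, added as an example; it is not PassPack's code. The class and method names, the PBKDF2 parameters and the burn-on-any-attempt policy are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class DisposableLogins:
    """Hypothetical server-side store of one-time (pass, packing key) pairs."""

    def __init__(self):
        self._unused = {}  # login_id -> (salt, digest of pass + packing key)

    @staticmethod
    def _digest(salt, one_time_pass, packing_key):
        # Length-prefix the pass so ("ab", "c") and ("a", "bc") hash differently.
        material = f"{len(one_time_pass)}:{one_time_pass}{packing_key}".encode()
        return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)

    def issue(self):
        """Create one disposable pair; the server keeps only a salted digest."""
        login_id = secrets.token_hex(4)
        one_time_pass = secrets.token_urlsafe(9)
        packing_key = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._unused[login_id] = (salt, self._digest(salt, one_time_pass, packing_key))
        return login_id, one_time_pass, packing_key

    def redeem(self, login_id, one_time_pass, packing_key):
        """Return True at most once per pair; any attempt burns the entry."""
        entry = self._unused.pop(login_id, None)  # pop first, so no replay or retry
        if entry is None:
            return False
        salt, expected = entry
        actual = self._digest(salt, one_time_pass, packing_key)
        return hmac.compare_digest(expected, actual)


def demo():
    store = DisposableLogins()
    login_id, otp, key = store.issue()         # constructed sample credentials
    first = store.redeem(login_id, otp, key)   # the traveller logs in
    replay = store.redeem(login_id, otp, key)  # captured keystrokes are replayed
    return first, replay                       # (True, False)
```

The replay is rejected, which is all a disposable login can promise. Whatever the account shows on screen during the one valid session sits outside this check, which is where screen capture comes in.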

But it is not all bad – I do like PassPack’s idea of tackling the problem of multiple passwords. Some of the features that they offer are also pretty interesting, such as the “Anti-Phishing Welcome Message”. While this is nothing new, and Yahoo and others have been using such features, it is good to see them become more widespread. However, as you might have guessed, I won’t be handing out my Google, Hotmail or Amazon passwords to PassPack.
