Today, I learned about PassPack - Free Online Password Manager. PassPack appears to do everything right. The encryption/decryption happens in your browser, which means that the data simply cannot be decrypted by the people at PassPack or someone that gets ahold of PassPack’s data. They also offer a reasonable technique for dealing with phishers.
Fundamentally, though, there is still a risk with a service like this. If someone manages to get into PassPack’s servers, they can modify the software that gets sent to your browser so that it passes along your encryption key, which they can then use to decrypt your passwords at their leisure.
Granted, the people running PassPack are undoubtedly security conscious. They’ll run their servers as securely as they can, keep up with patches, and would disconnect the boxes as soon as they see a sign of a potential breach. The risk is relatively minimal, but you still have to decide if it’s a chance you want to take.
March 20th, 2007 at 10:52 pm
I’ve started using pwdhash, it’s brilliant.
It takes your password and hashes it. Instead of sending your real password over the wire, your browser sends only the hashed value. This hashed value is used as the password, as seen by the server.
Hashing uses the domain of the server, so the resulting hash is unique for each server.
This way, you can use the same password anywhere, and pwdhash will make it unique and hard to guess/crack.
This all happens in your browser.
March 21st, 2007 at 1:05 am
pwdhash is also open-source, which is a plus. There’s both a FF extension and a Javascript form version (all client-side) in case you’re away from home.
March 21st, 2007 at 12:56 pm
PassPack has product failure written all over it.
March 23rd, 2007 at 3:21 am
Hello,
Tara from PassPack here. Thanks for the article, I appreciate your concerns over security and I’m glad you bring them up. Right now PassPack is in Beta and we specifically state in our TAC (in bold red letters): no financial, banking or otherwise critical passwords. Once we are out of beta we’ll take on that kind of responsibility, but not before. Right now, I think just having a place for the zillions of logins, frequent flyer numbers, software registration codes, etc etc will help take the burden off of the average user.
The bigger issue that we’re going to have to face will be phishing. We’ve got a couple of things in place right now, and they’ll surely get improved upon as time goes by. Suggestions are welcome.
@Peter, @Jason
Yup, pwdhash is a pretty popular tool. It’s not a password manager but it does solve the same problem: not remembering passwords. PassPack is more like an organizer that you can access even when away from your normal computer.
@James
Sorry you feel that way.
We’re always open to suggestions, so pop by the blog and drop us a comment if you’d like: http://passpack.wordpress.com
We’ve also just announced the beta testing for a new auto-fill login tool, so if anyone is interested, let me know.
Cheers to all,
Tara