The security of online password managers

Mar 20, 2007 22:42

Today, I learned about PassPack – Free Online Password Manager. PassPack appears to do everything right. The encryption/decryption happens in your browser, which means that the data simply cannot be decrypted by the people at PassPack or someone who gets ahold of PassPack’s data. They also offer a reasonable technique for dealing with phishers.

Fundamentally, though, there is still a risk with a service like this. If someone manages to get into PassPack’s servers, they can modify the software that gets sent to your browser so that it passes along your encryption key, which they can then use to decrypt your passwords at their leisure.

Granted, the people running PassPack are undoubtedly security conscious. They’ll run their servers as securely as they can, keep up with patches, and disconnect the boxes as soon as they see a sign of a potential breach. The risk is relatively minimal, but you still have to decide if it’s a chance you want to take.
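The modified-software risk described above can at least be watched for from the outside. The following is an added example, not code from this post or from PassPack: it compares the scripts a service sends against digests pinned from a release that was reviewed earlier. The file paths and script bodies are constructed placeholders, and the pinned digests are assumed to be stored somewhere the service itself cannot change.

```python
import base64
import hashlib


def sri_digest(body: bytes) -> str:
    """Return a Subresource-Integrity style digest (sha384, base64)."""
    raw = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(raw).decode("ascii")


def audit_served_scripts(pinned, served):
    """Compare served script bodies against digests pinned out of band.

    pinned: {path: digest} recorded from a reviewed release
    served: {path: bytes} as fetched from the service just now
    Returns a sorted list of (path, finding) for every discrepancy.
    """
    findings = []
    for path, body in served.items():
        if path not in pinned:
            findings.append((path, "unpinned"))   # new file nobody reviewed
        elif sri_digest(body) != pinned[path]:
            findings.append((path, "changed"))    # reviewed file was altered
    for path in pinned:
        if path not in served:
            findings.append((path, "missing"))    # reviewed file no longer sent
    return sorted(findings)


# Constructed sample data: hypothetical paths, not PassPack's real files.
REVIEWED = {
    "/js/crypto.js": b"function decryptVault(key, blob) { /* reviewed */ }\n",
    "/js/app.js": b"function unlock(form) { /* reviewed */ }\n",
}
PINNED = {path: sri_digest(body) for path, body in REVIEWED.items()}

# What the server sends after someone has modified the software.
SERVED_TAMPERED = {
    "/js/crypto.js": REVIEWED["/js/crypto.js"] + b"/* one added statement */\n",
    "/js/app.js": REVIEWED["/js/app.js"],
    "/js/extra.js": b"/* file not in the reviewed release */\n",
}

if __name__ == "__main__":
    for path, finding in audit_served_scripts(PINNED, SERVED_TAMPERED):
        print(f"{finding:9} {path}")
```

A clean result only covers the copy that was fetched for the check; a compromised server can still send different code to a particular user or at a particular time.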