PassPack is a new service that enables you to store your passwords online. You can access them from anywhere using your ID and master password, in this case called “Packing Key”. According to the folks at PassPack, the data is encrypted on the server in such a way that no one (not even them) can see it, except you.
You can read about the details here.
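As an added illustration (not PassPack's code, and not taken from their documentation), here is one way a service can hold data that only the user can read: the key is derived from the Packing Key on the client, and the server stores nothing but salt, nonce, ciphertext and authentication tag. PBKDF2, AES-256-GCM, the iteration count and all function names are assumptions made for this sketch.

```javascript
// Added illustration; not PassPack's code. PBKDF2 + AES-256-GCM are assumed choices.
const crypto = require('crypto');

const KDF_ITERATIONS = 600000; // assumed work factor

// Derive a 256-bit key from the Packing Key; runs only on the client.
function deriveKey(packingKey, salt) {
  return crypto.pbkdf2Sync(packingKey, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Client side: encrypt the password list before upload.
function pack(packingKey, entries) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(packingKey, salt), nonce);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'),
    cipher.final(),
  ]);
  // This record is all the server ever stores: no key, no plaintext.
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Client side: decrypt a record fetched from the server.
// Returns null when the Packing Key is wrong or the record was tampered with.
function unpack(packingKey, record) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', deriveKey(packingKey, record.salt), record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Constructed sample data.
const entries = [{ site: 'forum.example', login: 'alice', password: 'constructed-sample-1' }];
const stored = pack('correct horse packing key', entries);
console.log(unpack('correct horse packing key', stored)); // original entries
console.log(unpack('wrong key', stored));                 // null
```

With this design the strength of the Packing Key is the only thing between a leaked server record and the plaintext, so it should be long and used nowhere else.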
Now, I’m not suggesting that you should try out this service. I’m saying that, if you use a password to access more than 5 sites on the web (in my case, it’s several hundred), it’s a must. When you need a password to access several sites, chances are you’re either:
a) using the same password in all of them
b) constantly forgetting your passwords
c) keeping your passwords written on a piece of paper or in a file somewhere
For obvious reasons, none of these three options are any good from the security point of view.
Personally, I use a system of passwords which enables me to create a dozen or two variations on the same - relatively strong, from an encryption point of view - set of characters. I use the simple variations for less important services, and more complex ones for important ones. This is good, but sometimes I forget which one I’ve used and I have to try out 5-10 combinations to see which one I used in a particular case.
But, now that I’ve found this little service, I’m going to switch to PassPack. It’s simple, it’s helpful, and it works. Register with them, choose a master password, and add your logins and passwords (you can add a note to each one), so you can finally start forgetting them and stop worrying about them.
I’m suggesting two possible ways of using PassPack.
1. You trust them 100%, and you keep all of your passwords there. Simple.
2. If you’re not really convinced about keeping your really important personal information online or in this particular service, then you just use it for non-critical passwords. You know, passwords for all those services you’ve stumbled upon on the web, and you use them but you don’t keep any really important data there. On the other hand, you keep your absolutely critical personal stuff locked in a safe.
I’m going to do the latter. If you’re a Web 2.0 enthusiast, you should try it out too - or suffer eternal damnation in the hell of forgotten passwords.






Great find. I’m sure the service will find some takers.
Me personally, I have around 3 - 4 different variations of passwords and I only register with a service I really really want to. Also I use the Firefox password manager to remember all my passwords.
So far it has shown to be secure. Let’s hope it stays that way. I might still try out this service to have a look.
Thing is though that it’s less secure than using 1 password for every service you’re registered with.
Using PassPack - If someone finds your PassPack password they not only know all your passwords, they also know which services you’re registered with.
Not using PassPack, and using one password for everything - If someone finds your one password they know the password for all your services, but they don’t know which ones you use. Actually, they won’t even know they have the password for all your services provided you don’t tell them you use only one password.
Me - I use 2 passwords.
1 that is difficult to guess or remember at a glance for anything highly sensitive
A second password for more trivial applications
My personal feeling is that as more and more people switch more of their lives to being online, adopting a system of having a handful of passwords for different categories of service will become common.
Now, a webservice that could change the password for all services within one category simultaneously - that would be useful! If different services adopted a standards based login & password setting process it could become a reality.
@Rhys: you’re forgetting one big security issue. If you use 1 password for every service, then if someone finds out that 1 password (and have in mind that admins of each of those services can do that easily) they can access all the other services you use.
Example: if you have the same password for PayPal, GMail, Traineo, and some forum, then the weakest link is probably the forum, whose admin can abuse his/her power, find your password out and cause you big damage on your PayPal account. In this case, you’re practically giving away your most important (and only) password to a bunch of unknown people. Security-wise, it’s a really bad idea.
But they will have no way of knowing what those other services I use are. If I used passpack they would. The one exception - I grant - is that most services would probably know my email provider.
But as I explained I have 2 levels of password - one I use only for very important things e.g. email; the fact that they’re so important means I implicitly have to put a lot of trust in the service providers anyway. The fact I have an account with these providers for such important things means I have to Trust them to look after my data in a secure and responsible way… otherwise I wouldn’t be with them. There is no ‘weakest link’ because I use a different password for sites which are less important, and whom I place less trust in.
Another downside of PassPack is that presumably it reminds you of your passwords by displaying them on screen, so people can look over your shoulder. If you have a minimal number of passwords system you never have to write them down, and when they’re typed in they appear as *****.
By the way, I subscribe to your blog. Pretty good read for someone interested in social software.
@Rhys: Well, I get your point of view. It was my point of view also for a long time, but recently I’m beginning to change my mind.
You’re right that “they” whoever they may be will have no way of knowing what services you use. But if you think about it, it’s trivial: if someone wants your money or personal info, they’ll check PayPal, Gmail, and a dozen other logical ones.
In my personal case, as I practically subscribe to every possible web service out there, using two or three levels of passwords is simply not enough any more. I have to have at least 10 or so different passwords for various services, and that can be hard to remember (especially because some services don’t give you a choice of user ID, forcing you to use an email). But, I guess I’m not really a typical user.
Oh yes, thanks for subscribing (;.
Hello,
I’m glad to see a little discussion has grown around PassPack and passwords. Sorry I missed it for so long, but here I am to chime in now…
Rhys wrote >>
“If someone finds your PassPack password they not only know all your passwords, they also know which services you’re registered with.”
PassPack uses a double access technique, which means the standard User ID and Pass, plus what we call a Packing Key. So that someone would also need to guess/know your Packing Key to get at your data:
http://passpack.wordpress.com/2006/12/14/password-security-packing-keys/
To make things a little harder, PassPack supports Pass Phrases. These are much stronger than simple passwords: http://passpack.wordpress.com/2006/12/29/passpack-strong-passwords-times-three/
But in the end, you should *definitely* use a completely new and unique pass for your password manager - no matter which one you choose.
Rhys wrote >>
“Another downside of PassPack is that presumably it reminds you of your passwords by displaying them on screen”
PassPack actually uses a scrambled field for stored passwords to avoid shoulder surfing. This way you can click-and-copy without ever displaying it on screen: http://passpack.wordpress.com/2007/04/06/how-to-copy-the-scrambled-password/
I hope I haven’t been too wordy (I tend to do that, sorry). Cheers to all,
Tara Kelly
PassPack Founding Partner