Review: PassPack (v Clipperz) - passwords on the iPhone!
UPDATE: Marco (from Clipperz) just posted that they’re already hard at work on an iPhone version, hampered only by their lack of an iPhone. :) I’m excited, choice is good, competition makes everyone better.
So, one of the things I miss on my iPhone is a secure password management application. It doesn’t have one, and Clipperz.com (an online app) doesn’t yet support the iPhone. I wept for a while until I ran across PassPack on BlogCatalog, of all places. Here’s a site that seems very similar to Clipperz. Without much hope I read a little about it, signed up for my free account and then fired up the iPhone. To my surprise and delight it actually works on the iPhone! The HTML is a little messed up, but it is definitely usable. So, I delved a little deeper into the site and its attendant blog, and now I’ve got a better idea about it.
The best news for me, the killer feature if you will, is that it works on the iPhone (one of my top 8 apps I wanted on the iPhone). As far as I know, it’s the only game in town, so I’ll definitely be using it. The site is nice, clean design, no complaints there. It has the features you expect it to have: it saves passwords and now has autologin features for various sites. Very interestingly, in addition to encrypted backups to your local drive you can also simply export your data in CSV format in case you want to move it somewhere else. You just don’t see that much confidence in products anymore, where a ground-floor feature is getting your data off the system in a non-proprietary format. Mad kudos to PassPack for that.
It’s got a lot of security features; there’s the standard name and password login of course. Like Clipperz, it actually stores an encrypted file on its server and sends that to you for local decryption, so the name and password you send to it (securely over https) only get you access to that encrypted file. There is then a Packing Key that decrypts that file locally, so it isn’t sent over the internet. This is pretty much what Clipperz does as well. Interestingly, if you are travelling and worried about keyloggers at internet cafes you can set up a bunch of one-time passwords and print them out. Then as you travel, instead of typing in your name and password you can use one of these and not worry if anyone knows it, because it won’t work again.
Click on to read what I didn’t like too much about it and my … dunh dunh dunh… stunning conclusions. Ok, not that stunning. But still…
Unfortunately there are some things I dislike about the app. As a web-based app that wants to store some particularly sensitive information, information that I instinctively don’t necessarily want to store online, it needs to do a lot to convince me. Clipperz goes the whole nine yards, with reams of pages about its security model, exactly how it works, and access to its FOSS security libraries. This is very reassuring. PassPack doesn’t: it talks very little about its security model. That is, it talks about its security features, like logging in, the packing key and one-time passwords, but it doesn’t talk much about the underlying model. This doesn’t give me nearly the same comfort level as I had with Clipperz.
Also, as an application it really wants to store website information. That is, each entry wants a URL and login and password information. There’s a free-text area where you can store up to 1024 characters, but it’d be nice to have separate fields for each item as Clipperz does. The other UI thing I don’t love about it is that the viewing interface for an entry is also the editing one; it just isn’t pretty and could potentially lead to accidental changes.
Lastly, the thing that could probably be seen as a win is somewhat of a loss. They enforce a certain level of strength for both of your passwords (login and packing key). That is, they have to be quite long; both of mine had to be well over 10 characters, and that is including numbers and punctuation. While I applaud the theory behind this, I think it’s a little too nannyish for me. There should be an option to have a weaker password, perhaps with scary pop-up dialogs and whatnot to discourage it, but if I want a weaker password it’d be really nice to have one. Typing all that on my iPhone takes a while, plus it’s really hard to remember, and getting it wrong means starting all over again since you can’t see what you’re typing.
One interesting thing about the site is that they really are looking at these “packs” as discrete chunks instead of personal accounts. They encourage people to create new packs for all occasions; for example, if you have clients that need login information to various servers you could create a pack for each client and send that around. What I would love to be able to do would be to have a pair of packs: one with only moderately sensitive information and a weak password (which is easy to type on my iPhone), and another with a strong password holding the strong passwords.
Overall, PassPack is a worthy application. I personally prefer Clipperz because I feel more comfortable with their full disclosure and I like their interface better. But most of the complaints I have against PassPack are very minor - they provide a lot of really powerful features and seem to provide more levels of security than Clipperz does. More importantly (for me) PassPack works on the iPhone and Clipperz does not.
Note, all this talk about full disclosure and the relative merits of security models is based just on my own intuition. I have no idea whether or not either of these is truly secure. I suspect that they are both as secure as is reasonably possible. But my position is this: there are various ways a company can get me to trust their security model. One is if it is Free Software and it is reasonably popular; I feel that someone has looked it over and believes it to be ok (perhaps naive, but that’s how I roll). Another is (like Yodlee) they have big clients who would stand to lose money and clients in the event of a security breach; I cross my fingers and believe that they will have looked over the security model and approved it. That’s pretty naive as well, I’m sure, but I’m not a security expert, so what other options are there?
August 17th, 2007 at 11:48 am
Hi,
First - thanks for giving PassPack a try, and for sharing with others. Let me jump right in and answer a few of your questions.
On Security Disclosure.
Agreed. We’re in the process of setting up an area dedicated to this, and to the various libraries that we’ve developed and will be released as open source. It’s coming.
On too much typing.
Have you tried the “Remember me” feature? This will keep you logged in for a week so you’ll just enter your Packing key to get in - much less typing. Here’s more info: http://tinyurl.com/2bgncm
On the entries.
Only the Title is required - and one other field of your choice. The link isn’t mandatory. On custom fields, we talked about that a little bit here (scroll down to the “Custom Fields” section): http://tinyurl.com/2nbqvn
I hope I didn’t come off as short, just trying not to leave an endless comment. :) Please let me know if you’d like any more, or different, information. I’ll be happy to provide it.
Cheers,
Tara Kelly
PassPack Founding Partner
August 17th, 2007 at 4:26 pm
Yeah, I’m a user of it. :)
I’m glad to hear you’re going for full disclosure! That’s my only real complaint. Everything else was just little preference things.
I had enabled remember me - and it’s cool. My fear about this, though, is my memory sucks, so that if I don’t log in every time I won’t remember the login when I next need to. (I don’t like carrying the info around with me.) So as a safety measure I didn’t use it on my iPhone. Again, just a personal quirk. I do hope, though, that you’ll allow a means to put in a weaker password - I should be allowed to shoot myself in the foot for the sake of convenience. :)
Thanks for your suggestions! I’ll be following development and seeing how things.. develop.
September 7th, 2007 at 2:35 pm
Online password storage “apps” are a very bad thing. The nature of a security model is to protect valuable assets. The moment you push your “key” out to a web-based site is the instant that your security model designed to protect your most valuable assets is compromised.
September 7th, 2007 at 2:59 pm
Brian, you are right, of course, that if you had to send a site your key, security would be greatly decreased. But both of these apps do not actually send your key over the net; decryption is handled locally on your machine. At worst you send a name and password over SSL that gets you the encrypted file, which you still need to decrypt locally.
So, as I see it, in the worst case where you don’t trust the application provider, they would need the ability to brute force your decryption key - same goes if they are compromised and bad guys get access to your encrypted blocks. If you do trust them, then someone would first need to be able to eavesdrop on your ssl connection or watch your keyboard - the same sorts of problems online banks are dealing with today. The end result of which is still them needing to be able to break AES encryption.
That at least is my broad understanding of the way these services work.
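The model described in the review above (a name and password sent over https fetch an encrypted pack; a Packing Key decrypts it locally and never leaves the client; printed one-time passwords work exactly once) and restated in felix’s reply, as an added example that is not PassPack’s or Clipperz’s code. It assumes its own wire format, PBKDF2 for stretching both secrets and, in place of the AES the services use in the browser, an HMAC-SHA256 keystream with an HMAC tag so that it runs on the Python standard library alone. The account name, passwords, one-time-password list and vault entries are constructed for the demo.

```python
"""Added example of the client-side-encryption model: the server holds a login
verifier, burned-on-use OTP hashes and an opaque blob, but never the Packing Key.
Wire format, KDF parameters and the HMAC-based cipher are this example's own
assumptions, not PassPack's or Clipperz's implementation."""
import hashlib
import hmac
import json
import secrets

PBKDF2_ROUNDS = 100_000  # assumed cost; this is what makes brute-forcing a stolen blob slow


def derive_key(secret: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256, used for the server's login verifier and the client's pack key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a dependency-free stand-in for AES.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def seal_pack(pack_key: bytes, entries: dict) -> dict:
    """Encrypt-then-MAC the pack on the client; only the returned blob goes to the server."""
    nonce = secrets.token_bytes(16)
    enc_key = hmac.new(pack_key, b"enc", "sha256").digest()
    mac_key = hmac.new(pack_key, b"mac", "sha256").digest()
    plaintext = json.dumps(entries).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_pack(pack_key: bytes, blob: dict) -> dict:
    """Decrypt on the client; fails closed on a wrong Packing Key or a tampered blob."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    enc_key = hmac.new(pack_key, b"enc", "sha256").digest()
    mac_key = hmac.new(pack_key, b"mac", "sha256").digest()
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong Packing Key or tampered pack")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))


class VaultServer:
    """Everything the service ever holds. Note what is absent: the Packing Key and any plaintext."""

    def __init__(self):
        self.accounts, self.sessions = {}, {}

    def register(self, name: str, login_password: str, one_time_passwords: list) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[name] = {
            "salt": salt,
            "verifier": derive_key(login_password, salt),
            "otp_hashes": {hashlib.sha256(o.encode()).hexdigest() for o in one_time_passwords},
            "kdf_salt": secrets.token_bytes(16),  # public salt for the client-side pack key
            "blob": None,
        }

    def login(self, name: str, credential: str):
        """Accepts the login password or one unused OTP; returns a session and the sealed pack."""
        acct = self.accounts[name]
        otp_hash = hashlib.sha256(credential.encode()).hexdigest()
        if hmac.compare_digest(derive_key(credential, acct["salt"]), acct["verifier"]):
            pass
        elif otp_hash in acct["otp_hashes"]:
            acct["otp_hashes"].discard(otp_hash)  # burned: a keylogged copy is now worthless
        else:
            raise PermissionError("bad login")
        token = secrets.token_hex(16)
        self.sessions[token] = name
        return token, {"kdf_salt": acct["kdf_salt"], "blob": acct["blob"]}

    def store(self, token: str, blob: dict) -> None:
        self.accounts[self.sessions[token]]["blob"] = blob


def client_session(server: VaultServer, name: str, credential: str, packing_key: str):
    """Client flow: authenticate, fetch the blob, derive the pack key locally, decrypt locally."""
    token, resp = server.login(name, credential)
    pack_key = derive_key(packing_key, resp["kdf_salt"])  # computed here, never transmitted
    entries = open_pack(pack_key, resp["blob"]) if resp["blob"] else {}
    return token, pack_key, entries


def demo() -> dict:
    """Walk the scenarios from the review; constructed names, passwords and entries."""
    server = VaultServer()
    server.register("felix", "login-pw-long-enough-123!", ["otp-alpha", "otp-bravo"])
    # At home: log in, add an entry, seal it locally, push only the ciphertext.
    token, pack_key, entries = client_session(server, "felix", "login-pw-long-enough-123!", "packing-key-correct-horse")
    entries["bank"] = {"url": "https://bank.example", "user": "felix", "pw": "hunter2"}
    server.store(token, seal_pack(pack_key, entries))
    results = {"server_sees_plaintext": "hunter2" in json.dumps(server.accounts["felix"]["blob"])}
    # Internet cafe: an OTP fetches the blob once; the keylogger's replay is refused.
    _, _, entries2 = client_session(server, "felix", "otp-alpha", "packing-key-correct-horse")
    results["otp_decrypts"] = entries2["bank"]["pw"] == "hunter2"
    try:
        client_session(server, "felix", "otp-alpha", "packing-key-correct-horse")
        results["otp_replay_rejected"] = False
    except PermissionError:
        results["otp_replay_rejected"] = True
    # Wrong Packing Key: the server hands over the blob anyway; the tag check fails closed.
    try:
        client_session(server, "felix", "otp-bravo", "packing-key-WRONG")
        results["wrong_pack_key_rejected"] = False
    except ValueError:
        results["wrong_pack_key_rejected"] = True
    return results
```

Running `demo()` shows the three properties the thread argues about: the provider's copy contains neither the Packing Key nor any plaintext, so a compromised or untrusted provider is left with the offline PBKDF2 brute force felix describes; a one-time password that a cafe keylogger captured is rejected on replay; and a wrong Packing Key is detected by the MAC rather than silently producing garbage.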
September 9th, 2007 at 3:30 pm
@felix,
Yes, you understood perfectly. That’s exactly the way it works.
If you wanted to, you could sign in, then disconnect from the internet before inserting your key. You’d simply need to go back online to save any changes you’ve made (ie. send your encrypted pack of data to the server for storage).
Cheers,
Tara
November 12th, 2007 at 11:34 am
[...] secure but more convenient plain html interface. Now this is distinct from the html interface that Clipperz and PassPack use - their model is much closer to the java version but they use javascript instead of java - all [...]