Comments on: Review: PassPack (v Clipperz) - passwords on the iPhone!

By: The Dangers of Online Encryption

The Dangers of Online Encryption — Mon, 12 Nov 2007 16:34:57 +0000

[...] secure but more convenient plain html interface. Now this is distinct from the html interface that Clipperz and PassPack use - their model is much closer to the java version but they use javascript instead of java - all [...]

By: Tara (PassPack)

Tara (PassPack) — Sun, 09 Sep 2007 20:30:16 +0000

@felix,
Yes, you understood perfectly. That’s exactly the way it works.

If you wanted to, you could sign in, then disconnect from the internet before inserting your key. You’d simply need to go back online to save any changes you’ve made (ie. send your encrypted pack of data to the server for storage).

Cheers,
Tara

By: felix

felix — Fri, 07 Sep 2007 19:59:00 +0000

Brian, you are right, of course that if you had to send a site your key it would security would be greatly decreased. But both of these apps do not actually send your key over the net, decryption is handled locally on your machine, at worse you send over a name and password over ssl that gets you the encrypted file that you still need to decrypt locally.

So, as I see it, in the worst case where you don’t trust the application provider, they would need the ability to brute force your decryption key - same goes if they are compromised and bad guys get access to your encrypted blocks. If you do trust them, then someone would first need to be able to eavesdrop on your ssl connection or watch your keyboard - the same sorts of problems online banks are dealing with today. The end result of which is still them needing to be able to break AES encryption.

That at least is my broad understanding of the way these services work.

By: Brian W. Rainey

Brian W. Rainey — Fri, 07 Sep 2007 19:35:41 +0000

Online password storage “apps” are a very bad thing. The nature of a security model is to protect valuable assets. The moment you push your “key” out to a web-based site is the instant that your security model designed to protect your most valuable assets is compromised.

By: felix

felix — Fri, 17 Aug 2007 21:26:35 +0000

Yeah, I’m a user of it. :)

I’m glad to hear your going for full disclosure! That’s my only real complaint. Everything else was just little preferency things.

I had enabled remember me - and it’s cool. My fear about this, though, is my memory sucks so that if I don’t log in every time I won’t remember the login when I next need to. (I don’t like carrying the info around with me). So as a safety measure I didn’t use it on my iPhone. Again, just a personal quirk. I do hope, though, that you’lll allow a means to put in a weaker password - I should be allowed to shoot myself in the foot for the sake of convenience. :)

Thanks for your suggestions! I’ll be following development and seeing how things.. develop.

By: Tara Kelly (PassPack)

Tara Kelly (PassPack) — Fri, 17 Aug 2007 16:48:05 +0000

Hi,
First - thanks for giving PassPack a try, and for sharing with others. Let me jump right in and answer a few of your questions.

On Security Disclosure.
Agreed. We’re in the process of setting up an area dedicated to this, and to the various libraries that we’ve developed and will be released as open source. It’s coming.

On too much typing.
Have you tried the “Remember me” feature? This will keep you logged in for a week so you’ll just enter your Packing key to get in - much less typing. Here’s more info: http://tinyurl.com/2bgncm

On the entries.
Only the Title is required - and one other filed of your choice. The link isn’t mandatory. On custom fields, we talked about that a little bit here (scroll down to the “Custom Fields” section): http://tinyurl.com/2nbqvn

I hope I didn’t come off as short, just trying not to leave an endless comment. :) Please let me know if you’d like any more, or different, information. I’ll be happy to provide it.

Cheers,
Tara Kelly
PassPack Founding Partner