
Password Security & Packing Keys

The first question new Passpack users ask during sign up, without fail, is:

“I just chose a User ID and Pass, why do I need a Packing Key too?”

At first glance the Packing Key may seem like a bit of a hassle. After all, Passpack is supposed to be a place to store your passwords so that you don’t have to commit everything to memory. So why the “extra” code? Why the Packing Key?

The short answer is: Double Data Security.

Unlike other Password Managers, Passpack uses a two-step access technique. Your User ID and Pass give you access to your Account. But the Packing Key is needed to actually access your data.

Passpack Passwords locked up INSIDE your Account

The “Pack” in Passpack comes from that bundle of your passwords locked up inside your Account. This way we can check your User ID and Pass when you Sign In, without ever exposing your passwords.

You unpack your passwords in your browser, and you pack them back up in your browser. Your Packing Key never travels over the internet. And it certainly never gets saved to our server.

Only the locked Pack gets sent to the server for safe storage. For good measure, it gets sent over a Secure Connection.

That’s a lot of extra protection in one little Packing Key. We thought it was worth the hassle.


27 Comments

  1. Marco Barulli
    Posted Dec. 15, 2006 at 4:43 pm | Permalink

    Dear Tara,
    at Clipperz we are working on a similar project.
    It’s nice to see other people betting on the success of “browser cryptography”!

    With regard to authentication, we opted for a more sophisticated approach that does not require to send the password, or even an “hashed and salted” password to the server. Our registered users will have just one password (better a passphrase) that can be used for both authentication and encryption.

  2. Posted Dec. 15, 2006 at 6:23 pm | Permalink

    Hi Marco,
    I actually paid a visit to your site yesterday. Nice work – and thanks for the link on the home page. :)

    We opted away from single key authentication for a couple of reasons. Not the least of which is to allow us more flexibility towards the future. Just as AES replaced DES, something will, someday, replace AES. The double key approach allows us to evolve and change our algorithms as time goes by – without having to cancel the user data. You can do that since you’re in sneak preview mode, but we’re moving towards a commercial system and that’s just not a viable option for us.

    The page you linked is a wonderful resource for those looking to better understand the algorithms used, so thanks for taking the time to post that. Have you had a look at Passlet.com yet? Parvez has found some nice solutions and is quite nice and helpful. It’s great to see that this field is so open to collaboration. I’m looking forward to bouncing ideas off you in the future!

  3. joe
    Posted Jan. 10, 2007 at 11:34 am | Permalink

    Hi, nice work, but
    “Your Packing Key never travels over the internet. And it certainly never gets saved to our server.”
    Where is it kept? In a cookie?
    thanks

  4. Posted Jan. 10, 2007 at 11:53 am | Permalink

    @Joe
    Using a cookie to store the Packing Key would be very unsafe. We don’t do that.

    The Packing Key is not saved anywhere. The system is able to check that the Packing Key is correct by trying to unpack the data with it: if the result is a jumbled mess, then the Packing Key was incorrect; if the result makes sense, then the Packing Key was correct and you are shown your data. All of this happens in the browser.

    Once the Packing Key has been correctly entered, it is temporarily stored in your browser’s memory. It is removed from memory as soon as: (a) you sign out, (b) you “pack it up” or (c) after 2 minutes of inactivity the application automatically locks up.

    Let me know if you’d like more info.

    Thanks for the “nice work”!

  5. joe
    Posted Jan. 10, 2007 at 12:17 pm | Permalink

    Glad to know that you don’t use cookies, although I saw that you have written some cookie on my browser with some key, maybe only needed by the website?

    “if the result makes sense”…I suppose you check this with a flag along the data ?

    Thanks :)

  6. Posted Jan. 10, 2007 at 2:04 pm | Permalink

    @joe
    Yes, the cookie you see is automatically set by the browser when a server-side session is opened and it contains the sessionid. These cookies expire as soon as the browser window is closed.

    Without going too much into detail, here’s how we handle server-side sessions: On the server, no other information is associated with this session – for example, many sites also store variables like User ID or Password in the session, we don’t do that. The session is used exclusively to thwart attempts at forcing the Ajax functions to run outside of the Passpack application itself. I hope that makes sense.

    Re: “if the result makes sense” – The system takes the result and checks to make sure that it conforms to a specific syntax. In particular, it should look like a JavaScript object. If the result does not adhere to this syntax, the system deduces that the Packing Key was incorrect. Rest assured, we don’t use any eval() in that process as that would be unsafe.

  7. Posted Sep. 9, 2007 at 1:42 am | Permalink

    What are the character limits (the length and acceptable character sets) for the user name, password, and packing key?

  8. Posted Sep. 9, 2007 at 3:52 pm | Permalink

    Hi Bob.
    Here’s some info…

    Character set:
    The full UTF-8 character set is fine for all three.

    Maximum Lengths:
    User ID: 32 characters
    Pass: 32 characters
    Packing Key: 64 characters

    Minimum Lengths:
    User ID: 2 characters
    Pass: 64 bit (quality)
    Packing Key: 80 bit (quality)

    You’ll notice the minimum requisites for the Pass and Packing Key aren’t expressed in number of characters, but rather a quality rating.

    How quality ratings work

    Let me know if you have any other questions.

  9. Posted Sep. 20, 2007 at 11:23 am | Permalink

    Hello,

    I have got a question for you:

    What is the most important? The packing key or the password?

    I explain: by comparing my password and my packing key, I noticed that the PWD quality is better than the PK one (110/83).

    I suppose the PK is most important (the real way to see my passwords). Do you advise me to change this?

    David

  10. Posted Sep. 20, 2007 at 12:45 pm | Permalink

    @szdavid
    The Packing Key is absolutely, positively the most important.

    The easiest way to make a good one is to use a sentence. For example:

    My 1st phone number was hard to remember.

    That’s easy to remember, easy to type, yet scores 154 quality. Non-English languages are usually easier to score higher with since they use accented letters. Here’s an Italian sentence:

    Mi è difficile ricordare il numero di telefono.

    That scores a 188 quality.

  11. Posted Sep. 20, 2007 at 2:11 pm | Permalink

    Hi, thank you so much for the answer and for having told me by email.

    Okay, so I will change my packing key.

    The problem with letters with accents such as éèê, … is when you are abroad: it is difficult to get these characters.

    Bye

  12. Posted Sep. 20, 2007 at 3:32 pm | Permalink

    @szdavid
    You’re quite welcome.

    When you’re traveling, you can also try using Disposable Logins:

    http://tinyurl.com/26c74l

    Those don’t use accented letters :)
    Cheers,
    Tara

  13. Posted Oct. 14, 2007 at 8:19 pm | Permalink

    Hi,

    I had a few questions regarding the unpacking of data. How does the unpacking work? When I enter the packing key, what happens? Does my packing key leave the browser in plain text (albeit over HTTPS)? If it doesn’t, how does the process work?

    Thanks,

    Pritesh.

  14. Posted Oct. 14, 2007 at 8:58 pm | Permalink

    Hello Pritesh.
    The Packing Key *never* leaves the browser. The Packing Key is used by the application in your browser window to encrypt your passwords. Once that’s complete, then the encrypted pack gets sent to the server for storage – but not the packing key.

    When you sign in (User ID and Pass), Passpack sends the encrypted pack back to your browser. This is when you are asked to insert your packing key.

    Again, the Packing Key doesn’t get sent to the server, it’s only used by the browser to try and unpack your data:

    * If the result is nonsense, then it knows that the Packing Key was incorrect and tells you so.

    * If the result makes sense, then it knows the Packing Key was correct and shows you your passwords.

    Does that help? Let me know if something isn’t clear.

    Cheers!
    Tara

  15. Rob Gardner
    Posted Oct. 25, 2007 at 3:06 pm | Permalink

    Hi,

    When the packing key is used to encrypt and decrypt data on the client, is the AES algorithm used, or is that just on the server side? If not, what strength encryption algorithm do you use prior to transmitting data down the wire?

    Regards

    Rob Gardner

  16. Posted Oct. 25, 2007 at 5:25 pm | Permalink

    Hello Rob,
    Yes, we use a Javascript implementation of AES-256 in the browser:

    http://www.movable-type.co.uk/scripts/AES.html

    You can find a list of all the libraries we use here:

    http://www.passpack.com/info/thanks/

    Cheers!
    Tara

  17. Pritesh
    Posted Nov. 21, 2007 at 9:40 pm | Permalink

    Hello,

    I just tried the Passpack it tool and it’s really neat. Good stuff guys! Just wondering how it logs me in without asking to enter the packing key though, is the packing key stored in a cookie as that seems to be the best bet. If it’s saved in a cookie, when does the cookie expire? How safe is it?

    It’s really neat, but is it safe?

    Thanks,

    Pritesh.

  18. Posted Nov. 21, 2007 at 9:53 pm | Permalink

    Hello Pritesh,
    Thanks, glad you’re enjoying Passpack (I love hearing that).

    The autologin does not use cookies, nor does it store your passwords in the button. It’s in full compliance with Host-proof Hosting, which means that even during auto-login, not even Passpack is able to intercept or read your login information.

    There’s some more info here.

    Read through that article, then let me know if you have any more questions. I’ll be happy to answer.

    Cheers,
    Tara

  19. Jerry
    Posted Nov. 29, 2007 at 12:31 am | Permalink

    Hello,

    I’m confused about something. You say

    “The Packing Key is not saved anywhere. ”

    and then

    “Once the Packing Key has been correctly entered, it is temporarily stored in your browser’s memory.”

    This seems like a contradiction?

    And once the passwords are unpacked, where are they stored? I’m guessing they’re stored in Javascript variables so you don’t need cookies since you’re doing everything with AJAX?

    thanks,

    jerry

  20. Posted Nov. 30, 2007 at 2:27 pm | Permalink

    Hi Jerry,
    Yes, everything is maintained in Javascript variables for the time that your pack is “open”.

    “The Packing Key is not saved anywhere.” – Once you sign out, or lock up your account, it’s removed from memory, not saved in a plugin, file or cookie. It’s never sent to the server either.

    I hope that makes sense. Let me know if you’d like me to clear that up further for you.

    Cheers,
    Tara

  21. pp
    Posted Dec. 13, 2007 at 3:00 pm | Permalink

    Tara, You say “These cookies expire as soon as the browser window is closed” in your Jan. 10th exchange with @joe.

    Now that tabbed browsers are normal, does the cookie expiration linger after a tab is closed even if no other tabs remain connected to the same domain with an ongoing need for the same cookie?

    Thanks,
    PP

  22. Bud
    Posted Mar. 23, 2008 at 8:05 am | Permalink

    Wow I stumbled across this service while looking for a way to save passwords at work. As bookkeeper I won’t be able to use this service for work but decided to give a shot at home. I’m feeling pretty dumb since I have spent the last couple hours reading help files and tutorial videos just to understand some basics. In the past, to access my 150+ passwords remotely, I would keep a password encryption program in Briefcase and download it where I needed it. That didn’t work at cybercafés and libraries. This service would work anywhere and seems safer and maybe after more reading I might actually be able to use it without bringing a manual along. One would think after working as tech support for 7 years I’d get it quickly but I didn’t. It looks like it has some nifty possibilities. It’s after 1 AM and had no luck with Passpack Offline Version so I will save that for another day.

  23. Rajiv
    Posted Jun. 11, 2008 at 10:11 am | Permalink

    I want to ask how I can confirm that my packing key is not leaving my browser and everything is being implemented on the client side. If everything (all encryption and decryption) is done on the client side, then how is it safe? Hackers can hack the client-side code if any intruder is working on my PC.

  24. Posted Jul. 16, 2008 at 1:27 pm | Permalink

    I am a bit puzzled as to why you need to bother your users to choose and remember a password? Could that not be, too, derived from the “packing key passphrase” as in, e.g. pass=Hash(userID, passphrase)? (just an example; many alternatives are possible here).

    (of course calculated by code on the client side, just to be consistent with your “HPH” approach)

    Weird…..

  25. Posted Jul. 17, 2008 at 6:01 pm | Permalink

    @anonymous
    I think I just answered you here.

  26. Sriram
    Posted Aug. 21, 2009 at 9:51 am | Permalink

    Hello

    A small question:

    Since the browser has the packing key, if your browser or computer is hacked and the packing key found, can all passwords be stolen??

  27. Posted Aug. 21, 2009 at 1:24 pm | Permalink

    Hi Sriram,
    Your Packing Key is not stored on your computer. It is used by the browser for as long as you are logged into your Passpack account, then it disappears.

    But you do want to keep your Packing Key safe. Whoever has your Packing Key (ideally only you) has the key to unlock your data.

10 Trackbacks

  1. Passpack: Secure Online Password Manager » D’ Technology Weblog — Technology, Blogging, Gadgets, Fashion, Life Style.
    « [...] Filed under: Products & Services (- Betas) , Web Sites , Security, Flaws ... »
  2. Passpack Password Manager | The Privacy Guy
    « [...] For more information and further reading about Passpack check out the following links: Who is Passpack? Password and Packing ... »
  3. Passpack - Online Password Manager with Packing Key
    « [...] approved AES encryption over a secure SSL connection. The same architecture which enables Double Access Data Retrieval also allows ... »
  4. Passpack Your Passwords: Get Them Anywhere, Securely and Freely
    « [...] which is even available contextually when you click Help within the site. They handily have an answer about Packing ... »
  5. Passpack, la gestion de vos accès en ligne | Szdavid's Blog
    « [...] vous devez avoir 2 mots de passe [...] »
  8. Host-Proof Hosting « Passpack Blog
    « [...] particular, PassPack uses a two-step process that separates authentication and decryption: 1. The user enters User ID and Pass ... »
  9. How Passpack and OpenID can complement each other? « Passpack Blog
    « [...] Here’s the rundown – so we know that Passpack securely stores your username, links, tags and of course password. ... »
  10. Passpack Security Just As Strong With OpenID « Passpack Blog
    « [...] Even if your OpenID account is ever somehow compromised, your Passpack account will never be at risk because of ... »