If you’ve downloaded Passpack Desktop and like it, we’re glad to hear that. If you haven’t, here are a few tips and tricks on how to make your Passpack Desktop more than just a password manager.

1. Back Up And Read

Passpack has always let you make backup of your passwords. Just go to Tools > Backup Your Account, continue the process and you have an encrypted backup of your Passpack.com.

But what do you do with backups?

Most people have them set aside (as backups) in case they ever need to restore their Passpack Account. But there is one other option…

What if you don’t necessarily want to restore your account but just take a peak into the past at one or two old passwords?

Since you can create as many Passpack Desktop accounts as you like, go ahead and set up separate one, choosing another User ID and Packing Key — et voilà — you have just created yourself a backup reader.

2. Its Freedom Is Limitless

Let’s say you have 108 passwords in your online account (as opposed to the 100 password limit) – Passpack Desktop has more than enough space for those extra 8 passwords! Now you could just create another online account, but who wants to remember two Packing Keys? In Passpack Desktop, space is limitless.

Of course we wouldn’t mind if you went Premium once we introduce paid upgrades, but if you have under 100 passwords and aren’t looking for fancy features, Passpack Desktop may be the right fit for you.

3. Share And Share Alike

As personal as passwords are, some of them (sometimes) are shared. You may find yourself working with others on a project which requires the joint use of accounts. Your spouse/children/family and yourself very likely have web accounts in common in which you share the same password. It can be unavoidable but it doesn’t have to be unmanageable.

We realize that sharing is important and it is something we are working on but for now, here’s a neat trick that can help:

First, set up an account at Passpack.com and share it amongst yourselves. Add ONLY the necessary shared passwords/info.

Then, each person downloads a copy of Passpack Desktop and can sync all the online passwords/info to the desktop application itself.

So how is this different from just sharing the online account?

When you need to add or make chages to the shared online account, each Desktop can sync from web to client with just a click. Since Passpack Desktop is well…on your desktop, whatever else you add to your account is yours and yours alone.

So make some space on your desktop, because there’s a new software in town and it’s just waiting to be installed. Feel free to let us know of any other Passpack Desktop tips or tricks of your own.

Traditional methods of keeping lists and writing things down will always remain tried and true but all too often, fail the real test of time (-saving).

[youtube=http://youtube.com/watch?v=Zjc7syolpOE]

Organization! Organization! Organization!

Simply put: password managers help organize all of your accounts, safely storing them in one place so you never have to go searching through drawers or papers every time you want to login or sign up for a new account.

Here’s the best part – you only have to remember ONE Pass (phrase) and ONE Packing Key to access it. Your memory will thank you.

Once in your Passpack account, you’ve got all your passwords alphabetized and all your account needs with a touch of a click… 1 Click to be precise.

1 Click Login

So you’ve got your passwords saved in one neat little place but what happens when you come cross a site that you want to login to while browsing? Passpack has made this easier than you may think.

Just activate your auto login and from then on, any account info and password stored in Passpack can be used by just clicking your Passpack It! button.

And you can keep doing this with every other account you have stored.

How much time will this save you? A lot.

Password Generator

Now you may be thinking…“Well I still have to go through all of the trouble of creating passwords”. You don’t. Passpack offers a password generator which creates unique passwords for each of your accounts.

Click to choose the letter/number/capital/symbol combination to meet the website’s password requirements. Now that’s easy.

Security

A secure password manager may not de-clutter your work space but it will surely de-clutter your mind of unnecessary worries.

Passpack offers host-proof hosting sending only encrypted (on your own browser) data to the server. So you don’t need to worry about any of your sensitive data getting into the ‘wrong hands’, giving you peace of mind while browsing your accounts.

Technorati Tags: Passpack, password manager, passwords, security, lifehack, gtd, getting things done, productivity

Thanks to Louise for writing this article – Welcome aboard!

One of the more ingenious ideas I’ve come across is David Bradley’s Passwords for Scientists where he proposes using the molecular formula for various pharmaceuticals.

However, most of these home grown formulas, are all some variant on the same theme: take the first letter of every word in a song/title/quote/sentence, mix up the upper and lower case letters, throw in some numbers and perhaps add the a prefix representing the website name.

… folks, this is not as safe as you would think. Really, it’s just not.

The Proof is in the Password Pudding

Roger A Grimes launched this password hacking contest a few months ago. Here’s Roger’s theory:

I proposed that shorter, so-called “complex” passwords were easier to break than less complex, longer passwords. I know this to be true because I frequently password crack for a living, and I know that most people’s “complex” passwords aren’t really that complex. When told to pick complex passwords, 80% of all end-users will use the same complexity tricks. [my emphasis]

Yup. I didn’t run the contest, but I can surely say this is true in my experience from reading blog posts and comments.

The contest gave out three passwords hashes, and guess which one was cracked first?

“S10wDr1v3r” was cracked six months before “myengagingwives“.

Does S10wDr1v3r look like any of your passwords? If so, it might be time to change to something longer.

But why do all that work?

I know everyone hates passwords. I do too. We all do. Passwords are so hated that “password fatigue” is now considered a syndrome!

So, if you hate passwords – why spend so much time making them up? Why apply so much of your creative energy inventing a password that will be no more complex than the ones that 80% of all end-users will use?

Think of all the time and energy you could save by just forgetting about your passwords. Yes, I said forget them. Free up your memory. Take all those password and stick them… ehem… in a password manager.

Choose, and use, a Password Manager

Once you have a password manager, you can pack up your passwords away in there, forget them, and look them up whenever you need them.

See? Isn’t that much easier?

Of course, you’ll need a master Pass (and Packing Key) and you’ll want to pick something nice and strong. I know, I know… but consider it the last and final necessary password evil.

Here’s a tip: pick a sentence and use that. This is called a pass phrase. It’s just a sentence. A plain and simple sentence with spaces and punctuation. As Roger’s password hacking contest has shown, the longer the better.

Hippity Hop, the rabbit ate the carrot.

That’s a pass phrase. It’s easy to remember and 39 characters long (and strong). Some more examples here.

So Get Packing

If you’re ready to start packing up those passwords, follow the instructions for Getting Started with Passpack.

If you have any problems whatsoever, just let us know. We’ll do what we can to help.

Technorati Tags: Passpack, password manager, passwords, security, lifehack, web2.0, tips

OpenID = public authentication
Passpack = private, secure storage

You can see right off the bat that these two technologies supply different, though very complimentary, services.

Granted, here at Passpack, we’re also releasing an auto-login tool (yes, it’s coming) that pushes us into the realm of authentication as well, though that’s not our primary function.

Actually, we’ll be introducing various new and exciting features that will push us into various different realms, but Passpack will always be private, secure storage at heart.

A Non-Ideal World

Alas, there will always be places OpenID can’t log you into. In fact, a major challenge facing OpenID is an excess of providers (folks that give you an OpenID, like AOL and WordPress) and a lack of consumers (sites that actually let you log in with OpenID).

All the logins and passwords for non-OpenID sites will still need to be kept secure. You can do that with Passpack.

Not Just for Passwords

There are an infinite amount of codes, registration numbers, software keys, frequent flyer miles, order numbers, confirmation codes, pins, etc that need to be safely stored and organized.

None of those things can be handled by OpenID.

However, all of those things can go into a Passpack account.

Security and Phishing

OpenID has no innate security. It was built to solve the problem of authentication, not security. For example, Phishing is a major problem for OpenID users, and providers are not required to use HTTPS (though most thankfully do).

Right now, a bunch of services are sprouting up around OpenID. That’s great news! But just remember, it’s up to these services to build security layers on top of OpenID. So choose your OpenID provider wisely – make sure they offer HTTPS and some sort of anti-phishing mechanism. MyOpenId is a viable option.

Starting All Over Again – Multiple OpenIDs

OpenID aims to reduce the problem of “too many logins”. Fabulous! …um … but … I already have more than one OpenID. I now need to remember (and protect) these too.

Guess where my multiple OpenID’s went? Yup, straight into my Passpack account. Just tag them “openid” and they’ll be easy to find.

Will Passpack Ever Support OpenID?

Yes. Signing in with an OpenID has been in the pipeline for a while now, and will be added in one of the upcoming releases. I know, I know… I can hear your thoughts right now:

“You just said how unsecure OpenID is, and now you say you’ll support it?”

Yes, remember – it’s up to services that use OpenID to build in security layers. Passpack can do that. It’s got anti-phishing built in already and, thanks to the Packing Key, should your OpenID account ever be compromised, the pack inside your Passpack account would still be locked up with your Packing Key.

Now the Million Dollar Question…

How many of you would actually want to sign into your Passpack account with OpenID? And how many of you that don’t already have a Passpack account would sign up for one if there was OpenID support?

What you say counts – especially when we sit down to review the release schedule. So let us know your thoughts.

Technorati Tags: Passpack, password manager, passwords, security, lifehack, openid, login

Comparison table and features descriptions of two online password managers. Updated with the release of Passpack’s Beta5.

Like Passpack, Clipperz is an online password manager and personal vault. The crypto foundations, and general architecture of the two applications are fundamentally the same: A blend of industry standard algorithms, including AES-256, in a Host-Proof Hosting pattern. This combination ensures that the users data can’t be read on the server.
.
The primary difference in the two architectures is that Passpack uses a double access technique. Beyond just User ID and Pass, we’ve added an additional Packing Key. This structure allows us a great deal of flexibility in handling our algorithms, and without which our anti-phishing pattern would not be possible, nor our “remember me” feature, nor many more to come.

Anti-phishing

Clipperz has no anti-phishing measures in place.

Passpack has defined an Anti-phishing technique that combines a custom Welcome Message, IP recognition and hand-eye training.

“Remember me” (with anti-phishing)

Clipperz encrypts with your password, thus can’t “skip” that step.

Passpack encrypts with the Packing Key, so you can skip User & Pass if you’d like.

Account Rollbacks

This is an important distinguishing feature. Passpack maintains a backup copy of your most recently saved pack – encrypted of course! Should you change (and promptly forget) your Pass or Packing Key, then we can restore your most recent backup and let you access it with your previous Pass or Packing Key – you need to remember at least that. It’s a real life saver!

Clipperz doesn’t perform Rollbacks.

Passpack can perform Rollbacks under certain conditions, read more here.

Checksums

As mentioned, we’re a bit skeptical on how useful a checksum could be in an internet context. Here’s why: I must go to Clipperz’s home page to see the values that my checksum should be producing. However, if I am in a phished version of Clipperz, it’s a moot point because the phisherman can falsify those values as well so that they match his spoofed version.

In theory, the user could circumvent this problem by saving a copy of the checksums from the homepage, then comparing the application to this local copy every time he connects. This would only work, however, if the Clipperz application has not changed in the meantime.

I just don’t think anyone would really do that – always, every single time, many times a day.

Clipperz uses checksums.

Passpack debates the usefulness of checksums, nonetheless has implemented them for the offline version only.

On-screen Security Features

Caution needs to be taken to hide sensitive information from passer-bys particularly in an Internet Point or open space office. This may include simple measures like scrambling the password field and locking the application manually, or automatically when left unattended. Also a password generator is a useful tool to break the password reuse cycle, as well as a pass strength tester to check the quality of your passwords.

Clipperz has most of these features, except auto-locking (manual locking only) and your password list is visible even when it’s “locked”.

Passpack has all of these features, all data is completly removed from the screen and memory when locked (either manually, or automatically).

Disposable Login (also known as OTP)

A Disposable Login is a set of Pass and Packing Key that can only be used once, then never work again. This is useful when you must connect to your Account from a public computer. Even if the Disposable Login is recorded and saved by malware, it will be useless and your real Pass and Packing Key will remain completely secret.

Clipperz has recently added Disposable Logins.

Passpack supports Disposable Logins.

Data Portability

Another differentiating point is data portability. Clipperz’s previous lack of an export feature potentially lead to a vendor lock-in, they’ve now added import and export. (Good job guys!)

Clipperz supports import, export and Printing.

Passpack allows you to freely Import, Export, Print, Backup and Restore your data.

Working Offline

Passpack can be used in Offline Mode as well as with an Offline Version. For example of what offline mode is: suppose I connect to Passpack on my laptop. Once I’ve logged in, I can disconnect from the internet, put the laptop in standby and leave for the day. As long as I keep Passpack open in a browser tab (or window) I can continue to use Passpack – no internet connection needed. When I get back online, I can press the Save All button and all my changes will be saved.

Clipperz must have an active internet connection in order to work. However, they offer a fully functioning downloadable version for offline use – this is in read only and you can’t make any changes.

Passpack has also released an Offline Version. It runs on Google Gears, is fully functioning (ie. not read only) and is a Google Code Featured Project. Synchronization with online accounts is planned.

Clipperz has a downloadable Offline Version, you can’t make changes.

Passpack has a downloadable Offline Version, changes are fine, and will also work in Offline Mode.

Custom Fields

Passpack opts for speed, Clipperz for advanced templates. Clipperz allows you to create your own “card templates” which may include any number of custom fields. Once open, you can fiddle with many different fields, options and buttons. Passpack uses a simplified approach with no extra clicks – just open, fill it out, and save. There have been a lot of requests forcustom fileds for Passpack — it’s being considered, but no final decision is in yet.

Clipperz requires two clicks and some choices before entering any data, higher customization.

Passpack uses a one-click Entry window, for speed and a lower learning curve, lower customization.

Navigation

What happens when you have 50+ entries and need to find something quickly? Personally, I have over 200 entries in my Passpack account, so I find that the feature I use most is the Quick Search. I just type in a few letters and the list filters my entries in real time. I don’t think I could manage without it.

Clipperz lists all entries on a long, scrolling page.

Passpack has three powerful navigation tools: Alphabetical Paging, Quick Search and Tagging. You can also set the number of rows in your list.

Auto-login

Both systems offer auto-login. Clipperz’s “Direct Login” posts forms to websites. They use a bookmarklet to help you capture the information needed to configure a new Direct Login. The configuration process requires some copy and pasting and must be done singularly for each and every “card” in your account. A description can be found here.

Passpack offers a single tool (a bookmarklet) for both auto-login and configuration. The tool can be used in either standard or 1 Click mode. Teaching Passpack a new auto-login is a very simple process: just point-and-click. A common library of “learned” sites is populated by the users themselves, and is available to all – saving users lots of time. Passpack’s technique supports a wide variety of login forms, which Clipperz’s approach simply can’t cover.

Clipperz’s auto-login is one click from the sidebar, one at a time configuration required.

Passpack’s auto-login is 1 Click while you surf, configuration is fast and often not even necesary.

Summing up

Really, the choice is yours. The two systems offer much of the same base level security. We can say that both services offer these same benefits:

• Free with Open Source Libraries.
• Access anytime from any computer.
• No software to download and nothing to install.
• Avoid keeping secrets on your PC or on paper.

In addition, and I personally feel this is important, Passpack offers Anti-phishing.

The primary difference lies in ease-of-use and target audience. Passpack employs a click-and-go philosophy and can be used by the average person, while Clipperz targets the more advanced user, requiring a larger learning curve to get up and running: no import function, building cards with custom fields and manually pasting in the auto-logins. However, I’ve heard of some people that prefer Clipperz’s approach – so who am I to really judge?

My suggestion would be to try both for a while and see which feels better to you. Afterall, accounts are free and easily deleted.

In the end, the only truly important thing is that you choose – and use – a password manager.

Of course, I’m thrilled if you choose Passpack, but even if you don’t, Clipperz is a well built application and a valid alternative.

A Note
I did my best to be objective and accurate in this post. As always, corrections and suggestions are welcome. You can write me directly or post a comment below.

Technorati Tags: Passpack, password manager, passwords, security, lifehack, clipperz

Here’s the problem as Billy puts it:

“… you are unable to use the same complexity for your passwords to various sites. Hence the reason why sites always have the “I forgot my password…” option prominently available on their log in page. It’s because people, myself included, can’t remember all of these damn usernames and passwords.”

And here’s his solution:

“I recommend that there be a strict, yet reasonable, username and password standard that all sites support and recommend.”

Hm, that’s a pretty good idea: a standardized password policy.

Yes, we all know using a password manager (like Passpack – shameless plug!) will take the burden off remembering all those passwords. But abiding by an openly defined standard would certainly help raise the security bar on many sites which now have lackadaisical password rules.

Just something to think about while you await the new Beta 4 release of Passpack – 2 days left! The Beta 4 release is online. Sign up for Passpack here.

Tags: Passpack, password manager, passwords, security, lifehack, standards, password policy

Offline Password Managers

These are desktop applications that you download and install on your computer (browser plug-ins would also fall into this category). The primary problem with offline password managers is that they are not available anywhere outside your computer (or your browser). The desktop applications are often light-weight and many people choose to solve the portability problem by keeping a copy of the software and data file on a USB drive that they carry with them – this is not possible for browser plug-ins.

Pros:

• Your data never has to leave your computer
• Your data may be kept on a USB drive (if you have one) for portability

Cons:

• Not available outside your computer (unless you use a USB drive)
• When using the USB drive, syncing issues arrise
• The USB drive may get lost, stolen or dropped in a puddle
• You may not always be able to insert your USB drive on public computers or mobile devices

Products:
There is an abundance of this type of application.

ONLINE Password Managers

There is nothing to download or to install, no syncing necessary. By nature, online password managers solve the portability issues associated with the desktop applications. Needles to say, being available over the Internet, extensive security measures need to be in place. The first (successful) service in this field was/is Agatra.com. However, a new wave of online password managers has added another layer of security to the Agatra model which is known as Host-Proof Hosting.

In a nutshell, that means that your data is encrypted on the server in a way that not even the Host (ex. Passpack) can read it, break it, crack it or do anything other than just delete it.

Pros:

• Your data is available wherever there is an Internet connection (including mobile devices)
• No need for USB drives or any software installation
• With Host-Proof Hosting, the key to your data is never sent over the Internet

Cons:

• You need to trust the service and its reputation (Passpack and trust)
• You need an alternative when there is no internet connection (Passpack offline version)

Products:
Here is a frequently updated list of Online Password Managers that employ Host-Proof Hosting (that is an outside link – often their server is slow, sorry).

About Passpack

Passpack is an online password manager and 1 Click Login for people who travel or change computers often. Unlike offline password managers, Passpack is available 24/7 via internet, nothing to download or install.

Think of Passpack as a password manager, automatic login and personal vault all in one. With Passpack you can quickly login to websites, as well as organize and store logins and private notes. Save up to 100 entries for free!

Technorati Tags: Passpack, password manager, passwords, security, lifehack

… then I’ve got another question for you:
You sure about that?

Let’s look at who would not need a password manager:

1. People with less than three passwords (usually not Internet users)
2. People with more than three passwords and a fantastic memory

I know what you’re thinking – you think I forgot:

3. People who use the same passwords for everything
4. People who use some sort of nifty and (supposedly) fail-safe formula

Sorry to disappoint you, but those are the very people that need a password manager – and pronto!

The Big, Scary News

I recently came across a fabulous article by the authors of PRTK – a “password guessing program”.

Say a a hacker, let’s call him Mr. Nasty, wanted to break into your webmail account. In order for PRTK to work Mr. Nasty would need to have a copy of your login data (he might be able to get this by stealing it off of an encrypted cookie in your browser). Then he’d set PRTK to work, go out for a coffee, and come back later to see if the password has been guessed.

As Bruce Schneier puts it:
“So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like ‘letmein’, ‘password’, ’123456′ and so on. Then it tests them each with about 100 common suffix appendages: ’1′, ’4u’, ’69′, ‘abc’, ‘!’ and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.”

24 percent of all passwords!! In a matter of minutes.

Does this apply to you?

Of course, PRTK doesn’t work every time: if your password is “strong” enough, and the program you use is built well enough, than Mr. Nasty is out of luck. But how strong is your password really?

Raise you’re hand if you use some combination of names of people or animals in your family and tack on a number or two for good measure. And how many of you use simple substitutions like ‘$’ for ‘s’, ’3′ for ‘e’, ’0′ for ‘o’?

Ok, if your hand is raised – you should know that “Eric Thompson estimates that with a couple of weeks’ to a month’s worth of time, his software breaks 55 percent to 65 percent of all [those] passwords.”

55% – 65% of the time!

Why little ol’ me?

You see, re-using the same passwords (or formulas) over and over again is very dangerous. But most folks think:

“Why would anyone want my passwords anyway – I’m nobody special.”

Mr. Nasty isn’t concerned about your social status – he just wants access to that juicy list of contacts in your webmail account.

Or worse, he can click the “lost password” link at your bank, have it sent to your email, then READ that email, login and wipe you out. (though I hope your bank doesn’t really use such a system)

That’s not very fun.

Or what if you use some variation of that same password for your bank account? Mr. Nasty doesn’t care how rich you are either: even if he get a few hundred bucks off each person… times the amount of passwords he’s cracked… it’s worth his effort to try.

So what to do?

1. make strong passwords – (here’s how)
2. don’t reuse them – (even the UN says it’s a bad idea)
3. Can’t remember all that nonesense? get a password manager

(Ok, I admit, Passpack is my favorite Password Manager, but there are plenty of others out there, and you should always shop around. And only choose someone who inspires your trust.)

Technorati Tags: Passpack, passwords, password manager, security, Bruce Schneier