Just for clarity’s sake, the idea only came into our heads because we were trying to keep consistent with level of security we like to offer Passpack users.

So What Is Our Take On the Issue Now?

We have decided that the OpenID providers that work well with Passpack will be presented on the Passpack Sign In Page.

*An important note – we have verified that logging in with a delegated name from one of these providers should be no problem.

But We Don’t Want To Limit You

As we have always stressed – your Pack is yours. Login with whichever OpenID you prefer but there are 2 things I would like to point out:

1. If you try to login to Passpack with any OpenID provider that has been submitted to PhishTank as a suspected phishing site, Passpack will warn you.

2. Even if you don’t see an icon for your preferred OpenID provider, you can still use it at your discretion by clicking the appropriate icon.

Let us know what you think!

We have linked to a few of the common threats OpenID poses and will talk more about them in the future. Now, I’d like to address one in particular, which has inspired this post and brought up a very important issue regarding Passpack’s support of OpenID.

Let’s have a look at the problem…

Here’s What Should Happen:

You type your OpenID into Passpack. Passpack directs you to a 3^rd party – your OpenID provider. Your OpenID provider authenticates that you are who you say you are and then redirects you to the Passpack Anti-Phishing Welcome Message Page. You verify your welcome message, click on the black box and then you are asked to type your Packing Key.

Here’s What Could Happen:

(*For all intents and purposes, we will call the Provider in this example “Malicious Provider”)

You type your OpenID into Passpack. Passpack directs you to a 3^rd party – your OpenID “Malicious Provider”. Your OpenID “Malicious Provider” realizes who you are and where you would like to login to – in this case Passpack. The “Malicious Provider” then redirects you to a fraudulent copy of the Passpack Anti-Phishing Welcome Message Page (so you would not see your anti-phishing message). Let’s say you somehow don’t notice that you’re missing your anti-phishing message or perhaps you have’nt set one up yet (set it up!) – so you click on the black box. Then you type in your Packing Key and in doing so you have just unknowingly given it to the “Malicious Provider”.

Always, always, always check your anti-phishing welcome message. It is there to protect you. If you do not see it immediately CHECK THE URL and make sure it is https://www.passpack.com. If either one or both of these do not match up, follow the steps on this page.

How Can This Risk Be Avoided?

First off, it’s important to emphasize that before creating an OpenID account, you should always do your research, check implemented security features, and if all this is not common practice for you – go with the brand you know.

It is probable that a single user will end up with various OpenIDs from multiple providers, some well known and some not.This is where things get tricky. With the growing number of OpenID providers, phishing scams are an immediate concern. It will become more and more difficult to understand the intentions of lesser known providers.

If you want to login to Passpack (or any site for that matter)  with a lesser known OpenID provider and that provider is actually a Phisher, you can find yourself in a difficult situation. (I by no means intend to imply that lesser known providers are Phishers. This is purely an example of a possible security concern and I use the lesser known sites as a prime example only because it is more difficult to verify their credibility.)

Passpack’s Question To You

Passpack has decided to create an OpenID Whitelist (which we are still putting together). This means that we will only be accepting OpenIDs from certain providers. We know this may be an inconvenience to some of you, especially if you are using an alias OpenID, a work administered OpenID or just an OpenID that you have created for yourself.

For example, if Francesco were to try to login to Passpack with his OpenID openid.sullof.com/me, he too would be denied. So the question is:

UPDATE: Some great ideas in the comments. Keep them coming!

Passpack has always dedicated itself to ensuring full user security and privacy and it always will. We thought long and hard before deciding whether OpenID was right for us and our users. We specifically have users choose long and strong Pass Phrases and Packing Keys to eliminate unnecessary risks, so why would we choose to support OpenID, an authentication system with quite a few publicized flaws? Because we will not compromise Passpack security.

How Can OpenID Be Considered Risky?

OpenID has a long way to go before becoming a standard in sign-on and some say an even longer way to go before it is considered a secure protocol. As an authentication system OpenID is gaining notoriety, but on a security level it’s being closely scrutinized. Issues range from traditional phishing attacks to those targeted more towards the OpenID users. (Here is an excellent demo of how a man-in-the-middle attack can phish your OpenID account.)

Some worry also lies in attacks such as DNS Poisoning or Cross Site Scripting or CSRF. If these are concerns, or if these terms are unfamiliar, it’s a good idea to go with some of the more well-known brands that usually have measures to bypass such risks.

Here are a few that we like here at Passpack because of their high security standards:

Passpack’s Safety Lies In The Packing Key

Even if your OpenID account is ever somehow compromised, your Passpack account will never be at risk because of that.  How can we ensure this? – Your Packing Key.

If you’re an OpenID user, you will be able to access your Passpack account by entering your OpenID instead of the usual UserID and Pass Phrase. Luckily, there is one step you will not be able to avoid. Your personally chosen Packing Key will ALWAYS remain necessary to “unpack” the info in your account. It is the key to decrypting each and every single one of your entries.

And remember all the same rules apply – NEVER enter your Packing Key unless you see your personal anti-phishing message (it’s a good idea to set one up if you haven’t yet). Keep this in mind, but not to worry there will be further posts on this and other potential risks…

Folks are often frightened away by reading uninvited technical explanations. They underestimate themselves, hear cryptography and host-proof hosting and think – “oh no, that’s too hard! run – run!”

We have therefore introduced a simpler (less scary) lexicon. Instead of talking about encrypted data, we talk about your locked Pack. Instead of 256 bit encryption keys, we call it simply the Packing Key that unlocks your Pack.

But if you’re one of those people that want to understand more – Great! We’re more than happy to give you that information.

A Look Under the Hood

Host-proof hosting is a public security pattern that allows Passpack to harbor your data without the company being able to access it. The information that passes through Passpack is encrypted and untraceable; nobody can see the data – not even Passpack.

By hosting sensitive data in encrypted form, only the user’s client can access and manipulate it. A typical client is an Internet browser with Javascript enabled but may also be a browser plugin, Java applet or installed software.

Once the user chooses a packing key (the encryption key used to encrypt his/her data), this packing key is never transmitted to the server. The server is limited to housing and retrieving whatever encrypted data the browser sends it. All encryption and decryption takes place inside the browser itself. When on the server the information is never in its unencrypted, visible form.

Login With Host-Proof Hosting

Host-Proof Hosting must be implemented with client-side technologies supporting non simultaneous data exchange between client and server, such as Javascript/AJAX, a Flash object or a Java applet.

In particular, Passpack uses a two-step process that separates authentication and decryption:

1. The user enters User ID and Pass to log into his account. The server receives this and authenticates the user, returning the user’s Encrypted Data (the Locked Pack).

2. The user inserts the Encryption Key (Packing Key) which is then temporarily stored in the browser’s memory (it’s not written to disk, or stored anywhere else) and will be used to decrypt the Encrypted Data.

It’s also possible to manage a one-step login in Host-Proof Hosting, but by using the two-step process Passpack is able to build in additional services like anti-phishing (which is inserted between the two steps) as well as provide customer support.

The Importance of Encryption

You could be wondering “OK, then what if a hacker gets a hold of the Encrypted Data, would he be able to crack the Encryption Key?”

User data is encrypted with the AES-256 algorithm. Each user’s data is encrypted separately (because each user has chosen his own secret Encryption Key). The strength of the Packing Key determines the strength of the algorithm, the longer the Key the longer it will take to crack it.

It could take upwards of 149 trillion years to brute force a 256bit Encryption Key.

Passpack requires users to choose a Packing Key at least 80bit (comparable to a typical SSL 1024bit certificate). Why not require a 256bit key, or even 128bit? Well, simply put, if the requirement is too high, people complain and usually give up.

Of course, we would be delighted if each user chose a 128bit (or higher) Encryption Key. Coming up with such a length is not too complicated, you can see it yourself if you type in a password into the password field in your entry window. The quality rating at the bottom indicate the bit encryption.

What all that means is: even if a hacker were able to come into possession of all the user data, he would not be able to read or use any of it. It’s all encrypted and every user has a different key that would need to be “guessed” separately – that’s up to 149 trillion years each, depending on the length of each Key.

The main element of Host-Proof Hosting is that the Encryption Key is not known on the server. The provider or host, in this case Passpack, has no way of decrypting the data.

More Definitions & Links

Wikipedia: en.wikipedia.org/wiki/Host-proof_hosting

Ajax Patterns: ajaxpatterns.org/Host-Proof_Hosting

Richard Schwartz: smokey.rhs.com/web/blog/PowerOfThe…

Yedda Answer: yedda.com/questions/Host-Proof_…

Host-Proof Hosting Library (MIT/LGPL): http://code.google.com/p/passpack/

Updated on Aug. 1, 2007

A quick recap

The Passpack It! button will automatically log you into a website listed in your Passpack account. Unlike browser specific plugins, the Passpack It! button will work regardless of what browser you are using. In essence, it’s a hyped-up Bookmarklet.

Is the button user specific?

Yes. Only you can use your button. Someone else’s button won’t work for you, you must use your own.

You can install it on as many computers as you’d like. There are no limits. You also have the option of activating, or deactivating, all of your buttons worldwide.

Will Passpack track what sites I connect to?

No, we’re not interested in your browsing habits. The button works off a common database that stores the URLs of recognized websites and their relative structure. The database enables the button to know how to log in to a specific website – no information on who visits that link is stored.

For security purposes, we need to be able to track down anyone who attempts to abuse the system. To help us do so, we store information that may help us identify the account that registered Passpack the site using the teaching process. No data is saved however, on those who simply visit the site, or login to it. Teaching is optional.

Can I use it without opening Passpack?

No. You must click on either the Go There button in your Passpack Entry, or the Go gutton in your password manager list (more info here). Doing this sets off a complicated process (see next question) which will allow the Button to work only for the specified website, and only for you.

How does my data get to the website?

It’s a very sophisticated process, with a bunch of twists and turns to keep hackers out. I’ll outline that process here for you to give you the general idea, but know that this is a highly simplified explanation:

1. You click through to the website from your Passpack account. Your browser makes an encrypted mini-pack and sends it, together with the URL for the website, over HTTPS to the Passpack server.
2. The Passpack server temporarily saves this and attaches a 100 second timer to it – like all of your data, not even Passpack staff can read it.
3. Simultaneously, but in a totally separate process, the link is opened in a new browser window – not directly though, first it passes (via HTTPS) through the Passpack server which does a little obfuscation so that the receiving website doesn’t know you clicked through from Passpack, let alone an open Passpack account.
4. Nothing else happens at this point unless you click your Passpack It! button. Once you do, a bit of Javascript is inserted directly into the webpage that you want to log into. There is an exchange with the Passpack server (via HTTPS) and if the URL is activated and the 100 seconds have not expired, then it gets the encrypted mini-pack and the instructions on how to fill in this particular website’s login form. Using Javascript, the button fills in and submits the form for you.
5. From here, the website takes over as it normally would, acting exactly the same way as if you had manually typed in your user and password and pressed “log in”.

Technorati Tags: Passpack, password manager, passwords, login, identity, lifehack, bookmarklet, autologin

Passpack’s anti-phishing solution is made up of three parts: a custom Welcome Message, IP recognition and hand-eye training.

Above, “gobble” is the User ID, and “do you always sound like a turkey?” is the Welcome Message

First and Foremost, Get Set Up

We’ll go over how the anti-phishing works in a moment, but first you might want to set up your personal Welcome Message. Just sign into your account as usual, click on the Security tab, then the Welcome Message link and follow the on screen instructions. It’s easy, read this article.

Now, onto how it works….

1. Personalized Welcome Message

You can decide how you want to be greeted when you sign in. This way you can make sure you’re connected to Passpack – and not to a look-alike, fraudulent website. You will see this every-time you sign in, so choose something that makes you smile, but also something that is personal to just you, maybe use some creative punctuation.

Unlike your Password and Packing Key, you don’t have to remember this, you just have to recognize it when it’s shown to you. So have fun!

2. IP Recognition

To further enforce this, Passpack only shows the Welcome Message to certain IP address. An IP address identifies the internet connection with which your computer is connected to the internet. Usually, you will only have a few of these, and you can activate as many as need be. So even if the phisher takes your newly acquired User ID and Password and tries to login to the real Passpack to read your welcome message – he won’t see it.

3. Hand Eye Training

Right after you sign in, and right before entering your Packing Key, you will see a rather ugly page with your Welcome Message, and eight squares, and a bunch of instructions.

Yes – we know it’s ugly, even a bit annoying, but that is precisely the point. You are forced to stop, look and find the black square to click on. While you are doing this, your eyes will get used to seeing your personal welcome message written above. You may not realize it, but you are training yourself. After a few days of using the Welcome Message screen, you will notice immediately if something changes.

How It All Works Together

Phishing is a technique of creating look-alike websites that trick you into inserting your User ID and Password. But what phishers can’t do, is guess some zany greeting that you’ve set up for yourself, and is attached to your IP address. It becomes impossible to truly make a copycat site. And since you’ve trained yourself to notice as soon as something is different – you’ll notice a copycat site from a mile away.

I know what you’re thinking: “What’s the point if I have to sign in? If it were a phishing site then they’d get my User ID and Pass anyway.” Yes, they would. But not your Packing Key. Without your Packing Key, they can’t get your passwords. No two ways about it (more info about the Packing Key).

Some of you may be thinking, “But if they have my User ID and Pass, then they can sign in and see my Welcome Message and reproduce it back to me in their phishing site.” That’s why we’ve added IP recognition. An automated phishing system will not have the same IP address as you do, so even if they partially sign in to your account, they won’t see your Welcome Message, and therefore can’t copycat it.

They will be forced to show you the default (not personalized) message, or skip the ugly Welcome Message screen altogether in the hopes that you don’t notice – and that’s why we use hand eye training. So you do notice. So be alert, protect yourself.

What if you don’t see your Welcome Message?

First, don’t panic. Stop, and look and see if you are connected to https://www.passpack.com (be careful of artfully similar domains like passspack.com). If the domain is correct, it’s just a false alarm.

If the domain is not correct, do not type in your Packing Key (if you already have, continue following these instructions anyway). Now, open a new browser window, manually type in https://www.passpack.com – stay calm, make sure you’re not mistyping – and sign in as usual with User ID, Pass and Packing Key.

Click the Account tab, then Pass. The screen that appears will allow you to change your Password to something new and very different. Do that. And PLEASE remember to write down your new Password.

Now you’re safe. The threat is gone.

If you are unable to complete the steps above, you should report an account theft immediately.

Can there be any false alarms?

Yes. If you don’t see your Welcome Message, it may also be that your IP address has changed. This is fairly normal, and may happen from time to time. If it happens frequently, you may simply select the “activate subnet mask” option in the Welcome Message section under the Security tab.

However, by following the steps above, you’ll have gone a little out of your way if it was just a false alarm – better safe than sorry.

Ready to get it set up?

Read this post for step by step instructions.

I just chose a User ID and Pass,

why do I need a Packing Key too?

At first glance the Packing Key may seem like a bit of a hassle. After all, Passpack is supposed to be a place to store your passwords so that you don’t have to commit everything to memory. So why the “extra” code? Why the Packing Key?

The short answer is: Double Data Security.

Unlike other Password Managers, Passpack uses a two-step access technique. Your User ID and Pass give you access to your Account. But the Packing Key is needed to actually access your data.

The “Pack” in Passpack comes from that bundle of locked up your passwords inside your Account. This way we can check your User ID and Pass when you Sign In, without exposing your passwords.

You unpack your passwords in your browser, and you pack them back up in your browser. Your Packing Key never travels over the internet. And it certainly never gets saved to our server.

Only the locked Pack gets sent to the server for safe storage. For good measure, it gets sent over a Secure Connection.

That’s a lot of extra protection in one little Packing Key. We thought it was worth the hassle.

Technorati Tags: Passpack, password+manager, encryption