Pass Phrase & Packing Key Requirements

Louise — Fri, 14 Nov 2008 14:59:47 +0000

Many of you have told us that the Pass and Packing Key requirement is too rigid. Ok, you speak and we listen.

We’ve now changed the minimum quality rating requirement to a minimum character requirement instead. The Pass now has a minimum requirement of 6 characters. And the Packing Key now has a minimum requirement of 8 characters.

This does NOT mean that now you should slack in security or creativity. It just means that, if you like, you can now use the Pass or Packing Key:

‘cho-co-late‘ instead of ‘chocolate ice cream is always better than vanilla’

This does not mean that we do not strongly recommend meeting the quality rating requirement for both your Pass and Packing Key. But if a high quality rating may be preventing you from using Passpack regularly and keeping your passwords safe, we prefer you secure your passwords.

If you want to change your Pass or Packing Key go to:

Settings > Account > Change Pass
Settings > Account > Change Packing Key

But remember – Long is Strong!

Security is always our top priority but we’ d like usability to be just as important.

Passpack Security Just As Strong With OpenID

Louise — Tue, 05 Aug 2008 15:04:30 +0000

Passpack’s recent announcement of soon becoming an OpenID supporter sparked quite a few questions. One of those questions in particular requires a post to be answered – “How will Passpack support OpenID and at the same time prevent phishing?”

Passpack has always dedicated itself to ensuring full user security and privacy and it always will. We thought long and hard before deciding whether OpenID was right for us and our users. We specifically have users choose long and strong Pass Phrases and Packing Keys to eliminate unnecessary risks, so why would we choose to support OpenID, an authentication system with quite a few publicized flaws? Because we will not compromise Passpack security.

How Can OpenID Be Considered Risky?

OpenID has a long way to go before becoming a standard in sign-on and some say an even longer way to go before it is considered a secure protocol. As an authentication system OpenID is gaining notoriety, but on a security level it’s being closely scrutinized. Issues range from traditional phishing attacks to those targeted more towards the OpenID users. (Here is an excellent demo of how a man-in-the-middle attack can phish your OpenID account.)

Some worry also lies in attacks such as DNS Poisoning or Cross Site Scripting or CSRF. If these are concerns, or if these terms are unfamiliar, it’s a good idea to go with some of the more well-known brands that usually have measures to bypass such risks.

Here are a few that we like here at Passpack because of their high security standards:

Passpack’s Safety Lies In The Packing Key

Even if your OpenID account is ever somehow compromised, your Passpack account will never be at risk because of that. How can we ensure this? – Your Packing Key.

If you’re an OpenID user, you will be able to access your Passpack account by entering your OpenID instead of the usual UserID and Pass Phrase. Luckily, there is one step you will not be able to avoid. Your personally chosen Packing Key will ALWAYS remain necessary to “unpack” the info in your account. It is the key to decrypting each and every single one of your entries.

And remember all the same rules apply – NEVER enter your Packing Key unless you see your personal anti-phishing message (it’s a good idea to set one up if you haven’t yet). Keep this in mind, but not to worry there will be further posts on this and other potential risks…

If anyone is interested in following and/or contributing to making OpenID safer this is a good place to start.

Passpack Blog » Packing Key

Pass Phrase & Packing Key Requirements

Passpack Security Just As Strong With OpenID

How Can OpenID Be Considered Risky?

Passpack’s Safety Lies In The Packing Key