Feb 17

We all live in the same world (well, most of us anyway) and we all have 20 different passwords at any given time. Some sites/services don’t allow more than 8 characters, others require at least 9 characters, some allow special chars and others don’t. It’s a nightmare trying to figure out a password scheme that works and allows you to use the same one across the board… And then there is the problem that using the same password everywhere means that if one is compromised then they all are. What to do? A password manager might be the answer.

There have historically been three main options for managing passwords with regard to the computer. First there was memory (not the RAM kind). That worked well for 1-3 passwords. Then there was the pencil and paper. This was a fail-safe method but had no security, could get lost or thrown out and eventually got dirty if you erased it too many times. Finally there was the computer. Using programs like KeePass and RoboForm, users could record their passwords in a secure, recoverable environment that never got dirty due to too many eraser marks on a piece of paper. It seemed like all the issues were solved but then the internet came and blew it all up.

How many times are you at one of your 15 computers and that one doesn’t have your KeePass container? You either have to guess/reset your password for that specific service (and then remember to update it later in your password management software) or you have to get to the computer that the password is on. In addition to that, you might not even have your computer available. Maybe it was stolen, lost or MIA (in transit with that pesky airline luggage). What can you do then? Recently a couple of new services have popped up that offer secure online password management that’s accessible from almost any computer. PassPack and Clipperz are both startups that are trying to fix the need for remembering too many passwords and other pertinent information. While you can check out PassPack’s “unbiased” comparison chart and blog entry to compare the two services, I’m just writing about PassPack today.

PassPack uses client-side (JavaScript) encryption to protect your information.  You set up an account on their servers, which store your encrypted file; that file is uniquely and securely encrypted (AES) with a pass key called your “packing key”.  While there are trust issues that have to be overcome when storing your information almost anywhere, the guys (and girls) at PassPack have been open and honest about what they’re doing and how they’re doing it.
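How client-side encryption keeps plaintext off the server, as an added example that is not PassPack's code and not part of the original post. It assumes PBKDF2-SHA256 key derivation and AES-256-GCM, and uses Node's built-in crypto module so it runs offline (in a browser the Web Crypto API fills the same role); the function names and sample entries are constructed for illustration.

```javascript
// Added example, not PassPack's code. Assumed design: PBKDF2-SHA256 + AES-256-GCM.
const nodeCrypto = require("node:crypto");

const KDF_ITERATIONS = 600000; // assumed work factor for PBKDF2-SHA256

// Constructed sample data, not real credentials.
const SAMPLE_ENTRIES = [
  { site: "mail.example.com", user: "alice", password: "correct horse battery staple" },
];

// Stretch the packing key into a 256-bit AES key. The salt is random but not secret.
function deriveKey(packingKey, salt) {
  return nodeCrypto.pbkdf2Sync(packingKey, salt, KDF_ITERATIONS, 32, "sha256");
}

// Client side: encrypt the vault. The returned record is all the server stores.
function packVault(entries, packingKey) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(packingKey, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), "utf8"),
    cipher.final(),
  ]);
  const b64 = (buf) => buf.toString("base64");
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ciphertext: b64(ciphertext) };
}

// Client side: decrypt a record fetched from the server.
// Returns null when the packing key is wrong or the record was modified.
function unpackVault(record, packingKey) {
  const raw = (field) => Buffer.from(record[field], "base64");
  const key = deriveKey(packingKey, raw("salt"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw("iv"));
  decipher.setAuthTag(raw("tag"));
  try {
    const plain = Buffer.concat([decipher.update(raw("ciphertext")), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch (err) {
    return null; // GCM tag check failed
  }
}

const stored = packVault(SAMPLE_ENTRIES, "constructed packing key");
console.log("server stores:", stored);
console.log("right key:", unpackVault(stored, "constructed packing key"));
console.log("wrong key:", unpackVault(stored, "guess"));
```

The server-side record contains only the salt, nonce, tag and ciphertext, so a breach of the storage service exposes nothing readable unless the packing key itself is weak enough to guess.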

In addition to offering its users an online storage area (while currently limited to 32k) for their information, PassPack has also unveiled some pretty neat features.  Their “1 Click” logon allows a user to add a bookmarklet to their browser, go to a page that they have saved information for and, with a single click (get it?), log into the site.  It uses JavaScript laid over the actual site and doesn’t use the clipboard to log the user in.  Pretty neat, huh?

Some of the new features that they’re coming out with are even more impressive.  The ability to share certain passwords securely with other users will be a big help if they want to break into the commercial/small business area.  Having the ability to share a password with a colleague on a temporary basis without emailing it to them or sending it to them via mail or the dreaded fax machine would greatly increase productivity as well as security (if they build it right, the end user would never even have to see the password with 1 Click logon).

While PassPack has a long way to go before they are accepted by most users or, better yet, the corporate environment, they’re on the right track.  The possibilities are endless with the configuration that they have so far.  Maybe encrypted document storage, better offline support or secure transmitting of information (like encrypted email) that cannot be broken by anyone (I know, a far-off wish).  What do you think?  Would you store your passwords online?  If they were encrypted?  What would a company have to do to prove to you that they were honest and could do what they said they could do?
