We're big believers in complex, hard-as-a-nut-to-crack passwords at Techworld, but that can mean amassing a telephone directory of 20+ character alphanumeric strings, each one different, each one changing on a reasonably regular basis, and each one impossible to remember.
The solution is to store passwords and user names in a secure database, but which program to choose? We've reviewed several in the past, all standalone applications that live on a single PC. The databases themselves can be backed up and moved to other computers, but this can be clunky and creates the obvious problem of replicating changes between machines.
Passpack is one of what we'll dub the ‘Password 2.0’ generation, the defining feature of which is their web-based design and automation of logins. Using a remote encrypted store for passwords solves the replication and backup issue because the store is accessed from any PC, and in the case of Passpack, cleverly, includes a desktop stub (built on Adobe's Air platform) for the times that a PC is unable to access the Internet. This works in parallel with the online account (more on this later), but can also be used without it, although that defeats some of its benefits.
The anchor of Passpack is the ‘packing key’, which is used to encrypt the entries using AES. This is created during a registration process that involves choosing a master password of 6 characters or more and a user name, followed by the key itself. Users are able to create weak ones if they so choose (you are informed of this), which seems rather forgiving. As the company stresses time and again, this key is known only to the user, and the data stored by the user is not accessible to Passpack staff.
Logging in to Passpack itself is straightforward and swift for the sub-100-entry database we tested it on, and the login page can even be customised with a user-chosen text message to confound phishing. Clearly, one of the weaknesses of using an online password system is the possibility of attackers attempting to fool users into entering their Passpack login on bogus web pages. The chosen message will only be seen on the correct site, in effect authenticating it to the user.
The database displays entries in list format - it would have been nice to be able to group them into categories - although it is possible to highlight important ones with a star icon. In common with the best password apps, each entry supports an automated login, which jumps the user straight to the web page or location to which it relates. Better still, with Passpack open, a user can automatically log into a site mentioned in the database simply by pressing an installed browser icon.
Passpack also allows for integration with a range of third-party logins, including OpenID, Google, Windows, Yahoo or Facebook. For anyone who currently uses scripts, Passpack might be worth it for these automation features alone.
By default, passwords in each entry field are greyed out to foil shoulder surfing, and the app will suggest better passwords based on the same key length, useful when changing keys from time to time. One especially good feature is that backups can be made using either the default packing key or a totally new one, keeping them secure even when sitting on backup drives.
The import/export function works well enough, and will suck in fields from several other password database apps, or just CSV or tabbed documents. It won't accept HTML imports but does allow this file type to be used to create exports. We encountered some problems getting it to accept the CSV we created from a third-party database, and it wasn't until we tried plain text using a rather crude cut and paste that we tasted success.
Passpack's main innovation is that it is primarily intended as an online password store, tied to a prodigious ability to automate the monotony of logging in to multiple sites, both of which give it an edge when set against standalone apps. For the sake of flexibility, it complements this with a desktop version, which allows the convenience of offline access.
The negative is that the two worlds are not integrated (the software is still beta, strictly speaking), and at times having to remember a user ID, a user password, and up to two separate packing keys can become a bit of a burden. Synchronising still requires that a password database is saved in CSV format and exported/imported. While adding a degree of complexity, a synch feature would solve this and does appear to be in the works.
Passpack, then, is part login store and part browser login helper, which acknowledges that people not only struggle to remember their passwords, but now use so many in a single session that simply logging in has become an impractical chore on its own. Anyone worried about keylogging on a public PC will also appreciate the disposable logins which can be generated and used on a one-off basis.
One issue with this ‘1 click login’ mode is that the software can't log the user out automatically, as it would normally do. If another person gains access to an unattended PC in this mode during a session, in principle they might be able to log in to any website in the database. For reasons that weren't clear, at times we also struggled to get the auto-login to work properly, but this might simply require more investigation.
All in all, however, Passpack is more than worth looking at for anyone with a growing list of passwords and logins, and nowhere to store them securely. Although still in a beta cycle, it holds great promise as long as you are willing to commit to it. Integration between the online and desktop elements of the software would be the welcome icing on this cake.
The service can be used free of charge for the first 100 entries, but on reaching three figures a pop-up asks the user to upgrade to a paid-for account costing 10 euros per annum (including a 5 euro discount), which allows them 1,000 entries. If anyone has that many passwords then paying under a tenner a year to keep them secure strikes us as a bargain.
It's worth mentioning one further use for the desktop version: if a user fails to log in for six months, the online account will be wiped. Having the desktop backup version would make it easy to re-activate this without re-keying entries.
When it becomes available, the best option for small businesses will be the Passpack server. Details are few and far between, but this will allow a managed repository for multiple users. Prices have not been confirmed.