Passpack: Web-based Password Manager

3rd Sep 2008

I've been taking a look at a service called Passpack, which is an online password manager product currently in beta.

Passpack allows you to store your passwords for online services on their servers so that you can access them from anywhere. OpenID is supported as a login mechanism, or you can use a traditional local username and password or another one of those ill-advised "enter your Google/Microsoft password into a third-party site" things. I kinda forgive them for the latter because they support OpenID; presumably if Google and Microsoft offered OpenID Provider service they'd switch to using that instead.

I'm sure I'm not alone in being immediately sceptical of any online service that wants to store my passwords. How can I trust them? Passpack's answer is what they call host-proof hosting: in a nutshell, the crypto is done in the browser and their servers only ever see encrypted blobs. You're required to create a passphrase, or a "packing key" as they've cunningly named it, which in theory only ever exists in your browser's memory. Once you've signed in (with OpenID, perhaps) you enter the packing key to decrypt your data locally. You still have to trust that Passpack won't at some point alter their client-side code to send your packing key or your decrypted passwords back to them on login; since the browser fetches that code from Passpack on every visit, this is certainly technically possible, and nothing in the host-proof model itself prevents it.

Passpack ran into an interesting quandary with their OpenID RP support: turning the tables on the usual OpenID phishing concerns, Passpack's model is vulnerable to an OP phishing the user. The OP sees every authentication request, so a malicious OP can detect that the user is logging in to Passpack and present a lookalike of Passpack's packing-key prompt to capture the user's passphrase, thus obtaining access to all of their passwords. Passpack can be commended for going to great lengths to mitigate this without hindering the flexibility of OpenID; after some consultation with users, they went with a whitelist of "trusted" OpenID providers and a warning, which the user can dismiss and continue if desired, if an untrusted provider is used. As a nice addition, rather than simply doing pattern matching on the claimed identifier, they do discovery and then base the trust decision on the discovered endpoint URL. This means that the common approach of delegating a personal domain to a hosted service like MyOpenID works with no warnings, while a lookalike identifier that merely resembles a trusted provider's does not escape the warning.

Some might argue that if a user can't trust his OpenID provider then he has bigger problems than it gaining access to one RP, but when that RP effectively holds the keys to much of the user's kingdom I can understand the extra caution. It is ultimately up to the user rather than each RP to make this trust decision, though; it is unfortunate that this approach considers a provider endpoint run by the user himself to be less trustworthy than a third party, when clearly the user would have the opposite opinion.

Their OpenID login form is similar to the "choose a popular provider"-type ID selectors appearing on many RPs, though they've gone for a very slightly different flow where the user enters their username and then clicks a service button to transform that username into an identifier URL for the selected service. The difference is subtle, but I think it has the advantage that the full OpenID identifier is right in the user's face rather than in a separate box. I would however suggest that the URL be presented in abbreviated form rather than normal form, so that for example users will see "" rather than ""; I think the former will look a lot less scary to end-users and will hopefully be more memorable. The transform from the abbreviated form to the canonical form is spelled out in the normalization rules of the OpenID Authentication 2.0 specification (section 7.2), so all decent RPs should accept the short format. The providers listed in the selector are apparently those on Passpack's provider whitelist, so users of these providers should get a good user experience.

My one closing observation is that it seems strange for a product that is useful only because users have far too many passwords to support a technology whose goal is to reduce the number of passwords each user has. I hope they know what they're doing! ;)


  • (comment with no subject)

    Nice article, I work for Vidoop so I am biased but I really like the OpenID / password management solution we have at

    myVidoop is an identity provider that integrates a browser based password manager ( ) that will store all your traditional logins and passwords. You can store your passwords locally or online with myVidoop. If you store your passwords on myVidoop then they are accessible from anywhere and you don't have to worry about maintaining a local database/file. We explain our database security here:

    I would be interested to hear how you think myVidoop compares to Passpack...
    By ext_105626 at 07:26 pm on 3rd Sep 2008
  • Thank you! (from a Passpack founder)

    Great analysis Martin. I really enjoyed seeing Passpack from an OpenID perspective. As a password manager, we tend to be on the fringes of the community, something of a taboo the word "password". ;)

    We had to consider an OP phishing attack as a possibility, because, well, we have to consider every possibility with Passpack. There were a few raised eyebrows though as you saw in the comments on the blog. We do have an anti-phishing welcome message that we suggest that everyone set up, and in the future we'll add an (optional) second factor authentication as well.

    On the abbreviated URL -- we'll definitely look into that.

    On running full force forward into the openid-replacing-passwords debate [smile] -- our ultimate goal is to make the web safer and less painless. I don't see why we shouldn't facilitate that if it's in our power. People have OpenIDs, people have passwords, people have pins, codes, numbers, and tons of other bits of data they'd like to keep safe. We let them do that.

    Thanks again. I hope we'll get some opinions in the comments.

    By ext_120725 at 04:19 am on 4th Sep 2008