1. Most likely, the bad guy is not targeting you, and doesn’t have time to try your specific combination algorithm on your specific password. They’ll just use the list to brute force their way into as many accounts as they can, and ignore the rest. Variations are not that bad.

    For significant sites, a password management tool would allow you to use long cryptic passwords that are hard to brute force, but also impossible to remember, and let you encrypt the password list itself.

  2. Oh, yes, that’s what I meant, perhaps wasn’t clear: use bots to acquire login credentials from “low-stakes” sites, that are perhaps less protected, then also use brute force to try those very same credentials on financial sites.

  3. The thing is, there are so many techniques being used by professionals with large computing power, that I don’t feel any password you can remember is good enough. The ones I use are large sequences of random letters, numbers and symbols, impossible to remember (unfortunately) but hard to crack.

    For low stake sites, variants are good enough. If you’re worried about someone stealing NYT passwords and using them to hack WSJ subscriptions, I think a variant is good enough protection. They won’t try that hard.

    But the most important thing to remember is that “low stake” is very subjective. I don’t use Flickr enough to care for a crypto-strong password there, but if you’re a professional photographer with a strong presence there, you should be concerned.

    The two questions to ask are:
    1. Would an account compromise hurt me in any way? Even if it’s just a spambot uploading porn to your blog, or someone impersonating you on Twitter.
    2. Would someone target my account directly? Spambots go after low hanging fruits, but if someone is targeting you directly, they’ll focus all these resources on a single account.

    Password managers, as painful as they are to use daily, are much less painful than cleaning up the damage.

  4. Assaf,

    Separating low/high-stakes sites makes sense to me. As for password managers, if not entirely controlled by you (e.g. on PC, USB stick, etc.), but on the Web, what do you think of the risk of the service being compromised?

  5. If you take PassPack for example, all the data is strongly encrypted on their servers and in transit, so I’m not worried about their servers being compromised … the data is useless to hackers.

    PCs and USB keys can be stolen, lost, or hacked into when you leave the room (or if you’re running some network services, even when you’re in the room). And most people don’t encrypt their home directory, password lock their computer, or even close their password manager after using it.

    I’m a big fan of PassPack for one reason. It’s annoying as hell to use, but only because they force you to follow security practices. The login procedure is complicated for a reason, as is the auto-logout. And by taking you to the login form, they prevent the accidental typing of passwords in clear text, when you focus on the wrong field.

    So in terms of usability, they’re much more secure than other password managers I tested, which let you break all the rules. Only downside is that you can’t use it offline, otherwise, I’d say go for it.

  6. Assaf,

    I guess the “golden path” is then:
    – separate low/high stakes sites
    – variation for low stakes
    – PassPack for high stakes (i.e. financial sites).

    This feels like a reasonable compromise to me: I don’t log in to the financial sites too often, and avoid the PassPack annoyance with the others.

    I’ll wait a bit for other feedback, then update the post.


  7. Hi all,
    Tara from PassPack here. Wow, I knew we had some user interface changes to make (in the pipeline) but you seem to have a really strong reaction.

    Can you guys point me in the right direction — what is the part you find most annoying about using PassPack? I’d like to find it and make it better for you.

    I use PassPack daily and know what *I* want to change, but getting your feedback would be really helpful, especially since we have an update coming up.

    Thanks! Much appreciated.

  8. Tara, I only used PassPack briefly before reverting back to KeePass.

    Some suggestions for improvement:
    1. Use my e-mail address, not login name. I rely on password managers to remember all the different login names.

    2. Remember me on my main computer, so I don’t have to enter my login name. It’s annoying and doesn’t add security.

    3. Allow for login with a short password, see below.

    4. With that password I should be able to view most items and create new ones, no need for a second password (packing key).

    5. Use secondary, longer, password for accessing high stake credentials, the ones I’m really protective of.

    6. Quick copying of passwords to clipboard. I like how in KeePass I can click on an item, and Ctrl-C to copy the password to the clipboard.

    Most of my passwords are not for bank accounts or anything sensitive, they’re for accessing hundreds of not-that-important sites, so they don’t need to be guarded closely.

    The weakest link for most passwords is my e-mail account: you can use it to retrieve lost passwords. By being more demanding than my e-mail login, PassPack annoys but doesn’t make me more secure.

    It needs to be really simple to access credentials for low-stake sites, and only get insistent for high-stake sites.
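The host-proof design described in comment 5 (the vault is encrypted before it reaches the service, so a server breach yields only ciphertext) and the two-tier login asked for in comment 8 (a short password for everyday entries, a longer packing key for the high-stakes ones) can be sketched together. The Go program below is an added example written for this page; it is not PassPack’s or KeePass’s code, and the tier layout, the PBKDF2 iteration count, the field names and the sample entries are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is one vault entry (illustrative fields, not a real format).
type Credential struct{ Site, Login, Password string }

// Packed is all the hosting service keeps for one tier: a random salt, a random
// nonce and AES-GCM ciphertext. The key is derived on the client and never uploaded.
type Packed struct{ Salt, Nonce, Ciphertext []byte }

// kdfIterations is chosen for the example; tune it for your hardware.
const kdfIterations = 100_000

// pbkdf2SHA256 derives one 32-byte block with PBKDF2-HMAC-SHA256 (RFC 8018),
// written out by hand so the example needs only the standard library.
func pbkdf2SHA256(secret, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, secret)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): first and only 32-byte block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// aead turns a secret plus salt into an AES-256-GCM instance.
func aead(secret string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secret), salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one tier of credentials under a key derived from secret.
// Call it once with the short login password for low-stakes entries and once
// with the longer packing key for high-stakes entries; each tier gets its own salt.
func Seal(secret string, entries []Credential) (Packed, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return Packed{}, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Packed{}, err
	}
	gcm, err := aead(secret, salt)
	if err != nil {
		return Packed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packed{}, err
	}
	return Packed{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open decrypts a tier. A wrong secret, or any modified byte, fails the GCM tag,
// so the client sees "wrong key or tampered" rather than garbage plaintext.
func Open(secret string, p Packed) ([]Credential, error) {
	gcm, err := aead(secret, p.Salt)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("wrong key or tampered vault")
	}
	var entries []Credential
	if err := json.Unmarshal(plain, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

func main() {
	// Constructed sample data, not real credentials.
	low, _ := Seal("short-login-pw", []Credential{{"nytimes.com", "reader", "news-variant-1"}})
	high, _ := Seal("a much longer packing key for the high tier", []Credential{{"bank.example", "reader", "wQ9#tL2$zP8!vR4^mK6&"}})
	if _, err := Open("short-login-pw", high); err != nil {
		fmt.Println("login password does not open the high tier:", err)
	}
	entries, _ := Open("a much longer packing key for the high tier", high)
	fmt.Printf("high tier opened: %s / %s\n", entries[0].Site, entries[0].Login)
	_ = low
}
```

One design point the code does not show: if the same short login password also authenticates you to the service, derive the authentication token from it separately (a different salt or a second KDF step) so that the secret the server receives is never the secret that decrypts the vault. Otherwise a compromised server holds both the ciphertext and the key to the low tier.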

  9. If you think there is no problem with one trivial site being compromised, just think of the single red paper clip story. A hacker could use the cred they gain from access to one account to verify their identity in a more substantial part of the net, gradually working their way up till you suddenly notice this b*st*rd has taken over your domain, hosting, website and is moving in on your bank account and patting your kids on the head.


  10. For Windoze boxes I use Roboform and Roboform2Go. It generates passwords and saves forms and notes with encryption. GoodSync (by the same company) lets you sync your local machine with your memory key. I have no complaints except that they don’t make a version for Linux! Does anyone know of a similar solution for Linux? I have tried other password managers but none matched the ease of use that Roboform provides.

  11. A second for RoboForm2Go. It’s a sanity-saver. After wrestling with this growing frustration for years, this finally gave me a workable solution. Great little app. Even imports all of your saved logons from Firefox or IE. I found logons I’d long forgotten.

  12. I use both OpenID and PassPack and think they’re both great… if a site has OpenID, that is my first choice, but not everyone supports it yet 🙁
    In those cases I use PP, or for many passwords for things that cannot possibly accept OpenID (my SIM card encryption passcode).

    Besides, you need somewhere to keep a copy of your OpenID password 😛

  13. @Assaf “Use my e-mail address,”
    There are some people that think it’s better not to expose info like that from a username –

    You could of course set your username to be the same as your email address 😛

    The reason AFAIK for this is that some people think it is better not to expose info like an email address from the username, since your username is known by PassPack.

    It probably doesn’t really matter, but your username is only encrypted 1 time – between you and PassPack. That means if someone cracked the HTTPS encryption (extraordinarily unlikely, I know) then they could see your username. PP is great because even in that unlikely circumstance, your private data is still secure!

    One option you might like is that the next version should support OpenID authentication, so instead of a username and pass, you would just enter your OpenID url.

    To view your password store you still must enter the packing key, but this should effectively make login a one-password one-click login.

    So to reiterate: use them both

    (sorry for double post 😀 )

  14. @tom My e-mail address would also be known to PassPack. If not, that is something to worry about. It may be extremely unlikely, but if there’s a security breach, I want to be informed.

    My e-mail address travels over SMTP, unencrypted, so I’m not too concerned about the unlikely event that someone cracks it while traveling over HTTPS.
